Received: by 2002:a05:6a10:a841:0:0:0:0 with SMTP id d1csp472019pxy; Wed, 28 Apr 2021 07:54:24 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxuea7pcfMiRYaHalIwItw36MGrapBFfIkxuXoa09fQt6QwF7La/SGTDqKgiGe+lsdDVxxr X-Received: by 2002:a63:d714:: with SMTP id d20mr27428913pgg.285.1619621663796; Wed, 28 Apr 2021 07:54:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1619621663; cv=none; d=google.com; s=arc-20160816; b=TnLUS+/WMMvJVJGBy2APlKzMritVZNWg0dxnkQtqrwxYEtOmHMgDZuCUpL5HAqbzqK jnIUEbBbzzCZrcJ3ZAdYIAelukvEP8k1OD7EaAHQ8MASP1eO5NM2lsvBk7fw3tyCRDXj uj+xvd1K33p+k/ToCIMsTuUkEnjqPz4B8MPdPGyZiPB21tXJrSNCcpnA4bGsWUGmRftJ yiXdFjRuRXZLAOamQcstTcQ/Da2E9JlE8n02+BCbT0x77izIiPd4Z06dm0EysE3WbQ3s m9rAhzi6cxgPjJWpFi6Ni8Jtfs0vf7h1JG4D/FkPae4pHAYwA2YVj16YXKX8LZi5nBIz eXlA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=uIGj9FC9IzQAq2GBbgZ3dpBuRxuZ1w8kk9zAVN1t/ks=; b=rpieb9Lktq/xMm1c2yXUAwH1X+kYX/kFQxNofvnBvgWZr+LWOufhXmvCCLCagypxuS rZJl9nUO+2nz2TWNKnsQ7BTWkWoPA2zTB3oZVjaCGS++vakjZK+Dnn3Y+jCwMFfedxnz Ya+id7XvRAAxtrRov1f8ivi5+Jf7ZkerAYHGxg1rIv+BK/JEbyxG2LiA9RuEPneJWCD+ TlmoFnlOU9pycaYo199mzF8jTRqrva62K4bAVI50mOYqt7mhkr+MCWcBv9dO0N9+oFNB 7e/kLr/87DRXSPhpDUE8O5aH/9zRArR/fPeUGC0IBMys/pH/3i/LDFRNWdFIbQMD3O6q ukuw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kinvolk.io header.s=google header.b=Atxh07MD; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kinvolk.io Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n11si3622093pgp.127.2021.04.28.07.54.09; Wed, 28 Apr 2021 07:54:23 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kinvolk.io header.s=google header.b=Atxh07MD; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kinvolk.io Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239748AbhD1NV0 (ORCPT + 99 others); Wed, 28 Apr 2021 09:21:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46648 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239702AbhD1NV0 (ORCPT ); Wed, 28 Apr 2021 09:21:26 -0400 Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 220A3C061574 for ; Wed, 28 Apr 2021 06:20:41 -0700 (PDT) Received: by mail-lj1-x232.google.com with SMTP id o5so39104851ljc.1 for ; Wed, 28 Apr 2021 06:20:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kinvolk.io; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uIGj9FC9IzQAq2GBbgZ3dpBuRxuZ1w8kk9zAVN1t/ks=; b=Atxh07MDqbbW6/8ErsAvnGFkCNHvXe2vYe9WACJaEyB7bJkjnALZzk1jNN5xtWCwrG izIca9U7kp1F/dB6FgQJwUeWw7/HVJ0fhgnwgHlW7VnhUz8cjI9OCl1ep8aGKyoYnpMp qwRrem0ZKmJaX7mt0eVuN+e18X4/U3KpboD1U= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uIGj9FC9IzQAq2GBbgZ3dpBuRxuZ1w8kk9zAVN1t/ks=; b=rhZxelH75OqbYlQoi0wEnNf0m+AvqMkRWnpZ99gvcUlvAWZLEDxc9pYt6iZtSq8cS0 qyZRLGeDYPfmONB1cyb9O3CABkQ/L5AN6FplUKVVdmyk+syjufUmHTL5XWEMtLeT/cXe Pg3Hu71Ubwh5Pnl0/nhNY2lI5cTKYg0JtfgHSekDvv85cOYmhgHFqJxtltgr+S1TMeHA H9Jf3fL74RYmdP/hvSetDBxWKKFDErj4GMtNlBRDHHE5oN9bAXS6j0It9LNbbJ5jh4Lx 7Hr6pfLtBTGd45/pzGJSt5S1ObMww7Eng+1UCbXu54p47qJOuRktFvWiBIXICQ+6rTCi uooQ== X-Gm-Message-State: AOAM531i3ERciG9peyx1NONxOZc4aDpVF14JVw/7xtKhLlBWSPBkBK1K u20Cx8i2NI7uLWlo0gOnZrjjzHFm7ESYch6r8VBzyg== X-Received: by 2002:a2e:9b50:: with SMTP id o16mr21000868ljj.8.1619616039596; Wed, 28 Apr 2021 06:20:39 -0700 (PDT) MIME-Version: 1.0 References: <20210426180610.2363-1-sargun@sargun.me> <20210426180610.2363-3-sargun@sargun.me> <20210426190229.GB1605795@cisco> <20210426221527.GA30835@ircssh-2.c.rugged-nimbus-611.internal> <20210427134853.GA1746081@cisco> <20210427170753.GA1786245@cisco> <20210427221028.GA16602@ircssh-2.c.rugged-nimbus-611.internal> <20210428002215.GB1786245@cisco> In-Reply-To: From: Rodrigo Campos Date: Wed, 28 Apr 2021 15:20:02 +0200 Message-ID: Subject: Re: [PATCH RESEND 2/5] seccomp: Add wait_killable semantic to seccomp user notifier To: Tycho Andersen Cc: Andy Lutomirski , Sargun Dhillon , Kees Cook , LKML , Linux Containers , Christian Brauner , =?UTF-8?Q?Mauricio_V=C3=A1squez_Bernal?= , Giuseppe Scrivano , Will Drewry , Alban Crequy Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 28, 2021 at 1:10 PM Rodrigo Campos wrote: > > On Wed, Apr 28, 2021 at 2:22 AM Tycho Andersen wrote: > > > > On Tue, Apr 27, 2021 at 04:19:54PM -0700, Andy Lutomirski wrote: > > > User notifiers should allow correct emulation. Right now, it doesn't, > > > but there is no reason it can't. > > > > Thanks for the explanation. > > > > Consider fsmount, which has a, > > > > ret = mutex_lock_interruptible(&fc->uapi_mutex); > > if (ret < 0) > > goto err_fsfd; > > > > If a regular task is interrupted during that wait, it return -EINTR > > or whatever back to userspace. > > > > Suppose that we intercept fsmount. The supervisor decides the mount is > > OK, does the fsmount, injects the mount fd into the container, and > > then the tracee receives a signal. At this point, the mount fd is > > visible inside the container. The supervisor gets a notification about > > the signal and revokes the mount fd, but there was some time where it > > was exposed in the container, whereas with the interrupt in the native > > syscall there was never any exposure. > > IIUC, this is solved by my patch, patch 4 of the series. The > supervisor should do the addfd with the flag added in that patch > (SECCOMP_ADDFD_FLAG_SEND) for an atomic "addfd + send". Well, under Andy's proposal handling that is even simpler. If the signal is delivered after we added the fd (note that the container syscall does not return when the signal arrives, as it happens today, it just signals the notifier and continues to wait), we can just ignore the signal and return that (if that is the appropriate thing for that syscall, but I guess after adding an fd there isn't any other reasonable thing to do). Best, Rodrigo