Received: by 2002:a05:6a10:a841:0:0:0:0 with SMTP id d1csp618736pxy; Wed, 28 Apr 2021 10:35:17 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy509bZ5ry7I0BzdD2Mju1gZIkvfza7+cTlzumZiT5/jGM4GvzekY9ne9dscAEui2SQeNgm X-Received: by 2002:a17:906:74c6:: with SMTP id z6mr12917575ejl.13.1619631317020; Wed, 28 Apr 2021 10:35:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1619631317; cv=none; d=google.com; s=arc-20160816; b=xX/EGll93jRvtM+4GUxWxIlQYemQwVfKBZmTreK6mT39eCByYu9XRVmzOJSdfOFtxO 9Zk0vKK3UBam/5xIQU1V1Jw4k6uEe7vMRBrP3DPzxQfuh4rlruBgnSzYc6nlM5OlP4NN OzgB0ojK+b8F7fWjCop12EgsMk/H3nTDpkekx1hI8MJ6h6jV9BtYLXqedVN1i2kT9s8s cW6NZ9ZNkIZw6j8sGmAA8xJnmuLbV4OMg32x5qrTzSUh/WTwPiM2dZd0MKLniADe0wfo RJRLVYZP5ZdY5Llat8NZ8rww7fzWJUzYYJKf2ZbEetHMU4uGaoDPaRb1aL+jZKHijcH+ rYWw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature :dkim-signature; bh=czH9iPt1oe0ViL1vs30hEmtJagLUs283mfCg69IYZBo=; b=zxX89FqRwpLtcL9d4YodRqOE7wR36XdiuEseligfxNNSIQy1TDn+uAJjkgwfPmYYYq HT0h0nTfPxZ1icnuoq3l9ldFeUMyfKS5sGjRfHUTzhmC/+qgGS1iTscG71WFpRaUvp6P mmPKyprTeaunFkHmvKxT+vs692jE7mDpMamlfBsJ9oFbGqfzc5iDEy14du7NrDNgU6bP KV8kF9woNzzaekJ6N2RsDUIXb20j+Y+YUwXnpzcXAZX/QHtsNJgRMukNCjg2YwDtuzhR 46XkbzKCAlKqbvyYYMG1LlBceVnZ7oGpi9kbyayVpDVGEWgJmzMde0UFUYqCcRVG80M/ I3xQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@tycho.pizza header.s=fm3 header.b=sV37b5AM; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=cq50BgRK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r6si621199ejr.189.2021.04.28.10.34.53; Wed, 28 Apr 2021 10:35:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@tycho.pizza header.s=fm3 header.b=sV37b5AM; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=cq50BgRK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230166AbhD1OJr (ORCPT + 99 others); Wed, 28 Apr 2021 10:09:47 -0400 Received: from new3-smtp.messagingengine.com ([66.111.4.229]:47813 "EHLO new3-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230463AbhD1OJU (ORCPT ); Wed, 28 Apr 2021 10:09:20 -0400 Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailnew.nyi.internal (Postfix) with ESMTP id 2A6BF580C4D; Wed, 28 Apr 2021 10:08:21 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Wed, 28 Apr 2021 10:08:21 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tycho.pizza; h= date:from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=fm3; bh=czH9iPt1oe0ViL1vs30hEmtJagL Us283mfCg69IYZBo=; b=sV37b5AMGuS8AbmPmPqEKPlRIcvXb/683GEBq7Nir8C 74JEYwMMAbb4dG+AipiUxpBo9LBvuhGoxxXVzIFWqSMqQYInAlyyjUxBT1Dmfs9S GeJ5gsmdNiKis5/wJLzmx116mWJ6LADTthp7PhyQ5QFj4c0iHFWRI7GYPb8bCOUL krEKJp5j/bZQhquctNbCAeRZ7lHBiOYmrT1o8mD2gFD4uhB6v7wTfFtxUNYgkTiJ b0w8ZHwpDpnV9QQeOIB6hkin3csqb5HqPqgr7k3DmjK+v6ImZ7bPQBkH0ATIEYJL mSV6CdIZh0iiICiG8L0uor9ZGY2ldnK8VBfdp4PpQEg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=czH9iP t1oe0ViL1vs30hEmtJagLUs283mfCg69IYZBo=; b=cq50BgRKSbQFNnrGYCfYqR 064ASNkT+tPvwaclIkVfcO/waNEDb0wf/5yGQNYAmsozPlHevmZR+9b3QeWyNtHp DwtM4uzqYAEmlag1FMKkloJhveMJyFeleWtw6zOR66XpgH66KjHwxLS7M/qdKjvW OeOnmsswXsnspLQHj+m1b5G7nGa6vzEYRpZm8r/3rzR/W8H8/nIZWb8/IrJT6uAZ zjXWq5c6T5XmgeP3r2oaqXWYV6r6SHLGGXHfyaHeK6S3xuvpVcXmyAn+lCGljeGx W5dht0KuvUNQPJaQlDnfkahu/bCeah1WRSVu2QrnUHec7Xgkfx3lyvJKBiQP6rvg == X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrvddvvddggeekucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvffukfhfgggtuggjsehttdertddttddvnecuhfhrohhmpefvhigthhho ucetnhguvghrshgvnhcuoehthigthhhosehthigthhhordhpihiiiigrqeenucggtffrrg htthgvrhhnpeegkeefjeegkedtjefgfeduleekueetjeeghffhuefgffefleehgeeifedv gfethfenucfkphepudejgedrhedurdduvddrkedunecuvehluhhsthgvrhfuihiivgeptd enucfrrghrrghmpehmrghilhhfrhhomhepthihtghhohesthihtghhohdrphhiiiiirg X-ME-Proxy: Received: from cisco (c-174-51-12-81.hsd1.co.comcast.net [174.51.12.81]) by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 28 Apr 2021 10:08:19 -0400 (EDT) Date: Wed, 28 Apr 2021 08:08:17 -0600 From: Tycho Andersen To: Rodrigo Campos Cc: Andy Lutomirski , Sargun Dhillon , Kees Cook , LKML , Linux Containers , Christian Brauner , Mauricio =?iso-8859-1?Q?V=E1squez?= Bernal , Giuseppe Scrivano , Will Drewry , Alban Crequy Subject: Re: [PATCH RESEND 2/5] seccomp: Add wait_killable semantic to seccomp user notifier Message-ID: <20210428140817.GA1965193@cisco> References: <20210426190229.GB1605795@cisco> <20210426221527.GA30835@ircssh-2.c.rugged-nimbus-611.internal> <20210427134853.GA1746081@cisco> <20210427170753.GA1786245@cisco> <20210427221028.GA16602@ircssh-2.c.rugged-nimbus-611.internal> <20210428002215.GB1786245@cisco> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 28, 2021 at 03:20:02PM +0200, Rodrigo Campos wrote: > On Wed, Apr 28, 2021 at 1:10 PM Rodrigo Campos wrote: > > > > On Wed, Apr 28, 2021 at 2:22 AM Tycho Andersen wrote: > > > > > > On Tue, Apr 27, 2021 at 04:19:54PM -0700, Andy Lutomirski wrote: > > > > User notifiers should allow correct emulation. Right now, it doesn't, > > > > but there is no reason it can't. > > > > > > Thanks for the explanation. > > > > > > Consider fsmount, which has a, > > > > > > ret = mutex_lock_interruptible(&fc->uapi_mutex); > > > if (ret < 0) > > > goto err_fsfd; > > > > > > If a regular task is interrupted during that wait, it return -EINTR > > > or whatever back to userspace. > > > > > > Suppose that we intercept fsmount. The supervisor decides the mount is > > > OK, does the fsmount, injects the mount fd into the container, and > > > then the tracee receives a signal. At this point, the mount fd is > > > visible inside the container. The supervisor gets a notification about > > > the signal and revokes the mount fd, but there was some time where it > > > was exposed in the container, whereas with the interrupt in the native > > > syscall there was never any exposure. > > > > IIUC, this is solved by my patch, patch 4 of the series. The > > supervisor should do the addfd with the flag added in that patch > > (SECCOMP_ADDFD_FLAG_SEND) for an atomic "addfd + send". > > Well, under Andy's proposal handling that is even simpler. If the > signal is delivered after we added the fd (note that the container > syscall does not return when the signal arrives, as it happens today, > it just signals the notifier and continues to wait), we can just > ignore the signal and return that (if that is the appropriate thing > for that syscall, but I guess after adding an fd there isn't any other > reasonable thing to do). Yes, agreed. After thinking about this more, my example is bogus: the kernel doesn't sleep after it installs the fd, so it would ignore any signals too. Even if the kernel *did* sleep after installing the fd, it would still be correct emulation to install it and then do whatever the kernel did during that sleep. So I withdraw my objection :) Thanks, Tycho