Received: by 2002:a05:6a10:a841:0:0:0:0 with SMTP id d1csp768142pxy; Wed, 28 Apr 2021 13:53:52 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzc2gnTbdni6mVXmB553PefWxyfar0h7TDAniKnNDIYCFhvJPr3ZaKSf46l0CxiqiMMaKZI X-Received: by 2002:a05:6402:1d26:: with SMTP id dh6mr14059120edb.341.1619643146901; Wed, 28 Apr 2021 13:52:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1619643146; cv=none; d=google.com; s=arc-20160816; b=dQie8H5Fkt9HiGsa3VwNVL2g3/ytaATb2kcY/bKTC+ouDud7ZqF8oiy6JiTjucaslI UuSlzWDIHYaMHiNIiaQ3dPABw99a3XnZJeVX0i1ekFupdU9GXK+2z5Bv1uGv8rti6sqC sD0Fm0hW1PRijw4s7TNjV5ugFkZ/rcBHT2ImkopH4KOyoJ5TQVM3HY934WXy1vdgJOIy hUzpJ89B5Ei5rRgWA1vPlZsV4qSyKBwxsf97ueBKsp0QhYw8XEc6WvOG9Q0NDGXyO2g9 WkcZTUt9AKF1oiaQ0DxdEnFAk6b54ODnJr9OwVtHIC5perL4ZBV4ogjI2FFmgZbmx5lf EumQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=ooT7AWKBiLRbLDiDxglHtQCKmVnoRiy1bmtiucHGkh4=; b=T/uuApVyAw6/vtcND790WJpZwFVcBSg2ItHJXxODaZzQ138EItxnuak0x+HWwYBVJp o0Ter2L8ob5yPQihw6fycPRt/at6PgqGq5Sitwi1T5cVW4psmA1JmF3GeWcWtD95WYiW z7SIpn13DgnQpf4FE8cGxhNIuPQGnbs5oliqIgg3A0lXqmbeSXFH+PkCCEEmp8wQ49pw QHuNEYm1AdUPuG49NpyfEcck6xtNDKaTssLhbW3Odt5YTzmxgZPoWoWngbL8B5HVD/UM FRub6ku0l39Tu8gVLkJnWhqGbn2s7DSfUYbCQpgKNOEtsbGOH2az9w7qHhqtbs/FTit4 kCIg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b=KhqAVRWw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p13si1198699ejb.542.2021.04.28.13.52.02; Wed, 28 Apr 2021 13:52:26 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b=KhqAVRWw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237582AbhD1ROa (ORCPT + 99 others); Wed, 28 Apr 2021 13:14:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42648 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231560AbhD1RO3 (ORCPT ); Wed, 28 Apr 2021 13:14:29 -0400 Received: from mail-io1-xd36.google.com (mail-io1-xd36.google.com [IPv6:2607:f8b0:4864:20::d36]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4C273C061573 for ; Wed, 28 Apr 2021 10:13:43 -0700 (PDT) Received: by mail-io1-xd36.google.com with SMTP id p8so10663483iol.11 for ; Wed, 28 Apr 2021 10:13:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sargun.me; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ooT7AWKBiLRbLDiDxglHtQCKmVnoRiy1bmtiucHGkh4=; b=KhqAVRWwQscEwvGBMS+mDXMj0e7K2zmCCJ1Bw1N7CpwQQB8REHnna3pQN7wY9J2xm/ jX4G+whsufvmbwYRPELfw1v1Y9BTSIJR0Aii2E7MWOsjb3etRrjBMg+IhZC3A0fbHAmc uMasgnBQtpi/DWICXFEaAFt65LtWj2ZfmL96k= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ooT7AWKBiLRbLDiDxglHtQCKmVnoRiy1bmtiucHGkh4=; b=afvoQP20tku8pDDfbS+fvVYTePkU6hlPnINEel/4FHzX3SF+Wd9q1AlH8BdvN7J88M 08SfgnqJmCT/QJ8ZsPU+KtK9Puv0c4mh2zA1I9jl0k+KEFB6R+esyGmQnqCc8LxFYgEA gMgnzM6aYYE/fbtrU/LloYhZh4ofjHWlG4Bv4eDO1AH8/10M8N/msy771Y8ghS9qJdXE lJgC7utYx94A/qCmmmZ4omE/xBo09lcRhQucCVbhMrAKy3EkgS6DUO/7Itucs5ReBHU0 2Qr0rVlUmCi2SIihx6ttyBD6lkA7NOMJrmskORJGpvVP0OSWuqGWSO5kj2VJRQYxlScI 8d9g== X-Gm-Message-State: AOAM5312BFGeHT8aUMrLPtv4IsWnoYsCvMQpHEO256pmOJ1VKWzcnss6 kMIrfeGHH74MY1qboud2Xc9lDRxZMnG04Wx1hlEVRA== X-Received: by 2002:a02:a695:: with SMTP id j21mr17121924jam.29.1619630022507; Wed, 28 Apr 2021 10:13:42 -0700 (PDT) MIME-Version: 1.0 References: <20210426190229.GB1605795@cisco> <20210426221527.GA30835@ircssh-2.c.rugged-nimbus-611.internal> <20210427134853.GA1746081@cisco> <20210427170753.GA1786245@cisco> <20210427221028.GA16602@ircssh-2.c.rugged-nimbus-611.internal> <20210428002215.GB1786245@cisco> <20210428140817.GA1965193@cisco> In-Reply-To: <20210428140817.GA1965193@cisco> From: Sargun Dhillon Date: Wed, 28 Apr 2021 10:13:06 -0700 Message-ID: Subject: Re: [PATCH RESEND 2/5] seccomp: Add wait_killable semantic to seccomp user notifier To: Tycho Andersen Cc: Rodrigo Campos , Andy Lutomirski , Kees Cook , LKML , Linux Containers , Christian Brauner , =?UTF-8?Q?Mauricio_V=C3=A1squez_Bernal?= , Giuseppe Scrivano , Will Drewry , Alban Crequy Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 28, 2021 at 7:08 AM Tycho Andersen wrote: > > On Wed, Apr 28, 2021 at 03:20:02PM +0200, Rodrigo Campos wrote: > > On Wed, Apr 28, 2021 at 1:10 PM Rodrigo Campos wrote: > > > > > > On Wed, Apr 28, 2021 at 2:22 AM Tycho Andersen wrote: > > > > > > > > On Tue, Apr 27, 2021 at 04:19:54PM -0700, Andy Lutomirski wrote: > > > > > User notifiers should allow correct emulation. Right now, it doesn't, > > > > > but there is no reason it can't. > > > > > > > > Thanks for the explanation. > > > > > > > > Consider fsmount, which has a, > > > > > > > > ret = mutex_lock_interruptible(&fc->uapi_mutex); > > > > if (ret < 0) > > > > goto err_fsfd; > > > > > > > > If a regular task is interrupted during that wait, it return -EINTR > > > > or whatever back to userspace. > > > > > > > > Suppose that we intercept fsmount. The supervisor decides the mount is > > > > OK, does the fsmount, injects the mount fd into the container, and > > > > then the tracee receives a signal. At this point, the mount fd is > > > > visible inside the container. The supervisor gets a notification about > > > > the signal and revokes the mount fd, but there was some time where it > > > > was exposed in the container, whereas with the interrupt in the native > > > > syscall there was never any exposure. > > > > > > IIUC, this is solved by my patch, patch 4 of the series. The > > > supervisor should do the addfd with the flag added in that patch > > > (SECCOMP_ADDFD_FLAG_SEND) for an atomic "addfd + send". > > > > Well, under Andy's proposal handling that is even simpler. If the > > signal is delivered after we added the fd (note that the container > > syscall does not return when the signal arrives, as it happens today, > > it just signals the notifier and continues to wait), we can just > > ignore the signal and return that (if that is the appropriate thing > > for that syscall, but I guess after adding an fd there isn't any other > > reasonable thing to do). > > Yes, agreed. After thinking about this more, my example is bogus: the > kernel doesn't sleep after it installs the fd, so it would ignore any > signals too. > > Even if the kernel *did* sleep after installing the fd, it would still > be correct emulation to install it and then do whatever the kernel did > during that sleep. So I withdraw my objection :) > > Thanks, > > Tycho Great. I'll respin the series and add a SECCOMP_IOCTL_NOTIF_SET_WAIT_KILLABLE command. We can do the other aforementioned optimizations above when specific use cases come up. I would like to work on preemption notification after this lands though.