From: Andy Lutomirski
Date: Fri, 30 Apr 2021 16:22:48 -0700
Subject: Re: [PATCH v2 2/5] seccomp: Add wait_killable semantic to seccomp user notifier
To: Sargun Dhillon
Cc: Kees Cook, LKML, Linux Containers, Mauricio Vásquez Bernal, Rodrigo Campos, Tycho Andersen, Giuseppe Scrivano, Christian Brauner, Andy Lutomirski
In-Reply-To: <20210430204939.5152-3-sargun@sargun.me>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Apr 30, 2021 at 1:49 PM Sargun Dhillon wrote:
>
> The user notifier feature allows for filtering of seccomp notifications in
> userspace. While the user notifier is handling the syscall, the notifying
> process can be preempted, thus ending the notification. This has become a
> growing problem, as Golang has adopted signal based async preemption[1]. In
> this, it will preempt every 10ms, thus leaving the supervisor less than
> 10ms to respond to a given notification. If the syscall requires I/O (mount,
> connect) on behalf of the process, it can easily take 10ms.
>
> This allows the supervisor to set a flag that moves the process into a
> state where it is only killable by terminating signals as opposed to all
> signals. The process can still be terminated before the supervisor receives
> the notification.

This is still racy, right? If a signal arrives after the syscall
enters the seccomp code but before the supervisor gets around to
issuing the new ioctl, the syscall will erroneously return -EINTR,
right?

Can we please just fully fix this instead of piling a racy partial fix
on top of an incorrect design?

--Andy