Received: by 2002:a05:6a10:a852:0:0:0:0 with SMTP id d18csp795150pxy; Fri, 30 Apr 2021 17:11:07 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzgVBdCE8EgsnIOBWsuVZHROHVmNKBiJ7BVnBe+rLxec2PFIVBdq79SXSyL/KJTm7/fHWSQ X-Received: by 2002:a17:902:122:b029:e8:bde2:7f6c with SMTP id 31-20020a1709020122b02900e8bde27f6cmr7758608plb.29.1619827867184; Fri, 30 Apr 2021 17:11:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1619827867; cv=none; d=google.com; s=arc-20160816; b=Opdjy+sRl7/mEUM+T5eq8XE720F28CzYw11isYQzmTUZ/lyGo9a0RcWT+X9gYtzTd4 U+fuEAeS5PRhNNBCBdB4YkxnWOhvyUN9x1ZqUWro5Vq3Crs75Jv734o3peX0cbsR8zkP T/gbA0IIWZfyx9cBh+gHIUUMc9PNoXZo7/v39coMYs16MWikiW/SqUCRsa8bv6cPIH7h h/qDDtpihGE0oIpv4GpEYtRXEiUpZSxjZt/PXwU/Rtg5h2CVeFyLrma8iZ8E/z8SNMcz t8eMEMgJCz/K7TCzhfyqr74ofNkhGxmAyzzbicwR8oCz8VTMpq6b9QffVhM8J8sJTuIH 7ElA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=8nmI0Z6GpJ669OoqTL4ZRS5HBzAE6mZbx+jGtxyj3s4=; b=FXqk4aPyBFI1/Xno3EkTjDneU4AzXNjXAxNPy3HKtTVs4nCX0BN8lSAV2jqbhudopt VT/o4C0LecSNRwxK4QfjLsLlZF7hXuvyEZmyIiwfvQTHiXyWWtmBgGzn2+bVUWUAC3rM 9hvgH+Jr2oMVEhh8deSgvpsKwqK66RjnUZFiHqXXuHgBduzMWpofS0fcaDzYHNs4KtO8 Ld+zfWjj1XVXh+TUlAzzXT+YxcMcgWW1oYg2egxmGquIZgNAPsGFoQ/QZTuVOJ80Zbqf 8OaCfkgrPQCPiYwh5/sTB4fGxiwIqtN2bv6JJ89i9lGfWOIu/vobjT+zMQKUPzp/ga7Y lISw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b=TAk5su9x; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b1si15881822pjp.3.2021.04.30.17.10.52; Fri, 30 Apr 2021 17:11:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b=TAk5su9x; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233090AbhEAAKx (ORCPT + 99 others); Fri, 30 Apr 2021 20:10:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33966 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232893AbhEAAKx (ORCPT ); Fri, 30 Apr 2021 20:10:53 -0400 Received: from mail-io1-xd2a.google.com (mail-io1-xd2a.google.com [IPv6:2607:f8b0:4864:20::d2a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6B4B8C06174A for ; Fri, 30 Apr 2021 17:10:03 -0700 (PDT) Received: by mail-io1-xd2a.google.com with SMTP id b10so11534446iot.4 for ; Fri, 30 Apr 2021 17:10:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sargun.me; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8nmI0Z6GpJ669OoqTL4ZRS5HBzAE6mZbx+jGtxyj3s4=; b=TAk5su9x4YNFiIahiV9a5aaJzJsZ734/S9ixVX7Bz0n5yF+3hMGaPGzcXNECetsqWg JkHS1ySxd3AQSEDQjy+xEZqIembgrUUi7vL6ea9plM5m16ZqVnUV0HCviU/AnqQAXtPQ WY0OTMD6LH4B6yZmmlK4gYsgcNJM2o8nMR04c= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8nmI0Z6GpJ669OoqTL4ZRS5HBzAE6mZbx+jGtxyj3s4=; b=CrgO/bSUT7b8ks5pTUTI3TMfrcsZWZXNWR4cxmk4dqn6SVIwraFW5sonMgLUnpH3DL xlLHVrY1m0samsLkWDsKB2VXqF8tujVJognyF/Vit/XAsNWLQLiv0NLoczlTmE7FL5sD VQ/M3HVEmBziSuljk6jQU1pvQNpuU6YBukd8ZzB8PsbYZm9564F5PkXfOA7TvQUuZLVh /S+KGtvtBUZja0Bocc+cLeiFGWNoXX86Tzvn7xGjfRrJAkx4vZOtoBpWG95pE6VgNA+j /DU7qXAEEoMyiQnCHiqI2VPcZaGWVOTxTpkmD1h5AmhX4yfSumOAlHm4hpe8hzcHZ4R7 Sk7Q== X-Gm-Message-State: AOAM533D1QTG0aX2hoATXvZOY9odO92tYhdJhpTCkVtuMzm8X8ybdJYg PxfM7RvSAEMOQ7yWzgNRupJ1gc4qVRUmaj41obEaRg== X-Received: by 2002:a5d:84c5:: with SMTP id z5mr5722665ior.33.1619827802465; Fri, 30 Apr 2021 17:10:02 -0700 (PDT) MIME-Version: 1.0 References: <20210430204939.5152-1-sargun@sargun.me> <20210430204939.5152-3-sargun@sargun.me> In-Reply-To: From: Sargun Dhillon Date: Fri, 30 Apr 2021 17:09:26 -0700 Message-ID: Subject: Re: [PATCH v2 2/5] seccomp: Add wait_killable semantic to seccomp user notifier To: Andy Lutomirski Cc: Kees Cook , LKML , Linux Containers , =?UTF-8?Q?Mauricio_V=C3=A1squez_Bernal?= , Rodrigo Campos , Tycho Andersen , Giuseppe Scrivano , Christian Brauner Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Apr 30, 2021 at 4:23 PM Andy Lutomirski wrote: > > On Fri, Apr 30, 2021 at 1:49 PM Sargun Dhillon wrote: > > > > The user notifier feature allows for filtering of seccomp notifications in > > userspace. While the user notifier is handling the syscall, the notifying > > process can be preempted, thus ending the notification. This has become a > > growing problem, as Golang has adopted signal based async preemption[1]. In > > this, it will preempt every 10ms, thus leaving the supervisor less than > > 10ms to respond to a given notification. If the syscall require I/O (mount, > > connect) on behalf of the process, it can easily take 10ms. > > > > This allows the supervisor to set a flag that moves the process into a > > state where it is only killable by terminating signals as opposed to all > > signals. The process can still be terminated before the supervisor receives > > the notification. > > This is still racy, right? If a signal arrives after the syscall > enters the seccomp code but before the supervisor gets around to > issuing the new ioctl, the syscall will erroneously return -EINTR, > right? > > Can we please just fully fix this instead of piling a racy partial fix > on top of an incorrect design? > > --Andy I thought that you were fine with this approach. Sorry. Maybe this is a dumb question, what's wrong with returning an EINTR if the syscall was never observed by the supervisor? I think that the only other reasonable design is that we add data to the existing action which makes it sleep in wait_killable state.