Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp5555827pxb; Mon, 14 Feb 2022 01:48:16 -0800 (PST) X-Google-Smtp-Source: ABdhPJxzkuPmhqyb03Fd8WfDuZKfrjUeyfT6kEPIccB5A8YBYvqC2jTW37aruhzjiYilpooEFd0i X-Received: by 2002:a63:6c88:: with SMTP id h130mr11086755pgc.357.1644832096092; Mon, 14 Feb 2022 01:48:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644832096; cv=none; d=google.com; s=arc-20160816; b=aPQIEbGYf04WJMb7e3leiNqOMhn+Dkkuz2TrAD7xwbxtR9olws0PZwqSA2GWIreZVL 6ct3LkE4Fw5hZyu1v+BgV+6XXSjJLOiGgc+8WatOg/QylmUHXGULEH1uP6l80+UH6sK+ 8oE6R9EAGVkrNRA1siJUIMludZTT9CC0gOgz8/Ifv/q9VveKu0AiXGJpgy0oT7dYBPID M4s8jfusjBWCyNd52SpTb5nyHBDllihgu3UzedZ5v526QyHCcsIwbcQEqZZv40c5Xbbx 3bHXBM9IRw1KYcliQGgZZHhTggZSwby5JHmDo1XL8YWX/w0EXQWyM+ABUHBX2FFrpVyn zvTQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=6ARFSsbWyOdD6EMO2DQy2Ws/csG1j53wTkmfHHdDFXY=; b=HHb5x/tNQqZNBHk42X8w3R/RTdGyRkkCT77qpyD1voNVTyCI3byvP6/QFKFMX68QK0 47kSqmoEBXUZEuqUxuO9VwOoeZW4rTkMxS6VsYtTZYt2iJ1TNcNCkb90mVHPo8Hd1OO/ yy4V9Vs1BmYi6cH15EyvYzWlqB7pTJfFM5MZwMqTXYGVzKi/sVnkM6k/kXBMpUqhh9sv SS0DB3YpU8jpDXqWzrM6yJG/uAC8h6VhUjUt16y9UUMRpe+AJYf3bgbk7+1sIRCXSP8R ti5+SE167JOQJWWAEqw3eLagqjYLwBxcsrPMPb+eNe7fML3dK+xvn3+zJpCi8jE+mjqg 7Exw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@swiecki.net header.s=google header.b=Jkshpjqe; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s15si693756plr.466.2022.02.14.01.48.04; Mon, 14 Feb 2022 01:48:15 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@swiecki.net header.s=google header.b=Jkshpjqe; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241606AbiBKMym (ORCPT + 93 others); Fri, 11 Feb 2022 07:54:42 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:56632 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244509AbiBKMyi (ORCPT ); Fri, 11 Feb 2022 07:54:38 -0500 Received: from mail-oo1-xc2a.google.com (mail-oo1-xc2a.google.com [IPv6:2607:f8b0:4864:20::c2a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C5EEBE5E for ; Fri, 11 Feb 2022 04:54:37 -0800 (PST) Received: by mail-oo1-xc2a.google.com with SMTP id p190-20020a4a2fc7000000b0031820de484aso10123015oop.9 for ; Fri, 11 Feb 2022 04:54:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=swiecki.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6ARFSsbWyOdD6EMO2DQy2Ws/csG1j53wTkmfHHdDFXY=; b=Jkshpjqe1FTAHoJawiFQhz9yzN0NpI9FvO/qjTRn08FgZgcQ5HA+Ush/Ai2Vyzbdn+ rCSlVh4dWpG6MiPoiRYhkDDaZTqOQOUJUnKkO71u8+Gg4+x25NOgSS5214ix2N2FyxH6 qFYkARezeP6Oy8q3v726X20mHNEIXMs36eI/o= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6ARFSsbWyOdD6EMO2DQy2Ws/csG1j53wTkmfHHdDFXY=; b=fSJYUzc+2ED8J3f3pHzFNOQTSrGVVLLH0o0IStvwSn0pO7TmzWKjcKwDL58ICV1362 TvYVTbZAMj/zIMyvdjGOO9AMUDQNKsBXYENgL1AatJzH647wWGe5ovwJMUsUEvkTbsG+ QuIIuALvrKRE+kljn5pvDRRkZnEAEJ81knGRMAxpAu9xDn/tKK6X+AqEW68PQyvaKkpK +8XBBE2j27EL/9lVmSWZ0btMoa6/CoAaPQv2CswZfFREk9DjxSRmKZpMyKlLwQpn3Dpm Y8EBkXPpbNXlbDBRpfNQi1MXrzIH4j+QuR6//8JNzY3zBVT4SFN8rpnCogNDPS/VPnw5 2Zmg== X-Gm-Message-State: AOAM531C4izpK5LCym6eHEXpaFhFbnCsN60a2fgzsE0EEUpnFxIwuYuH cSewte/WzZwzrUTKpIxtOkvU7YPxl8aMZovWjp/8YA== X-Received: by 2002:a05:6870:8c13:: with SMTP id ec19mr71565oab.262.1644584077154; Fri, 11 Feb 2022 04:54:37 -0800 (PST) MIME-Version: 1.0 References: <20220210025321.787113-1-keescook@chromium.org> <871r0a8u29.fsf@email.froward.int.ebiederm.org> <202202101033.9C04563D9@keescook> <87pmnu5z28.fsf@email.froward.int.ebiederm.org> <202202101137.B48D02138@keescook> <87k0e249tt.fsf@email.froward.int.ebiederm.org> <202202101710.668EDCDC@keescook> <875ypm41kb.fsf@email.froward.int.ebiederm.org> <202202101827.4B16DF54@keescook> In-Reply-To: <202202101827.4B16DF54@keescook> From: =?UTF-8?B?Um9iZXJ0IMWad2nEmWNraQ==?= Date: Fri, 11 Feb 2022 13:54:26 +0100 Message-ID: Subject: Re: [PATCH 0/3] signal: HANDLER_EXIT should clear SIGNAL_UNKILLABLE To: Kees Cook Cc: "Eric W. Biederman" , Andy Lutomirski , Will Drewry , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > It's mainly about the exit stuff having never been run before on these > kinds of process states, so things don't make sense. For example, on the > SIGSYS death, the registers have been rewound for the coredump, so when > the exit trace runs on x86 it sees the syscall return value as equal to > the syscall number (since %rax is used for the syscall number on entry > and for the syscall result on exit). So when a tracer watches a seccomp > fatal SIGSYS, it sees the syscall exit before it sees the child exit > (and therefore the signal). For example, x86_64 write (syscall number > 1), will return as if it had written 1 byte. :P > > So, it's not harmful, but it's confusing and weird. :) > > > I am trying to figure out if there is a case to be made that it was a > > bug that these events were missing. > > I don't think so -- the syscall did not finish, so there isn't a valid > return code. The process exited before it completed. A tangential point: please ignore for the purpose of fixing the problem at hand. I'm mostly making it, in case it can be taken into account in case some bigger changes to this code path are to be made - given that it touches the problem of signal delivery. When I noticed this problem, I was looking for a way to figure out what syscall caused SIGSYS (via SECCOMP_RET_KILL_*), and there's no easy way to do that programmatically from the perspective of a parent process. There are three ways of doing this that come to mind. 1). Keep reference to /proc//syscall and read it upon process exiting by SIGSYS (and reading it with wait/id(WNOWAIT) from parent). This used to work a long time ago, but was racy (I reported this problem many years ago), and currently only -1 0 0 is returned (as in, no syscall in progress). 2). Use ptrace - it works but it changes the logic of the signal delivery inside a traced process and requires non-trivial code to make it work correctly: use of PT_INTERRUPT, understanding all signal delivery events, registers and their mapping to syscall arguments per CPU arch. 3). auditd will print details of failed syscall to kmsg, but the string is not very structured, and auditd might not be always present inside kernels. And reading that data via netlink requires root IIRC. I think it'd be good to have some way of doing it from the perspective of a parent process - it'd simplify development of sandboxing managers (eg nsjail, minijail, firejail), and creation of good seccomp policies.