Received: by 2002:a05:7412:3784:b0:e2:908c:2ebd with SMTP id jk4csp2628311rdb; Wed, 4 Oct 2023 07:03:48 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGOSbsTQVe0wEKzJlx4cykhyRfwYLKI+h1P99pd6+F7uXDtfpmJvp6Rh44zIB24Ju7AbMG6 X-Received: by 2002:a17:90a:e7c3:b0:277:4002:f5ca with SMTP id kb3-20020a17090ae7c300b002774002f5camr2183842pjb.9.1696428228097; Wed, 04 Oct 2023 07:03:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696428228; cv=none; d=google.com; s=arc-20160816; b=cxl3rhFfs1QV3HZKWys3kdx4q8YJal6jYCLpDFyxMvyEdGyGdGXHsVZzqgX16OcuBP XdS1Nn0GBIkLygbqZMfmTNa5mZha0BIQ5W32HnEYV4tMVOJjKQlp9mTu4v3DYZ1gdtV8 EGF//8Y3AtCZ1qhUNOv+uSiLEOJia/pylFwq/2hO6Nbr+rxc438yJKuOY39DAVXktcrs hr0JfAy2MnujNkh3ZVWcGBumRYe1UTyvVFvZT+86fJNyRw2Z0ZJEMewf+UqW2UmpzcBl nI/aLa7MwT0JcJda2p5M4T9o4neK4O/RnhEE6tJvZ31pEvEnX+clfigbZEKtMGKt/TcL qWfw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :content-language:references:cc:to:subject:user-agent:mime-version :date:message-id; bh=QPkVgKO6ACNpeP0Kj/u/eXYcXdHK1j8vWDVSh7Pa9YE=; fh=/N6xZX0KF6QMZKReeCsBRAzC/BqZrYatQLbSEas5PU0=; b=UkXJ8aREO7/mUKzPUKYiRmglg6B2/V1dyZqLARiC0JzRJyhbgDDi5oqv6hD/he4F2w VxUkM6wEZWZ5Drh4Y7D2tO3KKztraWOSVkggiMTzE7Eu/mQt+Z1bt9CqGrDrLWLrj+M3 yQ6DrH3p5wGvDS2dgPHXkK32b72ob8M4Rao2zYnvrsmIFUUm1AeK25BHiLE4ZkJZuiO5 eM7IvtDfx4otgvQBOVyatWC8bgQ62+HBniOlOycvLEFE7Q4rU/+nHlaHJKWMzM7LwS6f V3I9Qgop/3bSFkBzq5CE7e+TvTy2uEH9mTogKcBf2rMdgtwKIfVgZqxC0Pv5KFviXT/S JrTA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from pete.vger.email (pete.vger.email. [23.128.96.36]) by mx.google.com with ESMTPS id f31-20020a17090a702200b0027762924984si1533815pjk.183.2023.10.04.07.03.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 04 Oct 2023 07:03:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) client-ip=23.128.96.36; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by pete.vger.email (Postfix) with ESMTP id 30A6D81BB19E; Wed, 4 Oct 2023 07:03:45 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at pete.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242733AbjJDODf (ORCPT + 99 others); Wed, 4 Oct 2023 10:03:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33486 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242696AbjJDODe (ORCPT ); Wed, 4 Oct 2023 10:03:34 -0400 Received: from alerce.blitiri.com.ar (alerce.blitiri.com.ar [IPv6:2001:bc8:228b:9000::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 11FBCAB for ; Wed, 4 Oct 2023 07:03:29 -0700 (PDT) Received: from [IPV6:2a02:8109:aa40:4e0:b5c6:9671:3477:8fde] by sdfg.com.ar (chasquid) with ESMTPSA tls TLS_AES_128_GCM_SHA256 (over submission+TLS, TLS-1.3, envelope from "rodrigo@sdfg.com.ar") ; Wed, 04 Oct 2023 14:03:25 +0000 Message-ID: <14c52402-ebc8-4425-9871-1663a87182ef@sdfg.com.ar> Date: Wed, 4 Oct 2023 16:03:24 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [RFC PATCH 0/2] seccomp: Split set filter into two steps To: Hengqi Chen , linux-kernel@vger.kernel.org, bpf@vger.kernel.org Cc: keescook@chromium.org, luto@amacapital.net, wad@chromium.org, alexyonghe@tencent.com, Alban Crequy References: <20231003083836.100706-1-hengqi.chen@gmail.com> Content-Language: en-US From: Rodrigo Campos In-Reply-To: <20231003083836.100706-1-hengqi.chen@gmail.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Wed, 04 Oct 2023 07:03:45 -0700 (PDT) On 10/3/23 10:38, Hengqi Chen wrote: > This patchset introduces two new operations which essentially > splits the SECCOMP_SET_MODE_FILTER process into two steps: > SECCOMP_LOAD_FILTER and SECCOMP_ATTACH_FILTER. > > The SECCOMP_LOAD_FILTER loads the filter and returns a fd > which can be pinned to bpffs. This extends the lifetime of the > filter and thus can be reused by different processes. A quick question to see if handling something else too is possible/reasonable to do here too. Let me explain our use case first. For us (Alban in cc) it would be great if we can extend the lifetime of the fd returned, so the process managing a seccomp notification in userspace can easly crash or be updated. Today, if the agent that got the fd crashes, all the "notify-syscalls" return ENOSYS in the target process. Our use case is we created a seccomp agent to use in Kubernetes (github.com/kinvolk/seccompagent) and we need to handle either the agent crashing or upgrading it. We were thinking tricks to have another container that just stores fds and make sure that never crashes, but it is not ideal (we checked tricks to use systemd to store our fds, but it is not simpler either to use from containers). If the agent crashes today, all the syscalls return ENOSYS. It will be great if we can make the process doing the syscall just wait until a new process to handle the notifications is up and the syscalls done in the meantime are just queued. A mode of saying "if the agent crashes, just queue notifications, one agent to pick them up will come back soon" (we can of course limit reasonably the notification queue). It seems the split here would not just work for that use case. I think we would need to pin the attachment. Do you think handling that is something reasonable to do in this series too? I'll be afk until end next week. I'll catch up as soon as I'm back with internet :) Best, Rodrigo