Received: by 2002:a05:7412:3784:b0:e2:908c:2ebd with SMTP id jk4csp2628311rdb;
        Wed, 4 Oct 2023 07:03:48 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IGOSbsTQVe0wEKzJlx4cykhyRfwYLKI+h1P99pd6+F7uXDtfpmJvp6Rh44zIB24Ju7AbMG6
X-Received: by 2002:a17:90a:e7c3:b0:277:4002:f5ca with SMTP id kb3-20020a17090ae7c300b002774002f5camr2183842pjb.9.1696428228097;
        Wed, 04 Oct 2023 07:03:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1696428228; cv=none;
        d=google.com; s=arc-20160816;
        b=cxl3rhFfs1QV3HZKWys3kdx4q8YJal6jYCLpDFyxMvyEdGyGdGXHsVZzqgX16OcuBP
         XdS1Nn0GBIkLygbqZMfmTNa5mZha0BIQ5W32HnEYV4tMVOJjKQlp9mTu4v3DYZ1gdtV8
         EGF//8Y3AtCZ1qhUNOv+uSiLEOJia/pylFwq/2hO6Nbr+rxc438yJKuOY39DAVXktcrs
         hr0JfAy2MnujNkh3ZVWcGBumRYe1UTyvVFvZT+86fJNyRw2Z0ZJEMewf+UqW2UmpzcBl
         nI/aLa7MwT0JcJda2p5M4T9o4neK4O/RnhEE6tJvZ31pEvEnX+clfigbZEKtMGKt/TcL
         qWfw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :content-language:references:cc:to:subject:user-agent:mime-version
         :date:message-id;
        bh=QPkVgKO6ACNpeP0Kj/u/eXYcXdHK1j8vWDVSh7Pa9YE=;
        fh=/N6xZX0KF6QMZKReeCsBRAzC/BqZrYatQLbSEas5PU0=;
        b=UkXJ8aREO7/mUKzPUKYiRmglg6B2/V1dyZqLARiC0JzRJyhbgDDi5oqv6hD/he4F2w
         VxUkM6wEZWZ5Drh4Y7D2tO3KKztraWOSVkggiMTzE7Eu/mQt+Z1bt9CqGrDrLWLrj+M3
         yQ6DrH3p5wGvDS2dgPHXkK32b72ob8M4Rao2zYnvrsmIFUUm1AeK25BHiLE4ZkJZuiO5
         eM7IvtDfx4otgvQBOVyatWC8bgQ62+HBniOlOycvLEFE7Q4rU/+nHlaHJKWMzM7LwS6f
         V3I9Qgop/3bSFkBzq5CE7e+TvTy2uEH9mTogKcBf2rMdgtwKIfVgZqxC0Pv5KFviXT/S
         JrTA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from pete.vger.email (pete.vger.email. [23.128.96.36])
        by mx.google.com with ESMTPS id f31-20020a17090a702200b0027762924984si1533815pjk.183.2023.10.04.07.03.47
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 04 Oct 2023 07:03:48 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) client-ip=23.128.96.36;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by pete.vger.email (Postfix) with ESMTP id 30A6D81BB19E;
	Wed,  4 Oct 2023 07:03:45 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at pete.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S242733AbjJDODf (ORCPT <rfc822;recursive.nomad@gmail.com>
        + 99 others); Wed, 4 Oct 2023 10:03:35 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33486 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S242696AbjJDODe (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 4 Oct 2023 10:03:34 -0400
Received: from alerce.blitiri.com.ar (alerce.blitiri.com.ar [IPv6:2001:bc8:228b:9000::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 11FBCAB
        for <linux-kernel@vger.kernel.org>; Wed,  4 Oct 2023 07:03:29 -0700 (PDT)
Received: from [IPV6:2a02:8109:aa40:4e0:b5c6:9671:3477:8fde]
        by sdfg.com.ar (chasquid) with ESMTPSA
        tls TLS_AES_128_GCM_SHA256
        (over submission+TLS, TLS-1.3, envelope from "rodrigo@sdfg.com.ar")
        ; Wed, 04 Oct 2023 14:03:25 +0000
Message-ID: <14c52402-ebc8-4425-9871-1663a87182ef@sdfg.com.ar>
Date:   Wed, 4 Oct 2023 16:03:24 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [RFC PATCH 0/2] seccomp: Split set filter into two steps
To:     Hengqi Chen <hengqi.chen@gmail.com>, linux-kernel@vger.kernel.org,
        bpf@vger.kernel.org
Cc:     keescook@chromium.org, luto@amacapital.net, wad@chromium.org,
        alexyonghe@tencent.com,
        Alban Crequy <albancrequy@linux.microsoft.com>
References: <20231003083836.100706-1-hengqi.chen@gmail.com>
Content-Language: en-US
From:   Rodrigo Campos <rodrigo@sdfg.com.ar>
In-Reply-To: <20231003083836.100706-1-hengqi.chen@gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable
	autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Wed, 04 Oct 2023 07:03:45 -0700 (PDT)

On 10/3/23 10:38, Hengqi Chen wrote:
> This patchset introduces two new operations which essentially
> splits the SECCOMP_SET_MODE_FILTER process into two steps:
> SECCOMP_LOAD_FILTER and SECCOMP_ATTACH_FILTER.
> 
> The SECCOMP_LOAD_FILTER loads the filter and returns a fd
> which can be pinned to bpffs. This extends the lifetime of the
> filter and thus can be reused by different processes.

A quick question to see if handling something else too is 
possible/reasonable to do here too.

Let me explain our use case first.

For us (Alban in cc) it would be great if we can extend the lifetime of 
the fd returned, so the process managing a seccomp notification in 
userspace can easly crash or be updated. Today, if the agent that got 
the fd crashes, all the "notify-syscalls" return ENOSYS in the target 
process.

Our use case is we created a seccomp agent to use in Kubernetes 
(github.com/kinvolk/seccompagent) and we need to handle either the agent 
crashing or upgrading it. We were thinking tricks to have another 
container that just stores fds and make sure that never crashes, but it 
is not ideal (we checked tricks to use systemd to store our fds, but it 
is not simpler either to use from containers).

If the agent crashes today, all the syscalls return ENOSYS. It will be 
great if we can make the process doing the syscall just wait until a new 
process to handle the notifications is up and the syscalls done in the 
meantime are just queued. A mode of saying "if the agent crashes, just 
queue notifications, one agent to pick them up will come back soon" (we 
can of course limit reasonably the notification queue).

It seems the split here would not just work for that use case. I think 
we would need to pin the attachment.

Do you think handling that is something reasonable to do in this series too?

I'll be afk until end next week. I'll catch up as soon as I'm back with 
internet :)



Best,
Rodrigo