Received: by 2002:a05:7412:cfc7:b0:fc:a2b0:25d7 with SMTP id by7csp2176918rdb; Tue, 20 Feb 2024 22:10:48 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCV2lkoE7YDfn7so85cyDxm9Z/Mu9JrDPYLSUwobuCm50h6NupimOjj1VlLlQvLPtEP5t/ChtS6aE4jKTzdyTGnMOOvdt752jDeKvS+S+w== X-Google-Smtp-Source: AGHT+IH+H5KGtO7VIxs/JlJgy3bXAFh89wAQhgmYd0iF/31N1itQVVa7rZJ1dcTEFxtr4Xd6d7PX X-Received: by 2002:a17:902:e746:b0:1d9:a15:615d with SMTP id p6-20020a170902e74600b001d90a15615dmr25848224plf.1.1708495847774; Tue, 20 Feb 2024 22:10:47 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1708495847; cv=pass; d=google.com; s=arc-20160816; b=jryjHAte7dZd81QkOtoUKjZlRQXvcdv+dpyXX3wrizajw6yrrbvxv7G+VgNM4oqoO3 gq1+95BeC7IRMavC0MKG2VDmXt2uaVof3SxCEjlr4zxsSmmzGRkhPRAwvtiYMk0htLRi zw0Fluc/OVB9Up//s4+c82NydmpFV1uVScudARcA5LryYp1qNv3YsXCPHxL1bFUmkNH9 HOZi7+TUbfZn2zwo5tSy+p9UKiF3y8n6SrgJTZ0iv+bvFp1DR8JpXIzNZYo4uZhyxGKn jwn08x8ouC19g+llKmgdDpqRpniTcb/r/05MLtMiYH+V962gGNJmESSqAo+YBwFWTJgZ LIuA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:to:content-language:cc:subject:from :user-agent:mime-version:list-unsubscribe:list-subscribe:list-id :precedence:date:message-id:dkim-signature; bh=5rX7sgFHUj3uKZC/7jfvsbJOmXH2ANVIA8RBW3AYhkk=; fh=kAJPrDGNp8/CPCXO0I9aanGaGHmsGJsRV9ArVwpYLYc=; b=HmreD6nwaXp3dAJfMcJOb16BkzB9gvhObXfq2A0cTAf1O7abwET2b842BaPT8/BZAX ps2Kxr3n+fJYfR3ZgrrJHNecetLEiaaFUEOTHg9hsfMQwflgfD190izpYTvq7MufT7CY SsYq1j4jtiHutNR219BXNtWBZwu1OkaNuK3QZIqhb7myFdC3vTz0/sGQMW4rCBY2SODu R/Oa61jro8hkPx01jpf9ulaa2ZiPEvgZkddOar3gL4+TiXIm1ebobuUKoMfs4YONEYU2 jzD7zSL9HEe3F6TlWuXmWStHs7De0OTNNcFFQ5f1Wx1lFCE7LKtK5y24z0UU7P/rMIdD QT4Q==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@xen0n.name header.s=mail header.b=kVdlN9Zu; arc=pass (i=1 spf=pass spfdomain=xen0n.name dkim=pass dkdomain=xen0n.name); spf=pass (google.com: domain of linux-kernel+bounces-74126-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-74126-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id mc3-20020a1709032b0300b001db7180225esi7609129plb.574.2024.02.20.22.10.47 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 20 Feb 2024 22:10:47 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-74126-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@xen0n.name header.s=mail header.b=kVdlN9Zu; arc=pass (i=1 spf=pass spfdomain=xen0n.name dkim=pass dkdomain=xen0n.name); spf=pass (google.com: domain of linux-kernel+bounces-74126-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-74126-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id AEA3C28673D for ; Wed, 21 Feb 2024 06:10:17 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id E6D9339FFC; Wed, 21 Feb 2024 06:10:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=xen0n.name header.i=@xen0n.name header.b="kVdlN9Zu" Received: from mailbox.box.xen0n.name (mail.xen0n.name [115.28.160.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 46DD739FCC; Wed, 21 Feb 2024 06:10:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=115.28.160.31 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708495811; cv=none; b=C5c0wmnnIuOPyVnR6Ywz2cKlad2ssX9sUnEYPqEYql4BneKisLN72pAXCNrVRVnlC2WbimVVcqEr1N3ZygESuTzbP2CqSlrK78PxSVEIpSOeIy1DEWXcrMlmDnUyAJchEWNcoH2WcsbGxggF8pjvSH42L0T/php3AqsihpznkUk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708495811; c=relaxed/simple; bh=XmxTxuBUd9bgDZbvvAv4A9s2A785jmsYFz56RLFl97A=; h=Message-ID:Date:MIME-Version:From:Subject:Cc:To:Content-Type; b=iy7XzS1E9Kx53rTa92+2nIMzotuNgvo8jG227jQylTLtg46HrqOl3wy0ANdlpixYWDvPmJ9UWl1h9fn/SNDhLoRc8QUN5P7LGnxn9Tp64w+azecEM3fsRDnXFoceOQePCnolBUpJX7KdmOcR/sXg8dHQyQZue6+hKcNIwTAK+1Q= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=xen0n.name; spf=pass smtp.mailfrom=xen0n.name; dkim=pass (1024-bit key) header.d=xen0n.name header.i=@xen0n.name header.b=kVdlN9Zu; arc=none smtp.client-ip=115.28.160.31 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=xen0n.name Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=xen0n.name DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=xen0n.name; s=mail; t=1708495800; bh=XmxTxuBUd9bgDZbvvAv4A9s2A785jmsYFz56RLFl97A=; h=Date:From:Subject:Cc:To:From; b=kVdlN9ZuAQzFRahzf/zHop19IBrMMspDOw4JQJCYvj50AH7aSNfic2qr1ItfIWonE ig5UFgdZjQ/Ng2tXL3cLvUGG5ZUo2eO5+hBX+yxYx3M30GeqzS75fZcmuaMe1tDJiQ gEkLKrX7UzVqG6hP4zznt4WFoBYZxH6BpEYjqxyA= Received: from [IPV6:240e:388:8d00:6500:8954:615d:4577:1f21] (unknown [IPv6:240e:388:8d00:6500:8954:615d:4577:1f21]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mailbox.box.xen0n.name (Postfix) with ESMTPSA id A96D160094; Wed, 21 Feb 2024 14:09:59 +0800 (CST) Message-ID: <599df4a3-47a4-49be-9c81-8e21ea1f988a@xen0n.name> Date: Wed, 21 Feb 2024 14:09:59 +0800 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird From: WANG Xuerui Subject: Chromium sandbox on LoongArch and statx -- seccomp deep argument inspection again? Cc: Arnd Bergmann , Christian Brauner , Kees Cook , Huacai Chen , Xuefeng Li , Jianmin Lv , Xiaotian Wu , WANG Rui , Miao Wang , Icenowy Zheng , "loongarch@lists.linux.dev" , linux-arch , Linux Kernel Mailing List Content-Language: en-US To: linux-api@vger.kernel.org Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Hi, Recently, we -- community LoongArch porters -- have noticed a problem where the Chromium sandbox apparently wants to deny statx [^1] so it could properly inspect arguments after the sandboxed process later falls back to fstat. The reasoning behind the change was not clear in the patch; but we found out it's basically because there's currently not a "fd-only" version of statx, so that the sandbox has no way to ensure the path argument is empty without being able to peek into the sandboxed process's memory. For architectures able to do newfstatat though, the glibc falls back to newfstatat after getting -ENOSYS for statx, then the respective SIGSYS handler [^2] takes care of inspecting the path argument, transforming allowed newfstatat's into fstat instead which is allowed and has the same type of return value. But, as loongarch is the first architecture to not have fstat nor newfstatat, the LoongArch glibc does not attempt falling back at all when it gets -ENOSYS for statx -- and you see the problem there! Actually, back when the loongarch port was under review, people were aware of the same problem with sandboxing clone3 [^3], so clone was eventually kept. Unfortunately it seemed at that time no one had noticed statx, so besides restoring fstat/newfstatat to loongarch uapi (and postponing the problem further), it seems inevitable that we would need to tackle seccomp deep argument inspection; this is obviously a decision that shouldn't be taken lightly, so I'm posting this to restart the conversation to figure out a way forward together. We basically could do one of below: - just restore fstat and be done with it; - add a flag to statx so we can do the equivalent of just fstat(fd, &out) with statx, and ensuring an error happens if path is not empty in that case; - tackle the long-standing problem of seccomp deep argument inspection (!). Obviously, the simplest solution would be to "just restore fstat". But again, in my opinion this is not quite a solution but a workaround -- we have good reasons to keep just statx (mainly because its feature set is a strict superset of those of fstat/newfstatat), and we're not quite in a hurry to resolve this. Because one of the prerequisites for a new Chromium port is "inclusion in Debian stable" -- as the loong64 port [^4] is progressing and the next Debian release would not happen until 2025, we still have time for a more "elegant" solution. Alternatively, we could also introduce a new flag for statx, maybe named AT_STATX_NO_PATH or something like that, so that statx would ignore the path altogether or error on non-empty paths if called with flags containing AT_EMPTY_PATH | AT_STATX_NO_PATH. This way a seccomp policy could allow statx calls only with such flags (that are passed via register and accessible) and maintain the same level of safety as with fstat. But there is also disadvantage to this approach: the flag would be useful only for sandboxes, because in other cases there's no need to avoid reading from &path. This is also more of a workaround to avoid the deep argument inspection problem. Lastly, should we decide to go the hardest way, according to a previous mail [^5] (about clone3) and the LPC 2019 discussion [^6] [^7], we probably would try the metadata-annotation-based and piece-by-piece approach, as it's expected to provide the most benefit and involve less code changes. The implementation, as I surmise, will involve modifying the generic syscall entrypoint for early copying of user data, and corresponding changes to seccomp plumbing so this information is properly exposed. I don't have a roadmap for non-generic-entry arches right now, and I also haven't started designing the new seccomp ABI for that. As a matter of fact, members of the LoongArch community (myself included) are still fresh to this area of expertise, so a bit more of your feedback will be appreciated. Thanks to Miao Wang from AOSC for doing much of the investigation. [^1]: https://chromium-review.googlesource.com/c/chromium/src/+/2823150 [^2]: https://chromium.googlesource.com/chromium/src/sandbox/+/c085b51940bd/linux/seccomp-bpf-helpers/sigsys_handlers.cc#355 [^3]: https://lore.kernel.org/linux-arch/20220511211231.GG7074@brightrain.aerifal.cx/ [^4]: https://wiki.debian.org/Ports/loong64 [^5]: https://lwn.net/ml/linux-kernel/201905301122.88FD40B3@keescook/ [^6]: https://lwn.net/Articles/799557/ [^7]: https://lpc.events/event/4/contributions/560/attachments/397/640/deep-arg-inspection.pdf -- WANG "xen0n" Xuerui Linux/LoongArch mailing list:https://lore.kernel.org/loongarch/