Received: by 2002:a05:7208:9594:b0:7e:5202:c8b4 with SMTP id gs20csp1362631rbb; Mon, 26 Feb 2024 07:05:42 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCWsUaYGY4XBwMNUhrMOTiCAraas1Sxaf+QtWFRktMnRopO6+jWnPCaCnl30u9CbC6JU1HaU35STYtcEq0hTJeBuLFC83qAjJ04pQOhxGQ== X-Google-Smtp-Source: AGHT+IGWdSUopSME/dAGhA//O65nzXV7yF1HP05d7lMB2ECHbRNTxnr6wHzGBkGqM1s+lPvH/6/w X-Received: by 2002:a17:90a:4b08:b0:29a:6b1d:4d32 with SMTP id g8-20020a17090a4b0800b0029a6b1d4d32mr5734844pjh.38.1708959942014; Mon, 26 Feb 2024 07:05:42 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1708959942; cv=pass; d=google.com; s=arc-20160816; b=HwSAOCj4lvBDoONoWdtSP6ptuUng3mc0scj0vqrftUifmROtSP2a11ZEfoeijXezEk YDoakM0ybBejK7mowwZlJzvaWIKZsuP7F8jx/6dsqABl1OKcWMeknj7Fkzkh3d/tlMza RIY5HZKaJ0qTW/PXn6wDmlLJrk7OdH0fBG60Ppn6U1tCJ/6pHmlG1VH9qNOdjuanY82N QMhJGpK3Iavh7sug2j2MHufXkCQBJtO5cQ/qTyJjMKA6euwKE59Jm8w127cxx9HII9Qv as9CgDOlJgMHUlSlHtlwVSUyD0L8wb+cfI1Km3pCPKFsE723162mcGiG6v59AAekTyWt ZnMQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=user-agent:in-reply-to:content-transfer-encoding :content-disposition:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:references:message-id:subject:cc:to:from:date; bh=DgIaO/PEeF16KsciRmCvM/lKb6jI0i8Mz4kxvaSckNI=; fh=yMXcEa3g6ezBU927nl+SzpHsoiJtE3b1g+dFhooxHsY=; b=lJfkVpD9WnnKS0jE+hAE0JuvcZiWW6RBJxKP5YoHEW6OuAmaw2b4NCuO4//5IxHvbZ yVYLWm+EtfJEIuwrkKCG7qGhZ1vziE/NoP39ZkgBB4UWf/cBiRI+E5kuAZ2MMs9fRzP6 jJqzXlxGkLHhatqwVt2u8SiRm2PZWIDF5pdSPU7Bzd0kYQ6oIwA8QX++NqJj42F1kyFx Txljl8QK6IkGspvoC1ildf2cKpjOlE0Ez7g3/2R/R+AH1c4ISlWzuYirlcILXTxH58qs jcyAUGfjiw1waYDeznTTKbHnEBZXjsM9zLOpjpsxNb1znDQl8+F5GfaA+cAvTNHyvB1V R9Xg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=aerifal.cx); spf=pass (google.com: domain of linux-kernel+bounces-81638-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-81638-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id g3-20020a17090a578300b002994211c0c2si5730976pji.81.2024.02.26.07.05.41 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 26 Feb 2024 07:05:42 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-81638-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=aerifal.cx); spf=pass (google.com: domain of linux-kernel+bounces-81638-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-81638-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 476C7B223F4 for ; Mon, 26 Feb 2024 14:34:33 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 1BE7B12C53E; Mon, 26 Feb 2024 14:33:08 +0000 (UTC) Received: from brightrain.aerifal.cx (brightrain.aerifal.cx [104.156.224.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 986D7129A85 for ; Mon, 26 Feb 2024 14:33:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=104.156.224.86 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708957987; cv=none; b=YZQlFovBmjKdPNtpZLtMcM/gjhcN8/xO/GWULnSq/94ra9frjy/JuxHFFG+vOwAYpa4QPtsN8bdtbgCZ3xgCSdjR1wCxojgpr4ha0dutCJTH2A1FXpnZOKlUnYcPbTJeuAbJIeE9DESbC5nuX4qZQeGL+6zs2xaq9GM/LxC6Qd0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708957987; c=relaxed/simple; bh=8lBjv3w8DA/De0xjG4YAOs58xFeChbpwlxvyyaVDuRE=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=S408kMnFGL5ft411yWA6W2D/NFcIagaxkv3C9TN29I8i+do4w1W08TQrWpR29GtU1UtBQqCieCd+LZI5BXvVjjB0i/kNsBizqcOQVxKUWDu72vBDKLgeh4b8V86vKwcCb2QQOOe2yRdxpRezkL9B3pcjqp83oUE882TV2bYWsHU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=aerifal.cx; spf=pass smtp.mailfrom=aerifal.cx; arc=none smtp.client-ip=104.156.224.86 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=aerifal.cx Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=aerifal.cx Date: Mon, 26 Feb 2024 09:33:16 -0500 From: Rich Felker To: Christian Brauner Cc: Xi Ruoyao , Arnd Bergmann , Icenowy Zheng , Huacai Chen , WANG Xuerui , Adhemerval Zanella , linux-api@vger.kernel.org, Kees Cook , Xuefeng Li , Jianmin Lv , Xiaotian Wu , WANG Rui , Miao Wang , "loongarch@lists.linux.dev" , Linux-Arch , Linux Kernel Mailing List Subject: Re: Chromium sandbox on LoongArch and statx -- seccomp deep argument inspection again? Message-ID: <20240226143315.GA22081@brightrain.aerifal.cx> References: <599df4a3-47a4-49be-9c81-8e21ea1f988a@xen0n.name> <24c47463f9b469bdc03e415d953d1ca926d83680.camel@xry111.site> <61c5b883762ba4f7fc5a89f539dcd6c8b13d8622.camel@icenowy.me> <3c396b7c-adec-4762-9584-5824f310bf7b@app.fastmail.com> <6f7a8e320f3c2bd5e9b704bb8d1f311714cd8644.camel@xry111.site> <6bf460d17b9f44326497ffb41e03363b112d6927.camel@xry111.site> <20240226-siegen-desolat-49d1e20ba2cd@brauner> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20240226-siegen-desolat-49d1e20ba2cd@brauner> User-Agent: Mutt/1.5.21 (2010-09-15) On Mon, Feb 26, 2024 at 01:57:55PM +0100, Christian Brauner wrote: > On Mon, Feb 26, 2024 at 07:57:56PM +0800, Xi Ruoyao wrote: > > On Mon, 2024-02-26 at 10:20 +0100, Arnd Bergmann wrote: > > > > /* snip */ > > > > > > > > > Or maybe we can just introduce a new AT_something to make statx > > > > completely ignore pathname but behave like AT_EMPTY_PATH + "". > > I'm not at all convinced about doing custom semantics for this. I did not follow the entirety of this thread. I've been aware for a while that the need to use AT_EMPTY_PATH (on archs that don't have old syscalls) is a performance problem in addition to being a sandboxing problem, because the semantics for it were defined to use the string argument if present, thereby requiring the kernel to perform an additional string read from user memory. Unfortunately, I don't see any good fix. Even if we could add AT_STATX_NO_PATH/AT_STATX_NULL_PATH, libc would not be using it, because using them would incur EINVAL-then-fallback on kernels that don't support it. In regards to the Chromium sandbox, I think Chromium is just wrong here. Blocking statx is not safe (it also does not work on 32-bit archs -- it breaks time64 support! and riscv32 doesn't even have legacy stat either, just like loongarch64), and there is really no serious security risk from being able to stat arbitrary pathnames. Maybe it's annoying from a theoretical purity standpoint that you can't block that, but from a practical standpoint it doesn't really matter. I'd like to see a solution to this, but all the possible ones look bad. And it's all a consequence of poor consideration of how AT_EMPTY_PATH should work when it was first invented/added. >_< > > > I think this is better than going back to fstat64_time64(), but > > > it's still not great because > > > > > > - all the reserved flags on statx() are by definition incompatible > > >   with existing kernels that return -EINVAL for any flag they do > > >   not recognize. > > > > Oops, we are deeming passing undefined flags in "mask" undefined > > behavior but not "flags", thus "wild software" may be relying on EINVAL > > for invalid flags... We *might* make this new AT_xxx a bit in mask > > instead of flags but it would be very dirty IMO. > > Uhm, no. AT_* flags have nothing to do in statx()'s mask argument at all. They definitely cannot go in mask; that's semantically wrong. Rich