Received: by 2002:a05:7208:9594:b0:7e:5202:c8b4 with SMTP id gs20csp1362631rbb;
        Mon, 26 Feb 2024 07:05:42 -0800 (PST)
X-Forwarded-Encrypted: i=3; AJvYcCWsUaYGY4XBwMNUhrMOTiCAraas1Sxaf+QtWFRktMnRopO6+jWnPCaCnl30u9CbC6JU1HaU35STYtcEq0hTJeBuLFC83qAjJ04pQOhxGQ==
X-Google-Smtp-Source: AGHT+IGWdSUopSME/dAGhA//O65nzXV7yF1HP05d7lMB2ECHbRNTxnr6wHzGBkGqM1s+lPvH/6/w
X-Received: by 2002:a17:90a:4b08:b0:29a:6b1d:4d32 with SMTP id g8-20020a17090a4b0800b0029a6b1d4d32mr5734844pjh.38.1708959942014;
        Mon, 26 Feb 2024 07:05:42 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1708959942; cv=pass;
        d=google.com; s=arc-20160816;
        b=HwSAOCj4lvBDoONoWdtSP6ptuUng3mc0scj0vqrftUifmROtSP2a11ZEfoeijXezEk
         YDoakM0ybBejK7mowwZlJzvaWIKZsuP7F8jx/6dsqABl1OKcWMeknj7Fkzkh3d/tlMza
         RIY5HZKaJ0qTW/PXn6wDmlLJrk7OdH0fBG60Ppn6U1tCJ/6pHmlG1VH9qNOdjuanY82N
         QMhJGpK3Iavh7sug2j2MHufXkCQBJtO5cQ/qTyJjMKA6euwKE59Jm8w127cxx9HII9Qv
         as9CgDOlJgMHUlSlHtlwVSUyD0L8wb+cfI1Km3pCPKFsE723162mcGiG6v59AAekTyWt
         ZnMQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=user-agent:in-reply-to:content-transfer-encoding
         :content-disposition:mime-version:list-unsubscribe:list-subscribe
         :list-id:precedence:references:message-id:subject:cc:to:from:date;
        bh=DgIaO/PEeF16KsciRmCvM/lKb6jI0i8Mz4kxvaSckNI=;
        fh=yMXcEa3g6ezBU927nl+SzpHsoiJtE3b1g+dFhooxHsY=;
        b=lJfkVpD9WnnKS0jE+hAE0JuvcZiWW6RBJxKP5YoHEW6OuAmaw2b4NCuO4//5IxHvbZ
         yVYLWm+EtfJEIuwrkKCG7qGhZ1vziE/NoP39ZkgBB4UWf/cBiRI+E5kuAZ2MMs9fRzP6
         jJqzXlxGkLHhatqwVt2u8SiRm2PZWIDF5pdSPU7Bzd0kYQ6oIwA8QX++NqJj42F1kyFx
         Txljl8QK6IkGspvoC1ildf2cKpjOlE0Ez7g3/2R/R+AH1c4ISlWzuYirlcILXTxH58qs
         jcyAUGfjiw1waYDeznTTKbHnEBZXjsM9zLOpjpsxNb1znDQl8+F5GfaA+cAvTNHyvB1V
         R9Xg==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=aerifal.cx);
       spf=pass (google.com: domain of linux-kernel+bounces-81638-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-81638-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-81638-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161])
        by mx.google.com with ESMTPS id g3-20020a17090a578300b002994211c0c2si5730976pji.81.2024.02.26.07.05.41
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 26 Feb 2024 07:05:42 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-81638-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161;
Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=aerifal.cx);
       spf=pass (google.com: domain of linux-kernel+bounces-81638-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-81638-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id 476C7B223F4
	for <linux.lists.archive@gmail.com>; Mon, 26 Feb 2024 14:34:33 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 1BE7B12C53E;
	Mon, 26 Feb 2024 14:33:08 +0000 (UTC)
Received: from brightrain.aerifal.cx (brightrain.aerifal.cx [104.156.224.86])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 986D7129A85
	for <linux-kernel@vger.kernel.org>; Mon, 26 Feb 2024 14:33:05 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=104.156.224.86
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1708957987; cv=none; b=YZQlFovBmjKdPNtpZLtMcM/gjhcN8/xO/GWULnSq/94ra9frjy/JuxHFFG+vOwAYpa4QPtsN8bdtbgCZ3xgCSdjR1wCxojgpr4ha0dutCJTH2A1FXpnZOKlUnYcPbTJeuAbJIeE9DESbC5nuX4qZQeGL+6zs2xaq9GM/LxC6Qd0=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1708957987; c=relaxed/simple;
	bh=8lBjv3w8DA/De0xjG4YAOs58xFeChbpwlxvyyaVDuRE=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=S408kMnFGL5ft411yWA6W2D/NFcIagaxkv3C9TN29I8i+do4w1W08TQrWpR29GtU1UtBQqCieCd+LZI5BXvVjjB0i/kNsBizqcOQVxKUWDu72vBDKLgeh4b8V86vKwcCb2QQOOe2yRdxpRezkL9B3pcjqp83oUE882TV2bYWsHU=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=aerifal.cx; spf=pass smtp.mailfrom=aerifal.cx; arc=none smtp.client-ip=104.156.224.86
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=aerifal.cx
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=aerifal.cx
Date: Mon, 26 Feb 2024 09:33:16 -0500
From: Rich Felker <dalias@aerifal.cx>
To: Christian Brauner <brauner@kernel.org>
Cc: Xi Ruoyao <xry111@xry111.site>, Arnd Bergmann <arnd@arndb.de>,
	Icenowy Zheng <uwu@icenowy.me>, Huacai Chen <chenhuacai@kernel.org>,
	WANG Xuerui <kernel@xen0n.name>,
	Adhemerval Zanella <adhemerval.zanella@linaro.org>,
	linux-api@vger.kernel.org, Kees Cook <keescook@chromium.org>,
	Xuefeng Li <lixuefeng@loongson.cn>,
	Jianmin Lv <lvjianmin@loongson.cn>,
	Xiaotian Wu <wuxiaotian@loongson.cn>,
	WANG Rui <wangrui@loongson.cn>,
	Miao Wang <shankerwangmiao@gmail.com>,
	"loongarch@lists.linux.dev" <loongarch@lists.linux.dev>,
	Linux-Arch <linux-arch@vger.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: Chromium sandbox on LoongArch and statx -- seccomp deep argument
 inspection again?
Message-ID: <20240226143315.GA22081@brightrain.aerifal.cx>
References: <599df4a3-47a4-49be-9c81-8e21ea1f988a@xen0n.name>
 <CAAhV-H4oW70y-2ZSp=b-Ed3A7Jrxfg6xvO8YpjED6To=PF0NwA@mail.gmail.com>
 <f063e65df92228cac6e57b0c21de6b750cf47e42.camel@icenowy.me>
 <24c47463f9b469bdc03e415d953d1ca926d83680.camel@xry111.site>
 <61c5b883762ba4f7fc5a89f539dcd6c8b13d8622.camel@icenowy.me>
 <3c396b7c-adec-4762-9584-5824f310bf7b@app.fastmail.com>
 <6f7a8e320f3c2bd5e9b704bb8d1f311714cd8644.camel@xry111.site>
 <b9fb0de1-bfb9-47a6-9730-325e7641c182@app.fastmail.com>
 <6bf460d17b9f44326497ffb41e03363b112d6927.camel@xry111.site>
 <20240226-siegen-desolat-49d1e20ba2cd@brauner>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20240226-siegen-desolat-49d1e20ba2cd@brauner>
User-Agent: Mutt/1.5.21 (2010-09-15)

On Mon, Feb 26, 2024 at 01:57:55PM +0100, Christian Brauner wrote:
> On Mon, Feb 26, 2024 at 07:57:56PM +0800, Xi Ruoyao wrote:
> > On Mon, 2024-02-26 at 10:20 +0100, Arnd Bergmann wrote:
> > 
> > /* snip */
> > 
> > > 
> > > > Or maybe we can just introduce a new AT_something to make statx
> > > > completely ignore pathname but behave like AT_EMPTY_PATH + "".
> 
> I'm not at all convinced about doing custom semantics for this.

I did not follow the entirety of this thread. I've been aware for a
while that the need to use AT_EMPTY_PATH (on archs that don't have old
syscalls) is a performance problem in addition to being a sandboxing
problem, because the semantics for it were defined to use the string
argument if present, thereby requiring the kernel to perform an
additional string read from user memory.

Unfortunately, I don't see any good fix. Even if we could add
AT_STATX_NO_PATH/AT_STATX_NULL_PATH, libc would not be using it,
because using them would incur EINVAL-then-fallback on kernels that
don't support it.

In regards to the Chromium sandbox, I think Chromium is just wrong
here. Blocking statx is not safe (it also does not work on 32-bit
archs -- it breaks time64 support! and riscv32 doesn't even have
legacy stat either, just like loongarch64), and there is really no
serious security risk from being able to stat arbitrary pathnames.
Maybe it's annoying from a theoretical purity standpoint that you
can't block that, but from a practical standpoint it doesn't really
matter.

I'd like to see a solution to this, but all the possible ones look
bad. And it's all a consequence of poor consideration of how
AT_EMPTY_PATH should work when it was first invented/added. >_<

> > > I think this is better than going back to fstat64_time64(), but
> > > it's still not great because
> > > 
> > > - all the reserved flags on statx() are by definition incompatible
> > >   with existing kernels that return -EINVAL for any flag they do
> > >   not recognize.
> > 
> > Oops, we are deeming passing undefined flags in "mask" undefined
> > behavior but not "flags", thus "wild software" may be relying on EINVAL
> > for invalid flags...  We *might* make this new AT_xxx a bit in mask
> > instead of flags but it would be very dirty IMO.
> 
> Uhm, no. AT_* flags have nothing to do in statx()'s mask argument at all.

They definitely cannot go in mask; that's semantically wrong.

Rich