[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20200616051218.GA16032@ircssh-2.c.rugged-nimbus-611.internal>
Date: Tue, 16 Jun 2020 05:12:19 +0000
From: Sargun Dhillon <sargun@...gun.me>
To: Jann Horn <jannh@...gle.com>
Cc: Kees Cook <keescook@...omium.org>,
kernel list <linux-kernel@...r.kernel.org>,
Tycho Andersen <tycho@...ho.ws>,
Aleksa Sarai <cyphar@...har.com>,
Christian Brauner <christian.brauner@...ntu.com>,
Linux Containers <containers@...ts.linux-foundation.org>,
Linux API <linux-api@...r.kernel.org>
Subject: Re: [RFC PATCH] seccomp: Add extensibility mechanism to read
notifications
On Mon, Jun 15, 2020 at 11:36:22AM +0200, Jann Horn wrote:
> On Sat, Jun 13, 2020 at 9:26 AM Sargun Dhillon <sargun@...gun.me> wrote:
> > This introduces an extensibility mechanism to receive seccomp
> > notifications. It uses read(2), as opposed to using an ioctl. The listener
> > must be first configured to write the notification via the
> > SECCOMP_IOCTL_NOTIF_CONFIG ioctl with the fields that the user is
> > interested in.
> >
> > This is different than the old SECCOMP_IOCTL_NOTIF_RECV method as it allows
> > for more flexibility. It allows the user to opt into certain fields, and
> > not others. This is nice for users who want to opt into some fields like
> > thread group leader. In the future, this mechanism can be used to expose
> > file descriptors to users,
>
> Please don't touch the caller's file descriptor table from read/write
> handlers, only from ioctl handlers. A process should always be able to
> read from files supplied by an untrusted user without having to worry
> about new entries mysteriously popping up in its fd table.
>
Acknowledged.
Is something like:
ioctl(listener, SECCOMP_GET_MEMORY, notification_id);
reasonable in your opinion?
> > such as a representation of the process's
> > memory. It also has good forwards and backwards compatibility guarantees.
> > Users with programs compiled against newer headers will work fine on older
> > kernels as long as they don't opt into any sizes, or optional fields that
> > are only available on newer kernels.
> >
> > The ioctl method relies on an extensible struct[1]. This extensible struct
> > is slightly misleading[2] as the ioctl number changes when we extend it.
> > This breaks backwards compatibility with older kernels even if we're not
> > asking for any fields that we do not need. In order to deal with this, the
> > ioctl number would need to be dynamic, or the user would need to pass the
> > size they're expecting, and we would need to implemented "extended syscall"
> > semantics in ioctl. This potentially causes issue to future work of
> > kernel-assisted copying for ioctl user buffers.
>
> I don't see the issue. Can't you replace "switch (cmd)" with "switch
> (cmd & ~IOCSIZE_MASK)" and then check the size separately?
It depends:
1. If we rely purely on definitions in ioctl.h, and the user they've pulled
in a newer header file, on an older kernel, it will fail. This is because
the size is bigger, and we don't actually know if they're interested in
those new values
2. We can define new seccomp IOCTL versions, and expose these to the user.
This has some niceness to it, in that there's a simple backwards compatibiity
story. This is a little unorthodox though.
3. We do something like embed the version / size that someone is interested
in in the struct, and the ioctl reads it in order to determine which version
of the fields to populate. This is effectively what the read approach does
with more steps.
There's no reason we can't do #3. Just a complexity tradeoff.
Powered by blists - more mailing lists