[PATCH v2 0/3] Add seccomp notifier ioctl that enables adding fds

From: Sargun Dhillon
Date: Thu May 28 2020 - 07:09:25 EST

Next message: Sargun Dhillon: "[PATCH v2 1/3] seccomp: Add find_notification helper"
Previous message: Colin King: "[PATCH][next] IB/hfi1: fix spelling mistake "enought" -> "enough""
Next in thread: Sargun Dhillon: "[PATCH v2 1/3] seccomp: Add find_notification helper"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This adds the capability for seccomp notifier listeners to add file
descriptors in response to a seccomp notification. This is useful for
syscalls in which the previous capabilities were not sufficient. The
current mechanism works well for syscalls that either have side effects
that are system / namespace wide (mount), or that operate on a specific
set of registers (reboot, mknod), and don't require dereferencing pointers.
The problem with derefencing pointers in a supervisor is that it leaves
us vulnerable to TOC-TOU [1] style attacks. For syscalls that had a direct
effect on file descriptors pidfd_getfd was added, allowing for those file
descriptors to be directly operated upon by the supervisor [2].

Unfortunately, this leaves system calls which return file descriptors
out of the picture. These are fairly common syscalls, such as openat,
socket, and perf_event_open that return file descriptors, and have
arguments that are pointers. These require that the supervisor is able to
verify the arguments, make the call on behalf of the process on hand,
and pass back the resulting file descriptor. This is where addfd comes
into play.

There is an additional flag that allows you to "set" an FD, rather than
add it with an arbitrary number. This has dup2 style semantics, and
installs the new file at that file descriptor, and atomically closes
the old one if it existed. This is useful for a particular use case
that we have, in which we want to swap out AF_INET sockets for AF_UNIX,
AF_INET6, and sockets in another namespace when doing "upconversion".

My specific usecase at Netflix is to enable our IPv4-IPv6 transition
mechanism, in which we our namespaces have no real IPv4 reachability,
and when it comes time to do a connect(2), we get a socket from a
namespace with global IPv4 reachability.

In addition, we intend to use it for our servicemesh, and where our
service mesh needs to intercept traffic ingress traffic, the addfd
capability will act as a mechanism to do socket activation.

Google Chrome has a use case has a use case related to sandboxing.
They use SECCOMP_RET_TRAP to capture filesystem related syscalls in
their sandbox, which returns the FDs via SCM_RIGHTS. Unfortunately,
this does not work when signals are disabled, which is becoming the
default in glibc library functions. They need to switch to an
alternative before this becomes the default in Linux distros, and
they need a mechanism to addfd to move forward.

Addfd is not implemented as a separate syscall, a la pidfd_getfd, as
VFS makes some optimizations in regards to the fdtable, and assumes
that they are not modified by external processes. Although a mechanism
that scheduled something in the context of the task could work, it is
somewhat simpler to do it in the context of the ioctl as we control
the task while in kernel. In addition there are not obvious needs
for this beyond seccomp notifier.

This mechanism leaves a potential issue that if the manager is
interrupted while injecting FDs, the child process will be left with
leaked / dangling FDs. This may lead to undefined behaviour. A
mechanism to work around this is to extend the structure and add a
"rollback" mechanism for FDs to be closed if things fail.

Changes since v1:
* find_notification has been cleaned up slightly, and it replaces a use
case in send as well.
* Fixes ref counting rules to get / release references in the ioctl side,
rather than the seccomp notifier side [3].
* Removes the optional move flag, and opts into SCM_RIGHTS
* Rearranges the seccomp_notif_addfd datastructure for greater user
clarity [4]. In order to avoid unnamed padding it makes size u64,
which is a little bit of a waste of space.
* Changes error codes to return ESRCH upon the process going away on
notification, and EINPROGRESS is the notification is in an unexpected
state (and added tests for this behaviour)

[1]: https://lore.kernel.org/lkml/20190918084833.9369-2-christian.brauner@xxxxxxxxxx/
[2]: https://lore.kernel.org/lkml/20200107175927.4558-1-sargun@xxxxxxxxx/
[3]: https://lore.kernel.org/lkml/20200525000537.GB23230@xxxxxxxxxxxxxxxxxx/
[4]: 20200525135036.vp2nmmx42y7dfznf@wittgenstein/">https://lore.kernel.org/lkml/20200525135036.vp2nmmx42y7dfznf@wittgenstein/

Sargun Dhillon (3):
seccomp: Add find_notification helper
seccomp: Introduce addfd ioctl to seccomp user notifier
selftests/seccomp: Test SECCOMP_IOCTL_NOTIF_ADDFD

include/uapi/linux/seccomp.h | 25 ++
kernel/seccomp.c | 231 ++++++++++++++++--
tools/testing/selftests/seccomp/seccomp_bpf.c | 180 ++++++++++++++
3 files changed, 410 insertions(+), 26 deletions(-)

--
2.25.1

Next message: Sargun Dhillon: "[PATCH v2 1/3] seccomp: Add find_notification helper"
Previous message: Colin King: "[PATCH][next] IB/hfi1: fix spelling mistake "enought" -> "enough""
Next in thread: Sargun Dhillon: "[PATCH v2 1/3] seccomp: Add find_notification helper"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]