Re: [PATCH v2 2/3] seccomp: Introduce addfd ioctl to seccomp user notifier

From: Giuseppe Scrivano
Date: Fri May 29 2020 - 05:24:43 EST


Sargun Dhillon <sargun@xxxxxxxxx> writes:

> This adds a seccomp notifier ioctl which allows for the listener to "add"
> file descriptors to a process which originated a seccomp user
> notification. This allows calls like mount, and mknod to be "implemented",
> as the return value, and the arguments are data in memory. On the other
> hand, calls like connect can be "implemented" using pidfd_getfd.
>
> Unfortunately, there are calls which return file descriptors, like
> open, which are vulnerable to TOC-TOU attacks, and require that the
> more privileged supervisor can inspect the argument, and perform the
> syscall on behalf of the process generating the notification. This
> allows the file descriptor generated from that open call to be
> returned to the calling process.
>
> In addition, there is functionality to allow for replacement of
> specific file descriptors, following dup2-like semantics.
>
> Signed-off-by: Sargun Dhillon <sargun@xxxxxxxxx>
> Suggested-by: Matt Denton <mpdenton@xxxxxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxx>
> Cc: Jann Horn <jannh@xxxxxxxxxx>
> Cc: Robert Sesek <rsesek@xxxxxxxxxx>
> Cc: Chris Palmer <palmer@xxxxxxxxxx>
> Cc: Christian Brauner <christian.brauner@xxxxxxxxxx>
> Cc: Tycho Andersen <tycho@xxxxxxxx>
> ---

Thanks, this is a really useful feature.

Tested-by: Giuseppe Scrivano <gscrivan@xxxxxxxxxx>