Re: [RFC PATCH 1/3] seccomp: add SECCOMP_IOCTL_NOTIF_PIN_ARGS to close the unotify TOCTOU race
From: Christian Brauner
Date: Mon May 04 2026 - 08:51:53 EST
On Sun, 03 May 2026 18:12:05 -0700, Cong Wang <xiyou.wangcong@xxxxxxxxx> wrote:
> diff --git a/fs/namei.c b/fs/namei.c
> index c7fac83c9a85..ee86f4c91cae 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -222,6 +223,24 @@ do_getname(const char __user *filename, int flags, bool incomplete)
> [ ... skip 15 lines ... ]
> + pin = seccomp_pin_lookup_current((u64)(uintptr_t)filename);
> + if (pin && pin->kind == SECCOMP_PIN_CSTRING) {
> + if (pin->size <= 1 && !(flags & LOOKUP_EMPTY))
> + return ERR_PTR(-ENOENT);
> + return getname_kernel(pin->data);
> + }
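Review bot: The pinned-path branch hands `pin->data` to `getname_kernel()` without any visible check that the snapshot is NUL-terminated within `pin->size`; `getname_kernel()` takes the string length itself, so an unterminated pin would read past the snapshot buffer. The `pin->size <= 1` test only catches the empty-string case, so either enforce termination when the pin is created or bound the length against `pin->size` here before the call. Two further consequences of the early return are worth documenting in the commit message: the lookup is keyed on the user address alone (`(u64)(uintptr_t)filename`) and nothing in these lines consumes or invalidates the pin, so every later call with the same address in this task will take the same branch; and because `getname_kernel()` records no user pointer, audit and any handling tied to the `incomplete` argument of `do_getname()` are bypassed for pinned lookups.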
Sorry, no. That's just not acceptable at all. We're not spraying
"continue from snapshotted state" across the vfs and the kernel in
general. This is just screaming for security issues. Anything that wants
to do something remotely like this needs to come as generic abstraction
where the syscall layer itself doesn't have to care at all about this.
There are just so many corners where you run into issues with this.
--
Christian Brauner <brauner@xxxxxxxxxx>