Re: [PATCH v2 2/3] seccomp: Introduce addfd ioctl to seccomp user notifier

From: Kees Cook
Date: Sat May 30 2020 - 12:07:31 EST

On Sat, May 30, 2020 at 03:08:37PM +0100, Al Viro wrote:
> On Fri, May 29, 2020 at 07:43:10PM -0700, Kees Cook wrote:
> > Can anyone clarify the expected failure mode from SCM_RIGHTS? Can we
> > move the put_user() after instead? I think cleanup would just be:
> > replace_fd(fd, NULL, 0)
> Bollocks.
> Repeat after me: descriptor tables can be shared. There is no
> "cleanup" after you've put something there.

Right -- this is what I was trying to ask about, and why I didn't like
the idea of just leaving the fd in the table on failure. But yeah, there
is a race if the process is about to fork or something.

So the choice here is how to handle the put_user() failure:

- add the put_user() address to the new helper, as I suggest in [1].
(exactly duplicates current behavior)
- just leave the fd in place (not current behavior: dumps a fd into
the process without "agreed" notification).
- do a double put_user (once before and once after), also in [1].
(sort of a best-effort combo of the above two. and SCM_RIGHTS is
hardly fast-pth).


[1] 202005282345.573B917@keescook/">

Kees Cook