Re: [PATCH v2 2/3] seccomp: Introduce addfd ioctl to seccomp user notifier

From: Sargun Dhillon
Date: Mon Jun 01 2020 - 15:02:52 EST

On Sat, May 30, 2020 at 9:07 AM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> On Sat, May 30, 2020 at 03:08:37PM +0100, Al Viro wrote:
> > On Fri, May 29, 2020 at 07:43:10PM -0700, Kees Cook wrote:
> >
> > > Can anyone clarify the expected failure mode from SCM_RIGHTS? Can we
> > > move the put_user() after instead? I think cleanup would just be:
> > > replace_fd(fd, NULL, 0)
> >
> > Bollocks.
> >
> > Repeat after me: descriptor tables can be shared. There is no
> > "cleanup" after you've put something there.
> Right -- this is what I was trying to ask about, and why I didn't like
> the idea of just leaving the fd in the table on failure. But yeah, there
> is a race if the process is about to fork or something.
> So the choice here is how to handle the put_user() failure:
> - add the put_user() address to the new helper, as I suggest in [1].
> (exactly duplicates current behavior)
> - just leave the fd in place (not current behavior: dumps a fd into
> the process without "agreed" notification).
> - do a double put_user (once before and once after), also in [1].
> (sort of a best-effort combo of the above two. and SCM_RIGHTS is
> hardly fast-pth).
> -Kees
> [1]
> --
> Kees Cook

I'm going to suggest we stick to the approach of doing[1]:
1. Allocate FD
2. put_user
3. "Receive" and install file into FD

That is the only way to preserve the current behaviour in which userspace
is notified about *every* FD that is received via SCM_RIGHTS. The
scm_detach_fds code as it reads today does effectively what is above,
in that the fd is not installed until *after* the put user. Therefore
if put_user
gets an EFAULT or ENOMEM, it falls through to the MSG_CTRUNC bit.

The approach suggested[2] has a "change" in behaviour, in that (all in
1. Allocate FD
2. Receive file
3. put_user

Based on what Al Viro said, I don't think we can simply add step #4,
being "just" uninstall the FD.