Re: [PATCH v2 2/3] seccomp: Introduce addfd ioctl to seccomp user notifier
From: Kees Cook
Date: Mon Jun 01 2020 - 15:59:40 EST
On Mon, Jun 01, 2020 at 12:02:10PM -0700, Sargun Dhillon wrote:
> On Sat, May 30, 2020 at 9:07 AM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> >
> > On Sat, May 30, 2020 at 03:08:37PM +0100, Al Viro wrote:
> > > On Fri, May 29, 2020 at 07:43:10PM -0700, Kees Cook wrote:
> > >
> > > > Can anyone clarify the expected failure mode from SCM_RIGHTS? Can we
> > > > move the put_user() after instead? I think cleanup would just be:
> > > > replace_fd(fd, NULL, 0)
> > >
> > > Bollocks.
> > >
> > > Repeat after me: descriptor tables can be shared. There is no
> > > "cleanup" after you've put something there.
> >
> > Right -- this is what I was trying to ask about, and why I didn't like
> > the idea of just leaving the fd in the table on failure. But yeah, there
> > is a race if the process is about to fork or something.
> >
> > So the choice here is how to handle the put_user() failure:
> >
> > - add the put_user() address to the new helper, as I suggest in [1].
> > (exactly duplicates current behavior)
> > - just leave the fd in place (not current behavior: dumps a fd into
> > the process without "agreed" notification).
> > - do a double put_user (once before and once after), also in [1].
> > (sort of a best-effort combo of the above two. and SCM_RIGHTS is
> > hardly fast-pth).
> >
> > -Kees
> >
> > [1] https://lore.kernel.org/linux-api/202005282345.573B917@keescook/
> >
> > --
> > Kees Cook
>
> I'm going to suggest we stick to the approach of doing[1]:
> 1. Allocate FD
> 2. put_user
> 3. "Receive" and install file into FD
>
> That is the only way to preserve the current behaviour in which userspace
> is notified about *every* FD that is received via SCM_RIGHTS. The
> scm_detach_fds code as it reads today does effectively what is above,
> in that the fd is not installed until *after* the put user. Therefore
> if put_user
> gets an EFAULT or ENOMEM, it falls through to the MSG_CTRUNC bit.
>
> The approach suggested[2] has a "change" in behaviour, in that (all in
> file_receive):
> 1. Allocate FD
> 2. Receive file
> 3. put_user
>
> Based on what Al Viro said, I don't think we can simply add step #4,
> being "just" uninstall the FD.
>
> [1]: https://www.mail-archive.com/linux-kernel@xxxxxxxxxxxxxxx/msg2179418.html
> [2]: https://www.mail-archive.com/linux-kernel@xxxxxxxxxxxxxxx/msg2179453.html
Agreed. Thanks!
--
Kees Cook