[PATCH v2 2/3] seccomp: Introduce addfd ioctl to seccomp user notifier
Kees Cook
keescook at chromium.org
Sat May 30 16:07:16 UTC 2020
On Sat, May 30, 2020 at 03:08:37PM +0100, Al Viro wrote:
> On Fri, May 29, 2020 at 07:43:10PM -0700, Kees Cook wrote:
>
> > Can anyone clarify the expected failure mode from SCM_RIGHTS? Can we
> > move the put_user() after instead? I think cleanup would just be:
> > replace_fd(fd, NULL, 0)
>
> Bollocks.
>
> Repeat after me: descriptor tables can be shared. There is no
> "cleanup" after you've put something there.
Right -- this is what I was trying to ask about, and why I didn't like
the idea of just leaving the fd in the table on failure. But yeah, there
is a race if the process is about to fork or something.
So the choice here is how to handle the put_user() failure:
- add the put_user() address to the new helper, as I suggest in [1].
(exactly duplicates current behavior)
- just leave the fd in place (not current behavior: dumps a fd into
the process without "agreed" notification).
- do a double put_user (once before and once after), also in [1].
(sort of a best-effort combo of the above two. and SCM_RIGHTS is
hardly fast-pth).
-Kees
[1] https://lore.kernel.org/linux-api/202005282345.573B917@keescook/
--
Kees Cook
More information about the Containers
mailing list