[PATCH v2 0/5] Handle seccomp notification preemption
sargun at sargun.me
Fri Apr 30 20:49:34 UTC 2021
This patchset addresses a race condition we've dealt with recently with
seccomp. Specifically programs interrupting syscalls while they're in
progress. This was exacerbated by Golang's recent adoption of "async
preemption", in which they try to interrupt any syscall that's been
running for more than 10ms during GC. During certain syscalls, it's
non-trivial to write them in a reetrant manner in userspace (mount).
This has a couple semantic changes, and relaxes a check on seccomp_data, and
changes the semantics with ordering of how addfd and notification replies
in the supervisor are handled.
I'm resending after rebasing and testing on v5.12. It turns out this change
also fixed a bug Rodrigo found that could occur with addfd around certain
It also follows up on the original proposal from Tycho to allow
for adding an FD and returning that value atomically.
Changes since v1:
* Change from a flag, to an ioctl that explicitly sets the killable
state after reading the notification.
* Adds some more tests to make sure that fatal signals are handled.
Changes since RFC:
* Fix some documentation
* Add Rata's patches to allow for direct return from addfd
Rodrigo Campos (2):
seccomp: Support atomic "addfd + send reply"
selftests/seccomp: Add test for atomic addfd+send
Sargun Dhillon (3):
seccomp: Refactor notification handler to prepare for new semantics
seccomp: Add wait_killable semantic to seccomp user notifier
selftests/seccomp: Add test for wait killable notifier
.../userspace-api/seccomp_filter.rst | 22 +-
include/uapi/linux/seccomp.h | 3 +
kernel/seccomp.c | 146 ++++++++++++--
tools/testing/selftests/seccomp/seccomp_bpf.c | 190 ++++++++++++++++++
4 files changed, 335 insertions(+), 26 deletions(-)
More information about the Containers