| Message ID | 1443636820-17083-5-git-send-email-tycho.andersen@canonical.com |
|---|---|
| State | Changes Requested, archived |
| Delegated to: | David Miller |
| Headers | show |
On Wed, Sep 30, 2015 at 11:13 AM, Tycho Andersen <tycho.andersen@canonical.com> wrote: > This command allows comparing the underling private data of two fds. This > is useful e.g. to find out if a seccomp filter is inherited, since struct > seccomp_filter are unique across tasks and are the private_data seccomp > fds. This is very implementation-specific and may have nasty ABI consequences far outside seccomp. Let's do something specific to seccomp and/or eBPF. --Andy -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, Sep 30, 2015 at 11:25:41AM -0700, Andy Lutomirski wrote: > On Wed, Sep 30, 2015 at 11:13 AM, Tycho Andersen > <tycho.andersen@canonical.com> wrote: > > This command allows comparing the underling private data of two fds. This > > is useful e.g. to find out if a seccomp filter is inherited, since struct > > seccomp_filter are unique across tasks and are the private_data seccomp > > fds. > > This is very implementation-specific and may have nasty ABI > consequences far outside seccomp. Let's do something specific to > seccomp and/or eBPF. We could change the name to a less generic KCMP_SECCOMP_FD or something, but without some sort of GUID on each struct seccomp_filter, the implementation would be effectively the same as it is today. Is that enough, or do we need a GUID? Tycho -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, Sep 30, 2015 at 11:41 AM, Tycho Andersen <tycho.andersen@canonical.com> wrote: > On Wed, Sep 30, 2015 at 11:25:41AM -0700, Andy Lutomirski wrote: >> On Wed, Sep 30, 2015 at 11:13 AM, Tycho Andersen >> <tycho.andersen@canonical.com> wrote: >> > This command allows comparing the underling private data of two fds. This >> > is useful e.g. to find out if a seccomp filter is inherited, since struct >> > seccomp_filter are unique across tasks and are the private_data seccomp >> > fds. >> >> This is very implementation-specific and may have nasty ABI >> consequences far outside seccomp. Let's do something specific to >> seccomp and/or eBPF. > > We could change the name to a less generic KCMP_SECCOMP_FD or > something, but without some sort of GUID on each struct > seccomp_filter, the implementation would be effectively the same as it > is today. Is that enough, or do we need a GUID? > I don't care about the GUID. I think we should name it KCMP_SECCOMP_FD and make it only work on seccomp fds. Alternatively, we could figure out why KCMP_FILE doesn't do the trick and consider fixing it. IMO it's really too bad that struct file is so heavyweight that we can't really just embed one in all kinds of structures. --Andy -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, Sep 30, 2015 at 11:47:05AM -0700, Andy Lutomirski wrote: > On Wed, Sep 30, 2015 at 11:41 AM, Tycho Andersen > <tycho.andersen@canonical.com> wrote: > > On Wed, Sep 30, 2015 at 11:25:41AM -0700, Andy Lutomirski wrote: > >> On Wed, Sep 30, 2015 at 11:13 AM, Tycho Andersen > >> <tycho.andersen@canonical.com> wrote: > >> > This command allows comparing the underling private data of two fds. This > >> > is useful e.g. to find out if a seccomp filter is inherited, since struct > >> > seccomp_filter are unique across tasks and are the private_data seccomp > >> > fds. > >> > >> This is very implementation-specific and may have nasty ABI > >> consequences far outside seccomp. Let's do something specific to > >> seccomp and/or eBPF. > > > > We could change the name to a less generic KCMP_SECCOMP_FD or > > something, but without some sort of GUID on each struct > > seccomp_filter, the implementation would be effectively the same as it > > is today. Is that enough, or do we need a GUID? > > > > I don't care about the GUID. I think we should name it > KCMP_SECCOMP_FD and make it only work on seccomp fds. Ok, I can do that. > Alternatively, we could figure out why KCMP_FILE doesn't do the trick > and consider fixing it. IMO it's really too bad that struct file is > so heavyweight that we can't really just embed one in all kinds of > structures. The problem is that KCMP_FILE compares the file objects themselves, instead of the underlying data. If I ask for a seccomp fd for filter 0 twice, I'll have two different file objects and they won't be equal. I suppose we could add some special logic inside KCMP_FILE to compare the underlying data in special cases (seccomp, ebpf, others?), but it seems cleaner to have a separate command as you described above. Tycho -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, Sep 30, 2015 at 11:55 AM, Tycho Andersen <tycho.andersen@canonical.com> wrote: > On Wed, Sep 30, 2015 at 11:47:05AM -0700, Andy Lutomirski wrote: >> On Wed, Sep 30, 2015 at 11:41 AM, Tycho Andersen >> <tycho.andersen@canonical.com> wrote: >> > On Wed, Sep 30, 2015 at 11:25:41AM -0700, Andy Lutomirski wrote: >> >> On Wed, Sep 30, 2015 at 11:13 AM, Tycho Andersen >> >> <tycho.andersen@canonical.com> wrote: >> >> > This command allows comparing the underling private data of two fds. This >> >> > is useful e.g. to find out if a seccomp filter is inherited, since struct >> >> > seccomp_filter are unique across tasks and are the private_data seccomp >> >> > fds. >> >> >> >> This is very implementation-specific and may have nasty ABI >> >> consequences far outside seccomp. Let's do something specific to >> >> seccomp and/or eBPF. >> > >> > We could change the name to a less generic KCMP_SECCOMP_FD or >> > something, but without some sort of GUID on each struct >> > seccomp_filter, the implementation would be effectively the same as it >> > is today. Is that enough, or do we need a GUID? >> > >> >> I don't care about the GUID. I think we should name it >> KCMP_SECCOMP_FD and make it only work on seccomp fds. > > Ok, I can do that. > >> Alternatively, we could figure out why KCMP_FILE doesn't do the trick >> and consider fixing it. IMO it's really too bad that struct file is >> so heavyweight that we can't really just embed one in all kinds of >> structures. > > The problem is that KCMP_FILE compares the file objects themselves, > instead of the underlying data. If I ask for a seccomp fd for filter 0 > twice, I'll have two different file objects and they won't be equal. I > suppose we could add some special logic inside KCMP_FILE to compare > the underlying data in special cases (seccomp, ebpf, others?), but it > seems cleaner to have a separate command as you described above. > What I meant was that maybe we could get the two requests to actually produce the same struct file. But that could get very messy memory-wise. --Andy -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/include/uapi/linux/kcmp.h b/include/uapi/linux/kcmp.h index 84df14b..ed389d2 100644 --- a/include/uapi/linux/kcmp.h +++ b/include/uapi/linux/kcmp.h @@ -10,6 +10,7 @@ enum kcmp_type { KCMP_SIGHAND, KCMP_IO, KCMP_SYSVSEM, + KCMP_FILE_PRIVATE_DATA, KCMP_TYPES, }; diff --git a/kernel/kcmp.c b/kernel/kcmp.c index 0aa69ea..9ae673b 100644 --- a/kernel/kcmp.c +++ b/kernel/kcmp.c @@ -165,6 +165,20 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type, ret = -EOPNOTSUPP; #endif break; + case KCMP_FILE_PRIVATE_DATA: { + struct file *filp1, *filp2; + + filp1 = get_file_raw_ptr(task1, idx1); + filp2 = get_file_raw_ptr(task2, idx2); + + if (filp1 && filp2) + ret = kcmp_ptr(filp1->private_data, + filp2->private_data, + KCMP_FILE_PRIVATE_DATA); + else + ret = -EBADF; + break; + } default: ret = -EINVAL; break;
This command allows comparing the underling private data of two fds. This is useful e.g. to find out if a seccomp filter is inherited, since struct seccomp_filter are unique across tasks and are the private_data seccomp fds. Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com> CC: Kees Cook <keescook@chromium.org> CC: Will Drewry <wad@chromium.org> CC: Oleg Nesterov <oleg@redhat.com> CC: Andy Lutomirski <luto@amacapital.net> CC: Pavel Emelyanov <xemul@parallels.com> CC: Serge E. Hallyn <serge.hallyn@ubuntu.com> CC: Alexei Starovoitov <ast@kernel.org> CC: Daniel Borkmann <daniel@iogearbox.net> --- include/uapi/linux/kcmp.h | 1 + kernel/kcmp.c | 14 ++++++++++++++ 2 files changed, 15 insertions(+)