From nobody Fri Dec 19 04:59:01 2025 Received: from mail-io1-f74.google.com (mail-io1-f74.google.com [209.85.166.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0C98118029 for ; Fri, 28 Jun 2024 02:10:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.166.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719540620; cv=none; b=iY3s6xTwtg6B88HF9aagDp/nin01S2C+oeO86nG+lk9OzDnwSYpFq6n3hGSPaXh59guqUTlcFtTMv7UyBjL7+r3GW1Y/hbUeJ7j4FHErUIsbkH9haAnrdczaxXkhbTXZAkw0gu8LauBDNaMCYCT6X553nU9ixIOAwqMc2Df8cvA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719540620; c=relaxed/simple; bh=6yiGXrB5WtL9mRt6YBmtrD9asCT50HPAQlO2zgkhSto=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=O07ZZs+BHIDUnGvQUFn31958uMslTmOvbWeq++ibPHr9rv8mC1P4yRJgmWRbs9gZbQqtaFnyCDfCAUti8IYyBTQZycxIXlBFhOXFUoskiEq9UKtBRCbcGJbjpBcMaIVvo9dHBVHDvNEMd5yxK5HNI1AgGAaZ0g6oiP4IcsOSyjg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--avagin.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=jotAnsj2; arc=none smtp.client-ip=209.85.166.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--avagin.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="jotAnsj2" Received: by mail-io1-f74.google.com with SMTP id ca18e2360f4ac-7ebd2481a89so11076439f.2 for ; Thu, 27 Jun 2024 19:10:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1719540618; x=1720145418; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=FVleDmTKwwvHatuvVD4VDvqXq7pEzrykFrYLhY8PmD4=; b=jotAnsj2baUncnsjNINZN96vbggCy0tJern2x2cYITbU/cGau3CiokiKlzcA/TmIAN 9Wh9W9dsv/Dkm8cQ2m4EpCO5EayBzaWAFoH36k+xq5mwV+IiXY6TvfMqjsSaCLEHfU5y m2TrkHt04qkc2JUWsyfZwgaG7PO29z4Tyduy8BTx2BN0E1MRgQls7gnlVdsh1wvt1CWH FOCsUoXXc5zcy6B/o62A40RQhBCvLzCwr5bwk2GvnLFzzBeHrcQvCVeMes12zw9iARxh WHZUw2UK7VUu7FCAJ7Q7i00kd/jccoimRwCrhXEFuyd7dNAM1qdfhk3X1+uOnAc+zaRz 9Viw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719540618; x=1720145418; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=FVleDmTKwwvHatuvVD4VDvqXq7pEzrykFrYLhY8PmD4=; b=aV1SpG4WZfEdXZymYuD8D0dVRc/hvOSpb5h/UP/oy86EMnRKcu+3Z8HGTvcFzjFuOU xbS60D+YmQUM2+kIa4/dO+zyK/RxlEHRy0F557a+jwrR6RtIfKGRC+WEYWyXU6rGpwko V/jBjqyEkSvs/b9Msu7g6gvXNMCH7mXUawFFAvMn0Xk4RuALGNdV82Ze1T8g7mrguCVL QI1sQOBMW3ZvXKXxQ/aHSqLD8YqOQS/96uO5/90SpoG/lYTX8EqbfRCwDeqvSvdGGa3O WeSr665Z9Q0+aTz3/nDnWd9vDu3X0NdXmot/FHjFj1PkEN+PzXkpKOGhs27xzu+Y5Wja 6VOw== X-Gm-Message-State: AOJu0YwN6XBGY4ci2D2u48trz1NUcJ4zaCCpe952oXMAWBSB5EIskvZf d4c0XG3jai7Cgf1R8G/q2DgfVSz+A7yy/CoKbyaGB64melE7rOet+w0JQ11Kxn6JXv/q0O7FxkK dDA== X-Google-Smtp-Source: AGHT+IEpN/fmeg09QXYmRk76jlfhToz/dYyee0JzLxmQtyTpf1T1lmG777C8U6WhFAylTvCpUNKFzxyYeLw= X-Received: from avagin.c.googlers.com ([fda3:e722:ac3:cc00:2b:ff92:c0a8:b84]) (user=avagin job=sendgmr) by 2002:a05:6602:340a:b0:7f4:10e3:1671 with SMTP id ca18e2360f4ac-7f410e3190cmr9772639f.0.1719540618202; Thu, 27 Jun 2024 19:10:18 -0700 (PDT) Date: Fri, 28 Jun 2024 02:10:11 +0000 In-Reply-To: <20240628021014.231976-1-avagin@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240628021014.231976-1-avagin@google.com> X-Mailer: git-send-email 2.45.2.803.g4e1b14247a-goog Message-ID: <20240628021014.231976-2-avagin@google.com> Subject: [PATCH 1/4] seccomp: interrupt SECCOMP_IOCTL_NOTIF_RECV when all users have exited From: Andrei Vagin To: Kees Cook Cc: linux-kernel@vger.kernel.org, Tycho Andersen , Andy Lutomirski , Will Drewry , Oleg Nesterov , Christian Brauner , Andrei Vagin Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" SECCOMP_IOCTL_NOTIF_RECV promptly returns when a seccomp filter becomes unused, as a filter without users can't trigger any events. Previously, event listeners had to rely on epoll to detect when all processes had exited. The change is based on the 'commit 99cdb8b9a573 ("seccomp: notify about unused filter")' which implemented (E)POLLHUP notifications. Reviewed-by: Christian Brauner Signed-off-by: Andrei Vagin Reviewed-by: Oleg Nesterov Reviewed-by: Tycho Andersen --- kernel/seccomp.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index e30b60b57614..60990264fef0 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -1466,7 +1466,7 @@ static int recv_wake_function(wait_queue_entry_t *wai= t, unsigned int mode, int s void *key) { /* Avoid a wakeup if event not interesting for us. */ - if (key && !(key_to_poll(key) & (EPOLLIN | EPOLLERR))) + if (key && !(key_to_poll(key) & (EPOLLIN | EPOLLERR | EPOLLHUP))) return 0; return autoremove_wake_function(wait, mode, sync, key); } @@ -1476,6 +1476,9 @@ static int recv_wait_event(struct seccomp_filter *fil= ter) DEFINE_WAIT_FUNC(wait, recv_wake_function); int ret; =20 + if (refcount_read(&filter->users) =3D=3D 0) + return 0; + if (atomic_dec_if_positive(&filter->notif->requests) >=3D 0) return 0; =20 @@ -1484,6 +1487,8 @@ static int recv_wait_event(struct seccomp_filter *fil= ter) =20 if (atomic_dec_if_positive(&filter->notif->requests) >=3D 0) break; + if (refcount_read(&filter->users) =3D=3D 0) + break; =20 if (ret) return ret; --=20 2.45.2.803.g4e1b14247a-goog From nobody Fri Dec 19 04:59:01 2025 Received: from mail-il1-f201.google.com (mail-il1-f201.google.com [209.85.166.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DBAF417999 for ; Fri, 28 Jun 2024 02:10:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.166.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719540621; cv=none; b=kFT4uaKvJ1Zrhx0iNh8j0/B4t2WDgNOgnnZEriAKe09KY+Ce4YV9slnDm31bvcGwvJXF/8WFnPsOxUUF2OgJnI3Mabp48QyCD8nwjfQ2ukGKsCGGc848+SMpRXw50Uckoous8N3AVBwNIWsMPg3nCPOunKg2hs5oxb0xw8jqdDE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719540621; c=relaxed/simple; bh=QkaSF5A9KMosmZloQcUgW8Q/hsAxDn1li1t/sAbp0FQ=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=Q2XUYsNVz7+0l91AoHnfAU4ZEsFevHpqDIrw/t2fPvy+g6ClW3tBpUcPI/bKa7aEcOx9bkLHy4QzOrBXBICBa1RMRyknMMo6m3+WDlFDNIDYUf+0pvAgD95yrO00r1UWKqFqi0/txgf8vE8TfxfzTgnhVgOzL1UOtYgQGdfkt0I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--avagin.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=boZGEkrl; arc=none smtp.client-ip=209.85.166.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--avagin.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="boZGEkrl" Received: by mail-il1-f201.google.com with SMTP id e9e14a558f8ab-37642e69d7eso1514165ab.3 for ; Thu, 27 Jun 2024 19:10:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1719540619; x=1720145419; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=huWPnK1uLkj4Szurv4ShoZ3wTZ6ipU4nAKcPAprc9hg=; b=boZGEkrljNNp571l3OXNRVG7cvVGC+5CrlY3Zjw2KHkHo9cvyHyWGRI/i40X28lwym 9hn3pb7PPIICStEzrsO7hE5j96f7YQnStmj530TJneb30DyhPfOYsneKNVuhv3ecLRxX AVW+t0XE3o49LXv3rN9ByxYCv2Xec5XgSlLPRHOs00L8nkKTfRmX1i/9VpdP4gIZs8fY GDI55EzSRqLgnn6aimdbpianH61Jww1nDzIrdrVaas748Hti0yem8QwW066VGdqjLgjm dda5yCLEUdh77J5PMRGYYXP6HHQ7Cu7M8FG/rRuwWNyew9DZzYxnyqJR2ThdUvCLGaeG 8j4A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719540619; x=1720145419; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=huWPnK1uLkj4Szurv4ShoZ3wTZ6ipU4nAKcPAprc9hg=; b=MlNZKUTwIYZlgnoD8FmUotRoVJB8YyC1SsvqQLqRR9Jzwwe33YXF2f98LvyUwm8/9p 2r9X0oDIJZf7pA1lbLUFLhrovJxk1nAyvier6hJyP0r68gaFCExMVpQ1xcvy7nqKMdTh A3vO1S+P18XT4I8CyNM66knkykFQrAPR3stSt4o4GYq8hMDEteDZ3q/Hmdxl0Cem5leb sd+kf3GefIR8hvKjY7Xh7TY0AOVJV++uOBJxYacdBQ3Y3zN7DLrR7+jcsLhmfFHpmI78 EVmpuCmu2wqG4pujIH8e/93IzkNYehc7fifSoRVjRxsD8H0EaQPQYDhWxlcAHD54Ktw8 zccQ== X-Gm-Message-State: AOJu0YxOQVr91xIc3C8r982pfSoqBvIRF5JWqpsbp/S2GiPW7iO4e+FF D8IObewyBJQYohcxRbyeG00UvBH9lyk2f8CSaaM/hxudV5NqEUgjdq96QFV/UNWBd29hff8vzSy tJA== X-Google-Smtp-Source: AGHT+IEUDFyLCtWGzIFRBZlQ9Sdlt047pCjBFbfCUtAJWHlBva8lU0tMhsDkYHUs6C0VM8X4qLnIeCnl3xY= X-Received: from avagin.c.googlers.com ([fda3:e722:ac3:cc00:2b:ff92:c0a8:b84]) (user=avagin job=sendgmr) by 2002:a05:6e02:152c:b0:375:a202:254d with SMTP id e9e14a558f8ab-3763df1be5amr16494845ab.1.1719540619142; Thu, 27 Jun 2024 19:10:19 -0700 (PDT) Date: Fri, 28 Jun 2024 02:10:12 +0000 In-Reply-To: <20240628021014.231976-1-avagin@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240628021014.231976-1-avagin@google.com> X-Mailer: git-send-email 2.45.2.803.g4e1b14247a-goog Message-ID: <20240628021014.231976-3-avagin@google.com> Subject: [PATCH 2/4] seccomp: release task filters when the task exits From: Andrei Vagin To: Kees Cook Cc: linux-kernel@vger.kernel.org, Tycho Andersen , Andy Lutomirski , Will Drewry , Oleg Nesterov , Christian Brauner , Andrei Vagin Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Previously, seccomp filters were released in release_task(), which required the process to exit and its zombie to be collected. However, exited threads/processes can't trigger any seccomp events, making it more logical to release filters upon task exits. This adjustment simplifies scenarios where a parent is tracing its child process. The parent process can now handle all events from a seccomp listening descriptor and then call wait to collect a child zombie. seccomp_filter_release takes the siglock to avoid races with seccomp_sync_threads. There was an idea to bypass taking the lock by checking PF_EXITING, but it can be set without holding siglock if threads have SIGNAL_GROUP_EXIT. This means it can happen concurently with seccomp_filter_release. This change also fixes another minor problem. Suppose that a group leader installs the new filter without SECCOMP_FILTER_FLAG_TSYNC, exits, and becomes a zombie. Without this change, SECCOMP_FILTER_FLAG_TSYNC from any other thread can never succeed, seccomp_can_sync_threads() will check a zombie leader and is_ancestor() will fail. Reviewed-by: Oleg Nesterov Signed-off-by: Andrei Vagin Reviewed-by: Tycho Andersen --- kernel/exit.c | 3 ++- kernel/seccomp.c | 23 ++++++++++++++++++----- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/kernel/exit.c b/kernel/exit.c index f95a2c1338a8..b945ab81eb92 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -277,7 +277,6 @@ void release_task(struct task_struct *p) } =20 write_unlock_irq(&tasklist_lock); - seccomp_filter_release(p); proc_flush_pid(thread_pid); put_pid(thread_pid); release_thread(p); @@ -832,6 +831,8 @@ void __noreturn do_exit(long code) io_uring_files_cancel(); exit_signals(tsk); /* sets PF_EXITING */ =20 + seccomp_filter_release(tsk); + acct_update_integrals(tsk); group_dead =3D atomic_dec_and_test(&tsk->signal->live); if (group_dead) { diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 60990264fef0..dc51e521bc1d 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -502,6 +502,9 @@ static inline pid_t seccomp_can_sync_threads(void) /* Skip current, since it is initiating the sync. */ if (thread =3D=3D caller) continue; + /* Skip exited threads. */ + if (thread->flags & PF_EXITING) + continue; =20 if (thread->seccomp.mode =3D=3D SECCOMP_MODE_DISABLED || (thread->seccomp.mode =3D=3D SECCOMP_MODE_FILTER && @@ -563,18 +566,21 @@ static void __seccomp_filter_release(struct seccomp_f= ilter *orig) * @tsk: task the filter should be released from. * * This function should only be called when the task is exiting as - * it detaches it from its filter tree. As such, READ_ONCE() and - * barriers are not needed here, as would normally be needed. + * it detaches it from its filter tree. PF_EXITING has to be set + * for the task. */ void seccomp_filter_release(struct task_struct *tsk) { - struct seccomp_filter *orig =3D tsk->seccomp.filter; + struct seccomp_filter *orig; =20 - /* We are effectively holding the siglock by not having any sighand. */ - WARN_ON(tsk->sighand !=3D NULL); + if (WARN_ON((tsk->flags & PF_EXITING) =3D=3D 0)) + return; =20 + spin_lock_irq(&tsk->sighand->siglock); + orig =3D tsk->seccomp.filter; /* Detach task from its filter tree. */ tsk->seccomp.filter =3D NULL; + spin_unlock_irq(&tsk->sighand->siglock); __seccomp_filter_release(orig); } =20 @@ -602,6 +608,13 @@ static inline void seccomp_sync_threads(unsigned long = flags) if (thread =3D=3D caller) continue; =20 + /* + * Skip exited threads. seccomp_filter_release could have + * been already called for this task. + */ + if (thread->flags & PF_EXITING) + continue; + /* Get a task reference for the new leaf node. */ get_seccomp_filter(caller); =20 --=20 2.45.2.803.g4e1b14247a-goog From nobody Fri Dec 19 04:59:01 2025 Received: from mail-il1-f201.google.com (mail-il1-f201.google.com [209.85.166.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A654C182DB for ; Fri, 28 Jun 2024 02:10:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.166.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719540622; cv=none; b=aMUA+I2tWKra6wjAekq1Af0jYoux0goW+c0M9eLbuLUusrKLck2ehHj+Ly6vv/BELg+hq9XMKmNXvz1IgIsno3hH22FizyJSg4m5MY7swYqE1hUKTr8SfEcfim91RdwdkWlPYnC1IDApBTO0P5Y0T1lD1maPY5anCqAmsyl9XOw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719540622; c=relaxed/simple; bh=NTB8v1mptXdowZfN1SyzFsAL03+UwPmvXEHLEadFgWY=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=H542k7T6om3w+FAeiHExPNsPFOkhr7LVbZwenx7Ey3lCjIm6NWjYGT+wk5b1EZIB64ObHiqclOf0rGMtKMHGgwmENkk7Oms2ftb0kb7l4Hdc2WvaZBbl6/k+Mq4UfpJSMe50MhTVGvtHpYVxDcL/wbXcvZKBzLI2Qj3L6BhjfTE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--avagin.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=KlwxHoJ/; arc=none smtp.client-ip=209.85.166.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--avagin.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="KlwxHoJ/" Received: by mail-il1-f201.google.com with SMTP id e9e14a558f8ab-376282b0e2bso1888025ab.1 for ; Thu, 27 Jun 2024 19:10:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1719540620; x=1720145420; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=FRvuIq7O+LkudhOSygi6ppC8FZ2ycfIcb8xGEgTwFqM=; b=KlwxHoJ/WHC61/mdNfNhDk2Kk7VUDosdaqAmTrg+kZh4DFSfyyah5U+VqOja5nim+A 2y4uxRiDn9/VCjHr1vgCMMGAVQBjq62uHpdX4N50ieNcJqt7bB0dEY0n2RVVfDQzTZeL t6N2wIe86zxUrDdGyG4BdZ5dKiMW0IpnyLkQJToimZvMzriPhEVWf7QcUG54vI1F8wiZ IcY6Q4dCw3p468oN0RjUNXuZqy2U9OwPfz2qUj2tlAR33h/FppSfTbiVYHp72C6eev6G r+Jlg+wbJHegeEke0CzhQFbtz0QR1FjmnfisYYIevoE4pNmCR7hFhQ+qdpBdviMWxtnZ cB3Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719540620; x=1720145420; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=FRvuIq7O+LkudhOSygi6ppC8FZ2ycfIcb8xGEgTwFqM=; b=XzvrS3nSF60f+TnHR1RzzPbH/hse4YyXdmDvX+MeJ8PznQHgU+87KGlMYsJ91nkqb6 bEBfMYHmw1cULkWM/f9FegxvZd/tFShKSk/5vd61kEDMOxjp6Nv77zliYOoGs3nYppjd eXSqL+NryiiztOSUFQSzDLWa3wqD9jN6UClVKlZSfNQBaKYjfWnY3Fr6s+BqEOwQWtgu cYrfa8m0JfA6NdQEm7NR9P1ap977EDlki9jLMyv/y5W7pPJRYOMRxG+DxHMkeq3/EOFV lXQ914ryK5ZFAuCu5Qjf4jav+Ka09hQ9l/W/1pFjHWF2SeVlKIqELOC9GE+aMFB7mQZD yxBg== X-Gm-Message-State: AOJu0Yz4G9YoE13QViTHDZkhyEnsutnE7h6DgaMnGkTJ/x0Lbz2EKx2W N/JfICovPEI4au3IPqAcL9QopSxnVfvO16VsR2j0AnG4AkOYP7zfPc8+woKBcH1auH0F2W+7bwv UOw== X-Google-Smtp-Source: AGHT+IEK8XeMsZ5PeqOyB+VsJflLL5d+I2ytQoXmhvG71Iow5Q8w2shKEM1miFtDbjDVDn1oIwhVSEbhBMo= X-Received: from avagin.c.googlers.com ([fda3:e722:ac3:cc00:2b:ff92:c0a8:b84]) (user=avagin job=sendgmr) by 2002:a05:6e02:20e8:b0:379:2f26:c50a with SMTP id e9e14a558f8ab-3792f26c73bmr3764075ab.4.1719540619980; Thu, 27 Jun 2024 19:10:19 -0700 (PDT) Date: Fri, 28 Jun 2024 02:10:13 +0000 In-Reply-To: <20240628021014.231976-1-avagin@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240628021014.231976-1-avagin@google.com> X-Mailer: git-send-email 2.45.2.803.g4e1b14247a-goog Message-ID: <20240628021014.231976-4-avagin@google.com> Subject: [PATCH 3/4] selftests/seccomp: add test for NOTIF_RECV and unused filters From: Andrei Vagin To: Kees Cook Cc: linux-kernel@vger.kernel.org, Tycho Andersen , Andy Lutomirski , Will Drewry , Oleg Nesterov , Christian Brauner , Andrei Vagin Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add a new test case to check that SECCOMP_IOCTL_NOTIF_RECV returns when all tasks have gone. Signed-off-by: Andrei Vagin Reviewed-by: Tycho Andersen --- tools/testing/selftests/seccomp/seccomp_bpf.c | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/= selftests/seccomp/seccomp_bpf.c index 783ebce8c4de..390781d7c951 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -3954,6 +3954,60 @@ TEST(user_notification_filter_empty) EXPECT_GT((pollfd.revents & POLLHUP) ?: 0, 0); } =20 +TEST(user_ioctl_notification_filter_empty) +{ + pid_t pid; + long ret; + int status, p[2]; + struct __clone_args args =3D { + .flags =3D CLONE_FILES, + .exit_signal =3D SIGCHLD, + }; + struct seccomp_notif req =3D {}; + + ret =3D prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret) { + TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!"); + } + + if (__NR_clone3 < 0) + SKIP(return, "Test not built with clone3 support"); + + ASSERT_EQ(0, pipe(p)); + + pid =3D sys_clone3(&args, sizeof(args)); + ASSERT_GE(pid, 0); + + if (pid =3D=3D 0) { + int listener; + + listener =3D user_notif_syscall(__NR_mknodat, SECCOMP_FILTER_FLAG_NEW_LI= STENER); + if (listener < 0) + _exit(EXIT_FAILURE); + + if (dup2(listener, 200) !=3D 200) + _exit(EXIT_FAILURE); + close(p[1]); + close(listener); + sleep(1); + + _exit(EXIT_SUCCESS); + } + if (read(p[0], &status, 1) !=3D 0) + _exit(EXIT_SUCCESS); + close(p[0]); + /* + * The seccomp filter has become unused so we should be notified once + * the kernel gets around to cleaning up task struct. + */ + EXPECT_EQ(ioctl(200, SECCOMP_IOCTL_NOTIF_RECV, &req), -1); + EXPECT_EQ(errno, ENOENT); + + EXPECT_EQ(waitpid(pid, &status, 0), pid); + EXPECT_EQ(true, WIFEXITED(status)); + EXPECT_EQ(0, WEXITSTATUS(status)); +} + static void *do_thread(void *data) { return NULL; --=20 2.45.2.803.g4e1b14247a-goog From nobody Fri Dec 19 04:59:01 2025 Received: from mail-yb1-f201.google.com (mail-yb1-f201.google.com [209.85.219.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6CA4B1DFFB for ; Fri, 28 Jun 2024 02:10:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719540623; cv=none; b=A4gZLf9E7IZNWagIECSTua+dhMgrBBdOdRj9ItEkVnJBTbwYh5mffxMfJbReO6Yq1OxcQYFQXjofElgc3zlWL7u3WlQZ0/SebImm+rV3GqsyDlkinKnHRsElsf6kMxcUW7RwpdhkL30ptRDKaabCoKCyHNDWMjpNgqmCUFB5j4I= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719540623; c=relaxed/simple; bh=WENDZcP8N/LxqpPFeFbXSpD17nZKdUoSCPD3rZP7z/4=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=KWRgKlVIvJcFNuTamaezFtswx8RoOZh7F04Q2K0HU8tx+HyZE2pBYmh5wIM3Ny55J4lSJv2Wp5XTpy1bcgDGJEBefOOyFgQoLCeNT9RLCHG6gTJcUMFlIvwwtUi1Llj/UV/aJSFes8rnRcundbie8gFXw7IRW4cmIRNsWyG3yR4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--avagin.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=vjNU8hNj; arc=none smtp.client-ip=209.85.219.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--avagin.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="vjNU8hNj" Received: by mail-yb1-f201.google.com with SMTP id 3f1490d57ef6-dfa73db88dcso209172276.0 for ; Thu, 27 Jun 2024 19:10:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1719540621; x=1720145421; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=3+q5Yudne0apm40w9a/NrughomiVS9st32ZmfN+LWk8=; b=vjNU8hNjRTIwBKueXomX94VOHx4bjgLlIvCCksTjU3bVDxvmSRQ8qQ7gzMorhv+RtP ZETTW1ShQbRmh+m1UY+qA5KPEaBn2Oqc+Nw3B4wVOF6wgs9U6P+LbQPOYIcsi3I8trui 8v78Yvv957SN6F65+/UM0K6OELJAdK1pFOD/rbhGVOHVDhs3WU3iFTskNnn6/d+5R5oQ RmZWpXF5124ie9T6fUftfUkWBw+XNjc0lQqc3xzewXsPyf63uZI5vkj7HTYmAm5s+1H5 HGH6E75feblxasGbq9JAwW4Ia64IplknPk+7Mlqjxb8RnISf4wz5Uf14lRU46gx16dtU HNlw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719540621; x=1720145421; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=3+q5Yudne0apm40w9a/NrughomiVS9st32ZmfN+LWk8=; b=RCZzG4gRxha5nGDHbz+i54kKlRGBRCtn5LA6r0WkIN3MecWVg7yYi+Q24eoQkeopf3 rbKhIQG0psHqzN/fLlPu7Tp2rLdsQMO7EZKTA41w+CLlxkLonf0k0TZsptlC2e0pWsyq cGjvHuUEG3nERd6mJswgXQT2I4Ek4ZHjzHiliJDrjzQAV/rEks0rLCID3wEpjp2aW3nB gvKkV2jxCUO4lkMxXMACrLViqaKS+2SZ21r0xQG1AsIUZ9Qz2dvuBHbGbqk5+YCm0qYB modHx3znCmsEYR3N7khmVnFkge63Yi8qe8rqNAxB9Wavb9xp2D3EDoi35lCdYVyvb/2j xXSg== X-Gm-Message-State: AOJu0YyJCjwprqjEeV0s5kAUtqDzzddDZgrQvFBn7aXdJ6PGhQ8uDNcq 2H7FKstR9j+LCg7cLQWExQlYaJjayB1ES4vEUIOa0SSckRlFtnkQYDn1VTrV3IM5yDB51nIPThr XUA== X-Google-Smtp-Source: AGHT+IFeZp+OKnBr03iY/sVg8Bm8WE9n5a0TRPt0/ahgfiqmGEwYv7yfgX7jncSzfInGJlJsU77XXD1DtRI= X-Received: from avagin.c.googlers.com ([fda3:e722:ac3:cc00:2b:ff92:c0a8:b84]) (user=avagin job=sendgmr) by 2002:a05:6902:120d:b0:dfb:fb2:ebd with SMTP id 3f1490d57ef6-e0303fdc528mr43728276.8.1719540621021; Thu, 27 Jun 2024 19:10:21 -0700 (PDT) Date: Fri, 28 Jun 2024 02:10:14 +0000 In-Reply-To: <20240628021014.231976-1-avagin@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240628021014.231976-1-avagin@google.com> X-Mailer: git-send-email 2.45.2.803.g4e1b14247a-goog Message-ID: <20240628021014.231976-5-avagin@google.com> Subject: [PATCH 4/4] selftests/seccomp: check that a zombie leader doesn't affect others From: Andrei Vagin To: Kees Cook Cc: linux-kernel@vger.kernel.org, Tycho Andersen , Andy Lutomirski , Will Drewry , Oleg Nesterov , Christian Brauner , Andrei Vagin Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Ensure that a dead thread leader doesn't prevent installing new filters with SECCOMP_FILTER_FLAG_TSYNC from other threads. Signed-off-by: Andrei Vagin Reviewed-by: Tycho Andersen --- tools/testing/selftests/seccomp/seccomp_bpf.c | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/= selftests/seccomp/seccomp_bpf.c index 390781d7c951..e3f97f90d8db 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -4809,6 +4809,83 @@ TEST(user_notification_wait_killable_fatal) EXPECT_EQ(SIGTERM, WTERMSIG(status)); } =20 +struct tsync_vs_thread_leader_args { + pthread_t leader; +}; + +static void *tsync_vs_dead_thread_leader_sibling(void *_args) +{ + struct sock_filter allow_filter[] =3D { + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog allow_prog =3D { + .len =3D (unsigned short)ARRAY_SIZE(allow_filter), + .filter =3D allow_filter, + }; + struct tsync_vs_thread_leader_args *args =3D _args; + void *retval; + long ret; + + ret =3D pthread_join(args->leader, &retval); + if (ret) + exit(1); + if (retval !=3D _args) + exit(2); + ret =3D seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, &allo= w_prog); + if (ret) + exit(3); + + exit(0); +} + +/* + * Ensure that a dead thread leader doesn't prevent installing new filters= with + * SECCOMP_FILTER_FLAG_TSYNC from other threads. + */ +TEST(tsync_vs_dead_thread_leader) +{ + int status; + pid_t pid; + long ret; + + ret =3D prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret) { + TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!"); + } + + pid =3D fork(); + ASSERT_GE(pid, 0); + + if (pid =3D=3D 0) { + struct sock_filter allow_filter[] =3D { + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog allow_prog =3D { + .len =3D (unsigned short)ARRAY_SIZE(allow_filter), + .filter =3D allow_filter, + }; + struct tsync_vs_thread_leader_args *args; + pthread_t sibling; + + args =3D malloc(sizeof(*args)); + ASSERT_NE(NULL, args); + args->leader =3D pthread_self(); + + ret =3D pthread_create(&sibling, NULL, + tsync_vs_dead_thread_leader_sibling, args); + ASSERT_EQ(0, ret); + + /* Install a new filter just to the leader thread. */ + ret =3D seccomp(SECCOMP_SET_MODE_FILTER, 0, &allow_prog); + ASSERT_EQ(0, ret); + pthread_exit(args); + exit(1); + } + + EXPECT_EQ(pid, waitpid(pid, &status, 0)); + EXPECT_EQ(0, status); +} + /* * TODO: * - expand NNP testing --=20 2.45.2.803.g4e1b14247a-goog