-
Notifications
You must be signed in to change notification settings - Fork 177
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFE: user notification #147
Conversation
Thanks @tych0, although without looking at any of the code, it appears as though you are failing the Travis tests, can you look into that? |
Looks like it's failing because the Travis kernels don't have this feature
yet. I guess there's some feature check/skip mechanism in the test suite
for this?
…On Tue, Mar 19, 2019, 1:36 PM Paul Moore ***@***.***> wrote:
Thanks @tych0 <https://github.com/tych0>, although without looking at any
of the code, it appears as though you are failing the Travis tests, can you
look into that?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#147 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAv61xf7aDoXpT_E-q0-Uozs5znS8Z5Qks5vYTxEgaJpZM4b8kQU>
.
|
902c493
to
7f36c76
Compare
I'm confused, /home/travis/build/seccomp/libseccomp/src/.libs/libseccomp_la-arch-mips64-syscalls.gcda:cannot open data file, assuming not executed /home/travis/build/seccomp/libseccomp/src/.libs/libseccomp_la-arch-parisc64.gcno:no functions found ? I don't really know how the coverage stuff works. |
7f36c76
to
a0c6ae5
Compare
Sorry for the delay, between the day job and the kernel development window opening, it's been a busy week.
Yes, libseccomp has the concept of "API levels" which determine what is supported. Normally these are determined automatically at runtime, but you can force a particular level if desired. See The live test types allow you to specify a minimum API level required for them to run (you can see your current level with tools/scmp_api_level), see tests/47-live-kill_process.tests for an example.
It should "just work" from a Travis perspective. There are some makefile targets for doing it locally via gcov/lcov, but that is currently broken with current gcc, although they are "working on it". Let's not worry about the coverage too much right now, let's get the tests working first, that's most important. |
tests/50-user-notification.tests
Outdated
test type: live | ||
|
||
# Testname API Result | ||
50-user-notification 5 ZERO |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a nit, but as a convention, the "live" tests follow the naming format of "-live-<test_name>" where <test_name> uses underscores not hyphens.
Yeah, I figured out the live stuff today, I think all that should be working now. |
I'm currently working my way through these patches, but one nitpick that doesn't lend itself well to the GitHub review mechanism: please make sure the patches have some some of subject prefix (similar to how we do things in kernel land). For example, I would rather "add API support for the SPEC_ALLOW flag" be "api: add support for the SPEC_ALLOW flag". You could probably add an "api:" prefix to the main user notification patch too. |
* SECCOMP_RET_USER_NOTIF was added in kernel 5.0. It will not be defined on | ||
* older kernels. This version also added the structures below, so let's define | ||
* those if the header doesn't have this definiton. | ||
*/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We generally don't include commentary like this in the libseccomp header file :)
I think it's both appropriate and a good idea to add a one-liner about user notification first appearing in Linux v5.0 but I would leave it at that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I probably wasn't clear enough about this previously, but this is what I was thinking for a comment:
/* User notification bits was added in Linux v5.0 */
I would also include a brief explanation of the user notification feature in the commit description so we have some info in the git log about how this is expected to work. |
src/api.c
Outdated
*req = malloc(sizes.seccomp_notif); | ||
if (!*req) | ||
return -ENOMEM; | ||
memset(*req, 0, sizes.seccomp_notif); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We define a malloc
wrapper named zmalloc
in src/helper.c
which does the allocation/zero'ing for you; please use that instead.
src/api.c
Outdated
free(req); | ||
return -ENOMEM; | ||
} | ||
memset(*resp, 0, sizes.seccomp_notif_resp); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as above.
src/api.c
Outdated
@@ -537,3 +551,64 @@ API int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd) | |||
|
|||
return 0; | |||
} | |||
|
|||
/* NOTE - function header comment in include/seccomp.h */ | |||
int seccomp_alloc_notifications(struct seccomp_notif **req, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should probably be prefaced with "API" to ensure the visibility is set correctly.
src/api.c
Outdated
static struct seccomp_notif_sizes sizes = {}; | ||
|
||
if (sizes.seccomp_notif == 0) { | ||
int ret = syscall(__NR_seccomp, SECCOMP_GET_NOTIF_SIZES, 0, &sizes); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should probably be moved to a function in src/system.c
and it should make use of _support_seccomp_syscall
and sys_chk_seccomp_syscall()
to see if it safe/possible to use the seccomp()
syscall.
src/api.c
Outdated
return -1; | ||
} | ||
|
||
*req = malloc(sizes.seccomp_notif); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See previous malloc()
comments.
src/api.c
Outdated
return -ENOMEM; | ||
memset(*req, 0, sizes.seccomp_notif); | ||
|
||
*resp = malloc(sizes.seccomp_notif_resp); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another one. I'm going to stop pointing these out and just assume you'll change them all :)
src/api.c
Outdated
int seccomp_alloc_notifications(struct seccomp_notif **req, | ||
struct seccomp_notif_resp **resp) | ||
{ | ||
static struct seccomp_notif_sizes sizes = {}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This information should probably live in src/system.c
. See the other comments in this function.
src/python/libseccomp.pxd
Outdated
@@ -59,6 +59,7 @@ cdef extern from "seccomp.h": | |||
SCMP_FLTATR_API_TSKIP | |||
SCMP_FLTATR_CTL_LOG | |||
SCMP_FLTATR_SPEC_ALLOW | |||
SCMP_FITATR_NEW_LISTENER |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"_FLTATR_" not "_FITATR_"
tests/13-basic-attrs.c
Outdated
@@ -123,6 +123,20 @@ int main(int argc, char *argv[]) | |||
goto out; | |||
} | |||
|
|||
expected = 1; | |||
rc = seccomp_attr_set(ctx, SCMP_FLTATR_NEW_LISTENER, expected); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See my previous comments about this test as well as the missing Python equivalent.
test type: live | ||
|
||
# Testname API Result | ||
50-live-user_notification 5 USER_NOTIF |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since you need to respin this patch anyway, you might as well rebase to the current master branch and resolve the test number conflict (we now have a test 50).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You also should have a Python version of this test.
include/seccomp.h.in
Outdated
* loaded. This is only valid after seccomp_load() with | ||
* SCMP_FLTATR_NEW_LISTENER set. | ||
*/ | ||
int seccomp_notif_get_fd(const scmp_filter_ctx ctx); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we just call this seccomp_notif_fd(...)
? Or do you see us needing to get/put the FD for some reason in the future?
There were a few carryover items that needed to be addressed, and a few new things, but overall I think you're pretty close. I think the biggest thing is you need to provide proper Python tests (and run them), as there was one typo in the Python bindings that would have been caught. There is also the issue of documenting the API and data types in a manpage. If they are documented elsewhere, that's fine, but we need to reference it in the libseccomp specific manpages. |
One more thing, since the first patch was pretty straight forward, and could stand alone, I went ahead and merged that just now via e7c97e3. Feel free to drop that from future respins. |
*/ | ||
int seccomp_notif_alloc(struct seccomp_notif **req, | ||
struct seccomp_notif_resp **resp); | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All of these new APIs need to be documented in one or more manpages.
@@ -66,6 +67,7 @@ enum scmp_filter_attr { | |||
SCMP_FLTATR_API_TSKIP = 5, /**< allow rules with a -1 syscall */ | |||
SCMP_FLTATR_CTL_LOG = 6, /**< log not-allowed actions */ | |||
SCMP_FLTATR_SPEC_ALLOW = 7, /**< disable SSB mitigation */ | |||
SCMP_FLTATR_NEW_LISTENER = 8, /**< returns a listener fd */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See my previous comment regarding attribute names (my apologies once again). Similar to the last one, this should probably be SCMP_FLTATR_CTL_<blah>
.
On Thu, Apr 18, 2019 at 06:35:59PM -0700, Paul Moore wrote:
pcmoore commented on this pull request.
> @@ -336,6 +342,48 @@ struct scmp_arg_cmp {
*/
#define SCMP_ACT_ALLOW 0x7fff0000U
+/*
+ * User notification bits. It's a little unfortunate that we don't export
+ * system.h, so we end up having to define all these structures again.
+ * SECCOMP_RET_USER_NOTIF was added in kernel 5.0. It will not be defined on
+ * older kernels. This version also added the structures below, so let's define
+ * those if the header doesn't have this definiton.
+ */
I probably wasn't clear enough about this previously, but this is what I was thinking for a comment:
```
/* User notification bits was added in Linux v5.0 */
```
No, you were, it's just that this is copypasta and I only deleted it
from one place.
|
685a510
to
1ad98b2
Compare
On Thu, Apr 18, 2019 at 04:02:31PM -0700, Paul Moore wrote:
pcmoore commented on this pull request.
> @@ -108,6 +108,21 @@ int main(int argc, char *argv[])
goto out;
}
+
+ expected = 1;
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_SPEC_ALLOW, expected);
+ if (rc == -EOPNOTSUPP)
+ expected = 0;
Since you are forcing the API level to "4" above, this should always be supported regardless of the underlying host kernel. You should be able to just copy/paste the checks used for the other attributes (the "expected" stuff shouldn't be needed).
That doesn't work.
seccomp_attr_set() -> db_col_attr_set() -> sys_chk_seccomp_flag() ->
checks the actual flag.
We could switch the implementation of db_col_attr_set() if you want,
but then it wouldn't match the other ones.
Tycho
|
If you look at |
On Tue, Apr 23, 2019 at 01:29:35PM -0700, Paul Moore wrote:
> That doesn't work. seccomp_attr_set() -> db_col_attr_set() -> sys_chk_seccomp_flag() -> checks the actual flag. We could switch the implementation of db_col_attr_set() if you want, but then it wouldn't match the other ones.
If you look at `sys_chk_seccomp_flag(...)` you'll notice that it checks the `_support_*` variable associated with the flag before calling into `_sys_chk_seccomp_flag_kernel(...)`. It does this to solve exactly the problem you are describing.
Hmm, I must have misread this morning. In any case, it still fails for
me without this, so something else is being picky.
|
If you end up getting stuck, let me know. |
1ad98b2
to
54d995b
Compare
@tych0 I see there are updates to the PR and wanted to check to see if you are ready for us to review them again, or are they still a work in progress? Either approach is fine, I just want to make sure we aren't holding you up. |
On Thu, Apr 25, 2019 at 05:20:00PM +0000, Paul Moore wrote:
@tych0 I see there are updates to the PR and wanted to check to see if you are ready for us to review them again, or are they still a work in progress? Either approach is fine, I just want to make sure we aren't holding you up.
I think everything should be addressed except for the man pages, which
I only have about half done because I can only write so much troff at
a time :). Feel free to take a look if you want, just note that the
man pages are absent.
|
I'm out of the office Friday and Monday, but I can look them over on Tuesday. |
On Thu, Apr 25, 2019 at 12:39:03PM -0700, Tom Hromatka wrote:
I'm out of the office Friday and Monday, but I can look them over on Tuesday.
Cool, thanks. I just pushed the man pages too, so I think it's
probably pretty close at this point.
|
Me too. I love projects that have manpages, but I hate writing them :) FWIW, we do have an issue open (#83) to look into alternate source formats for our manpages to make life easier. |
I think something may be wrong @tych0 - it doesn't look like I'm seeing all of your updates. As an example, I know you were working on adding the Python tests, but I'm not seeing any additions/changes to the Python tests in this PR. ??? |
4b2e26a
to
258505c
Compare
Signed-off-by: Tycho Andersen <[email protected]>
Kernel 5.0 includes the new user notification return code. Here's all the infrastructure to handle that. The idea behind the user notification return code is that the filter stops the syscall, and forwards it to a "listener fd" that is created when installing a filter. Then then some userspace task can listen and process events accordingly by taking some (or no) action in userspace, and then returning a value from the command. Signed-off-by: Tycho Andersen <[email protected]>
Here's some basic documentation for the seccomp_notif_* family of functions. I put them all on the same page because that seems to make the most sense; they'll all be used together. Signed-off-by: Tycho Andersen <[email protected]>
I happened to be in the same room as @tych0 this week, so I offered to pick up this patch to add the missing bits so he could focus on other things. I'm going to close this PR as a result, in favor of a new PR with the updated patches in just a moment. |
Here's the user-notification infrastructure, and a test to make sure it really works :)