Linux-Fsdevel Archive on lore.kernel.org
help / color / mirror / Atom feed
* [PATCH v7 0/9] Add seccomp notifier ioctl that enables adding fds
@ 2020-07-09 18:26 Kees Cook
  2020-07-09 18:26 ` [PATCH v7 1/9] net/compat: Add missing sock updates for SCM_RIGHTS Kees Cook
                   ` (8 more replies)
  0 siblings, 9 replies; 19+ messages in thread
From: Kees Cook @ 2020-07-09 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Kees Cook, Sargun Dhillon, Christian Brauner, Tycho Andersen,
	David Laight, Christoph Hellwig, David S. Miller, Jakub Kicinski,
	Alexander Viro, Aleksa Sarai, Matt Denton, Jann Horn,
	Chris Palmer, Robert Sesek, Giuseppe Scrivano,
	Greg Kroah-Hartman, Andy Lutomirski, Will Drewry, Shuah Khan,
	netdev, containers, linux-api, linux-fsdevel, linux-kselftest

Hello!

v7:
- break out sock usage counting fixes into more cleanly backportable pieces
- code style cleanups (christian)
- clarify addfd commit log (christian)
- add ..._SIZE_{VER0,LATEST} and BUILD_BUG_ON()s (christian)
- remove undef (christian)
- fix addfd embedded URL reference numbers
v6: https://lore.kernel.org/lkml/20200706201720.3482959-1-keescook@chromium.org/

This continues the thread-merge between [1] and [2]. tl;dr: add a way for
a seccomp user_notif process manager to inject files into the managed
process in order to handle emulation of various fd-returning syscalls
across security boundaries. Containers folks and Chrome are in need
of the feature, and investigating this solution uncovered (and fixed)
implementation issues with existing file sending routines.

I intend to carry this in the for-next/seccomp tree, unless someone
has objections. :) Please review and test!

-Kees

[1] https://lore.kernel.org/lkml/20200603011044.7972-1-sargun@sargun.me/
[2] https://lore.kernel.org/lkml/20200610045214.1175600-1-keescook@chromium.org/


Kees Cook (7):
  net/compat: Add missing sock updates for SCM_RIGHTS
  pidfd: Add missing sock updates for pidfd_getfd()
  net/scm: Regularize compat handling of scm_detach_fds()
  fs: Move __scm_install_fd() to __receive_fd()
  fs: Add receive_fd() wrapper for __receive_fd()
  pidfd: Replace open-coded receive_fd()
  fs: Expand __receive_fd() to accept existing fd

Sargun Dhillon (2):
  seccomp: Introduce addfd ioctl to seccomp user notifier
  selftests/seccomp: Test SECCOMP_IOCTL_NOTIF_ADDFD

 fs/file.c                                     |  57 +++++
 include/linux/file.h                          |  19 ++
 include/linux/seccomp.h                       |   4 +
 include/net/sock.h                            |   4 +
 include/uapi/linux/seccomp.h                  |  22 ++
 kernel/pid.c                                  |  14 +-
 kernel/seccomp.c                              | 173 ++++++++++++-
 net/compat.c                                  |  55 ++---
 net/core/scm.c                                |  50 +---
 net/core/sock.c                               |  21 ++
 tools/testing/selftests/seccomp/seccomp_bpf.c | 229 ++++++++++++++++++
 11 files changed, 566 insertions(+), 82 deletions(-)

-- 
2.25.1


^ permalink raw reply	[flat|nested] 19+ messages in thread

end of thread, other threads:[~2020-08-08  7:18 UTC | newest]

Thread overview: 19+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-09 18:26 [PATCH v7 0/9] Add seccomp notifier ioctl that enables adding fds Kees Cook
2020-07-09 18:26 ` [PATCH v7 1/9] net/compat: Add missing sock updates for SCM_RIGHTS Kees Cook
2020-07-10 11:28   ` Christian Brauner
2020-07-09 18:26 ` [PATCH v7 2/9] pidfd: Add missing sock updates for pidfd_getfd() Kees Cook
2020-07-09 20:00   ` Jann Horn
2020-07-09 21:17     ` Kees Cook
2020-07-09 22:35     ` Kees Cook
2020-07-09 18:26 ` [PATCH v7 3/9] net/scm: Regularize compat handling of scm_detach_fds() Kees Cook
2020-08-07 20:29   ` John Stultz
2020-08-07 22:18     ` Kees Cook
2020-08-08  0:02       ` John Stultz
2020-08-08  7:17         ` Kees Cook
2020-07-09 18:26 ` [PATCH v7 4/9] fs: Move __scm_install_fd() to __receive_fd() Kees Cook
2020-07-09 18:26 ` [PATCH v7 5/9] fs: Add receive_fd() wrapper for __receive_fd() Kees Cook
2020-07-09 18:26 ` [PATCH v7 6/9] pidfd: Replace open-coded receive_fd() Kees Cook
2020-07-09 18:26 ` [PATCH v7 7/9] fs: Expand __receive_fd() to accept existing fd Kees Cook
2020-07-09 18:26 ` [PATCH v7 8/9] seccomp: Introduce addfd ioctl to seccomp user notifier Kees Cook
2020-07-14 18:20   ` Will Drewry
2020-07-09 18:26 ` [PATCH v7 9/9] selftests/seccomp: Test SECCOMP_IOCTL_NOTIF_ADDFD Kees Cook

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).