From patchwork Tue Nov 24 13:16:45 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Weimer X-Patchwork-Id: 41181 Return-Path: X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 95A5638708C5; Tue, 24 Nov 2020 13:16:54 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 95A5638708C5 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1606223814; bh=N0o6wwndnChjuZCdHmgu0zEDfuRBO9x3h7yXdD6ylpY=; h=To:Subject:Date:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:From; b=h9rxpvwk5INlAma0WUg+Ltpnqy0e9ecw1BxDBZthNCrXa8pYlKJIIZ4fe4vUf7sh+ Cnm4GX+TGB45oPTlyn3gTp62u6f70XwFhQJUnZI1ak/bVDYchvevmCnELImhVPfNkm OUfMLmWJjdn9MCtVgMUawWtIhc8zASZeITuxS5wM= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [63.128.21.124]) by sourceware.org (Postfix) with ESMTP id E4A9C38708B7 for ; Tue, 24 Nov 2020 13:16:51 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org E4A9C38708B7 Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-496-M1noiiAHMdKSSjD_dQD2Ew-1; Tue, 24 Nov 2020 08:16:48 -0500 X-MC-Unique: M1noiiAHMdKSSjD_dQD2Ew-1 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id BCF2380364D for ; Tue, 24 Nov 2020 13:16:47 +0000 (UTC) Received: from oldenburg2.str.redhat.com (ovpn-112-141.ams2.redhat.com [10.36.112.141]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 3AF7119C44 for ; Tue, 24 Nov 2020 13:16:47 +0000 (UTC) To: libc-alpha@sourceware.org Subject: [RFC PATCH] Linux: Add seccomp probing to faccessat2 Date: Tue, 24 Nov 2020 14:16:45 +0100 Message-ID: <87zh3628ua.fsf@oldenburg2.str.redhat.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com X-Spam-Status: No, score=-11.9 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, KAM_NUMSUBJECT, KAM_SHORT, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Florian Weimer via Libc-alpha From: Florian Weimer Reply-To: Florian Weimer Errors-To: libc-alpha-bounces@sourceware.org Sender: "Libc-alpha" Some container runtimes cause faccessat2 to fail unconditionally with EPERM. Since it is conceivable that the real faccessat2 implementation can return EPERM (e.g., triggered by a Linux Security Module), unconditional fallback to the incorrect workaround on EPERM seems wrong. Instead, a probing sequence attempts to figure out whether the error comes from a seccomp filter or the kernel. Related kernel discussion: Fixes commit 3d3ab573a5f3071992cbc4f57d50d1d29d55bde2 ("Linux: Use faccessat2 to implement faccessat (bug 18683)"). This is not a real submission, I just want to show how this would like in glibc. I haven't actually tested it. As I said on the kernel thread, I'd like to see some reluctant support from kernel developers before we go in this direction. --- sysdeps/unix/sysv/linux/faccessat.c | 39 +++++++++++++++++++++++++++++++------ 1 file changed, 33 insertions(+), 6 deletions(-) diff --git a/sysdeps/unix/sysv/linux/faccessat.c b/sysdeps/unix/sysv/linux/faccessat.c index 5d078371b5..e39c046472 100644 --- a/sysdeps/unix/sysv/linux/faccessat.c +++ b/sysdeps/unix/sysv/linux/faccessat.c @@ -17,26 +17,53 @@ . */ #include -#include -#include +#include #include +#include #include +#include +#if !__ASSUME_FACCESSAT2 +/* Used to make sure that an EPERM error came from the kernel and not + a system call filter. */ +static bool +check_for_eperm (int fd, const char *file, int mode, int flag) +{ + int ret = INTERNAL_SYSCALL_CALL (faccessat2, fd, file, mode, flag); + return (INTERNAL_SYSCALL_ERROR_P (ret) + && INTERNAL_SYSCALL_ERRNO (ret) == EPERM); +} +#endif int faccessat (int fd, const char *file, int mode, int flag) { - int ret = INLINE_SYSCALL_CALL (faccessat2, fd, file, mode, flag); #if __ASSUME_FACCESSAT2 - return ret; + return INLINE_SYSCALL_CALL (faccessat2, fd, file, mode, flag); #else - if (ret == 0 || errno != ENOSYS) + /* Prefer the old system call if no flags are specified, to avoid + any complex fallback in that case. */ + if (flag == 0) + return INLINE_SYSCALL (faccessat, 3, fd, file, mode); + + int ret = INLINE_SYSCALL_CALL (faccessat2, fd, file, mode, flag); + if (ret == 0 || (errno != ENOSYS && errno != EPERM)) + return ret; + + /* Workaround for seccomp filters and Linux containers: Check that + the EPERM system call is real by probing for known error + conditions. If either probe does not fail with EPERM, it + suggests that there is no seccomp filter in place, and the + initial EPERM error came from the kernel. */ + if (errno == EPERM + && (!check_for_eperm (-1, "", 0, 0) /* EBADFD expected. */ + || !check_for_eperm (fd, NULL, 0, 0))) /* EFAULT expected. */ return ret; if (flag & ~(AT_SYMLINK_NOFOLLOW | AT_EACCESS)) return INLINE_SYSCALL_ERROR_RETURN_VALUE (EINVAL); - if ((flag == 0 || ((flag & ~AT_EACCESS) == 0 && ! __libc_enable_secure))) + if ((flag & ~AT_EACCESS) == 0 && ! __libc_enable_secure) return INLINE_SYSCALL (faccessat, 3, fd, file, mode); struct stat64 stats;