On Mon, Jun 15, 2020 at 08:25:23PM -0700, Kees Cook wrote:
This patch is based on discussions[1] with Sargun Dhillon, Christian Brauner, and David Laight. Instead of building size into the addfd structure, make it a function of the ioctl command (which is how sizes are normally passed to ioctls). To support forward and backward compatibility, just mask out the direction and size, and match everything. The size (and any future direction) checks are done along with copy_struct_from_user() logic. Also update the selftests to check size bounds.
[1] https://lore.kernel.org/lkml/20200612104629.GA15814@ircssh-2.c.rugged-nimbus...
Signed-off-by: Kees Cook <keescook@chromium.org>

 include/uapi/linux/seccomp.h                  |  2 -
 kernel/seccomp.c                              | 21 ++++++----
 tools/testing/selftests/seccomp/seccomp_bpf.c | 40 ++++++++++++++++---
 3 files changed, 49 insertions(+), 14 deletions(-)
diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h index c347160378e5..473a61695ac3 100644 --- a/include/uapi/linux/seccomp.h +++ b/include/uapi/linux/seccomp.h @@ -118,7 +118,6 @@ struct seccomp_notif_resp { /**
- struct seccomp_notif_addfd
- @size: The size of the seccomp_notif_addfd structure
- @id: The ID of the seccomp notification
- @flags: SECCOMP_ADDFD_FLAG_*
- @srcfd: The local fd number
@@ -126,7 +125,6 @@ struct seccomp_notif_resp {
- @newfd_flags: The O_* flags the remote FD should have applied
*/ struct seccomp_notif_addfd {
- __u64 size;
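Review bot: with the `@size` kerneldoc line and the `- __u64 size;` member both removed, nothing left in this header says where the structure size now lives; since the description moves it into the ioctl command, the ioctl definition in this same header should be shown updated (or the struct comment should say that the size is carried by the command) so readers of the UAPI see the sizeof() coupling. The diffstat lists kernel/seccomp.c and the selftests as touched, so every remaining reference to the `size` member there must be converted in this same commit to keep the tree building at each step, and because deleting a member changes the layout of a UAPI struct, the description should state that `struct seccomp_notif_addfd` has not yet shipped in a release.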
Huh? Won't this break builds?
Tycho
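The size-in-the-command scheme Kees describes above, as an added example that is not part of this thread or of the kernel's code: a userspace C simulation of an ioctl handler that matches on type/nr only (so direction and size bits are ignored), reads the caller's structure size out of the command number, and applies the copy_struct_from_user() contract (older callers get zero-filled new fields, newer callers are accepted only if their extra bytes are all zero). The EX_-prefixed macros re-declare the conventional asm-generic ioctl bit layout so the file builds without kernel headers; `struct ex_addfd`, its hypothetical later-added `ext` field, the `'!'`/3 type and nr values, EX_ADDFD_SIZE_VER0 and the sample request are all constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Conventional asm-generic ioctl number layout (nr:8, type:8, size:14, dir:2),
 * re-declared with an EX_ prefix so the example builds without kernel headers. */
#define EX_NRBITS    8
#define EX_TYPEBITS  8
#define EX_SIZEBITS  14
#define EX_NRSHIFT   0
#define EX_TYPESHIFT (EX_NRSHIFT + EX_NRBITS)
#define EX_SIZESHIFT (EX_TYPESHIFT + EX_TYPEBITS)
#define EX_DIRSHIFT  (EX_SIZESHIFT + EX_SIZEBITS)
#define EX_IOC_WRITE 1u
#define EX_IOC_READ  2u
#define EX_IOC(dir, type, nr, size)                                                  \
    (((unsigned int)(dir) << EX_DIRSHIFT) | ((unsigned int)(type) << EX_TYPESHIFT) | \
     ((unsigned int)(nr) << EX_NRSHIFT) | ((unsigned int)(size) << EX_SIZESHIFT))
#define EX_IOC_SIZE(cmd) (((cmd) >> EX_SIZESHIFT) & ((1u << EX_SIZEBITS) - 1))
/* Keeps only type and nr: comparing under this mask ignores direction and size. */
#define EX_IOC_TYPE_NR_MASK \
    ((((1u << EX_TYPEBITS) - 1) << EX_TYPESHIFT) | (((1u << EX_NRBITS) - 1) << EX_NRSHIFT))

/* Constructed stand-in for a sizeless addfd request struct. `ext` plays the role
 * of a field added in a later version; VER0 is the size of the first layout. */
struct ex_addfd {
    uint64_t id;
    uint32_t flags;
    uint32_t srcfd;
    uint32_t newfd_flags;
    uint32_t ext;
};
#define EX_ADDFD_SIZE_VER0 offsetof(struct ex_addfd, ext)
/* The command encodes the current kernel struct size; type '!' and nr 3 are made up. */
#define EX_ADDFD_CMD EX_IOC(EX_IOC_WRITE, '!', 3, sizeof(struct ex_addfd))

/* Same contract as the kernel's copy_struct_from_user(), with memcpy standing in
 * for copy_from_user(): ksize is the kernel's struct size, usize the caller's. */
static int ex_copy_struct_from_user(void *dst, size_t ksize, const void *src, size_t usize)
{
    size_t size = ksize < usize ? ksize : usize;
    size_t rest = (ksize > usize ? ksize : usize) - size;
    unsigned char *d = dst;
    const unsigned char *s = src;

    if (usize < ksize) {
        memset(d + size, 0, rest);        /* older caller: new fields read as zero */
    } else if (usize > ksize) {
        for (size_t i = 0; i < rest; i++) /* newer caller: unknown bytes must be zero */
            if (s[size + i] != 0)
                return -E2BIG;
    }
    memcpy(d, s, size);
    return 0;
}

/* Dispatcher in the style the patch description gives: match on type/nr, then let
 * the size pulled out of the command drive the compatibility copy. */
int ex_addfd_ioctl(unsigned int cmd, const void *ubuf, size_t ubuf_len, struct ex_addfd *out)
{
    size_t usize;

    if ((cmd & EX_IOC_TYPE_NR_MASK) != (EX_ADDFD_CMD & EX_IOC_TYPE_NR_MASK))
        return -ENOTTY;
    usize = EX_IOC_SIZE(cmd);
    if (usize < EX_ADDFD_SIZE_VER0)   /* never accept less than the first shipped layout */
        return -EINVAL;
    if (usize > ubuf_len)             /* simulated page fault: buffer shorter than claimed */
        return -EFAULT;
    return ex_copy_struct_from_user(out, sizeof(*out), ubuf, usize);
}

/* Constructed request as a current 24-byte caller would send it. */
static const struct ex_addfd ex_sample = { .id = 0x1234, .flags = 0, .srcfd = 7, .newfd_flags = 3, .ext = 0 };

int ex_case_current(struct ex_addfd *out)
{
    return ex_addfd_ioctl(EX_ADDFD_CMD, &ex_sample, sizeof(ex_sample), out);
}

int ex_case_old_userspace(struct ex_addfd *out)   /* caller built against the VER0 layout */
{
    memset(out, 0xff, sizeof(*out));              /* prove that `ext` comes back zeroed */
    return ex_addfd_ioctl(EX_IOC(EX_IOC_WRITE, '!', 3, EX_ADDFD_SIZE_VER0),
                          &ex_sample, EX_ADDFD_SIZE_VER0, out);
}

int ex_case_newer_userspace(struct ex_addfd *out, unsigned char tail_fill)
{
    unsigned char buf[64];                        /* 24 sample bytes + 8 trailing bytes */
    memcpy(buf, &ex_sample, sizeof(ex_sample));
    memset(buf + sizeof(ex_sample), tail_fill, 8);
    return ex_addfd_ioctl(EX_IOC(EX_IOC_WRITE, '!', 3, sizeof(ex_sample) + 8), buf,
                          sizeof(ex_sample) + 8, out);
}

int ex_case_wrong_nr(struct ex_addfd *out)
{
    return ex_addfd_ioctl(EX_IOC(EX_IOC_WRITE, '!', 4, sizeof(*out)), &ex_sample, sizeof(ex_sample), out);
}

int ex_case_other_direction(struct ex_addfd *out) /* direction bits do not affect matching */
{
    return ex_addfd_ioctl(EX_IOC(EX_IOC_READ | EX_IOC_WRITE, '!', 3, sizeof(*out)),
                          &ex_sample, sizeof(ex_sample), out);
}

int ex_case_too_small(struct ex_addfd *out)
{
    return ex_addfd_ioctl(EX_IOC(EX_IOC_WRITE, '!', 3, 8), &ex_sample, 8, out);
}

int main(void)
{
    struct ex_addfd o;
    printf("current=%d old=%d (ext=%u) newer/zero=%d newer/dirty=%d nr=%d dir=%d small=%d\n",
           ex_case_current(&o), ex_case_old_userspace(&o), o.ext,
           ex_case_newer_userspace(&o, 0), ex_case_newer_userspace(&o, 0xaa),
           ex_case_wrong_nr(&o), ex_case_other_direction(&o), ex_case_too_small(&o));
    return 0;
}
```

The point to take from the dirty-tail case is that a newer caller is refused with -E2BIG rather than silently having its unknown fields dropped, while an older caller keeps working because the fields it never knew about arrive zeroed; both behaviours come from the size in the command, not from a member inside the struct.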