From: Mathieu Desnoyers via Libc-alpha <libc-alpha@sourceware.org>
To: Florian Weimer
Cc: libc-alpha, Joseph Myers
Date: Thu, 30 Apr 2020 15:59:05 -0400 (EDT)
Subject: Re: [RFC PATCH glibc 1/3] glibc: Perform rseq(2) registration at C startup and thread creation (v18)
Message-ID: <1916849841.78543.1588276745582.JavaMail.zimbra@efficios.com>

----- On Apr 30, 2020, at 3:53 PM, Mathieu Desnoyers mathieu.desnoyers@efficios.com wrote:

> ----- On Apr 30, 2020, at 3:39 PM, Mathieu Desnoyers
> mathieu.desnoyers@efficios.com wrote:
> 
>> ----- On Apr 30, 2020, at 1:46 PM, Florian Weimer fweimer@redhat.com wrote:
>> 
>>> * Mathieu Desnoyers:
>>> 
>>>> ----- On Apr 30, 2020, at 1:07 PM, Florian Weimer fweimer@redhat.com wrote:
>>>> [...]
>>>>> __libc_fatal does not attribute the error to glibc, so I suggest to
>>>>> start the error messages with “glibc fatal error: ”, so that people know
>>>>> where to look.
>>>>
>>>> OK. Is there a strict requirement on limiting to 80 columns for code
>>>> including an error message string in glibc? IOW:
>>>>
>>>>   if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>>>>     __libc_fatal ("glibc fatal error: rseq already initialized for this thread\n");
>>>>
>>>> or
>>>>
>>>>   if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>>>>     __libc_fatal ("glibc fatal error: "
>>>>                   "rseq already initialized for this thread\n");
>>>>
>>>> ?
>>> 
>>> The latter, please. Some code also uses
>>> 
>>>   if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>>>     __libc_fatal ("\
>>> glibc fatal error: rseq already initialized for this thread\n");
>>> 
>>> But that's not really my preference.
>>> 
>>> (Trimmed the Cc: list a bit, we are really down to glibc specifics at
>>> this point.)
>> 
>> One last question with respect to handling of rseq errno values. We currently
>> have (based on my own rseq(2) man page, not upstream yet):
>> 
>> ERRORS
>>        EINVAL Either flags contains an invalid value, or rseq contains an address which
>>               is not appropriately aligned,
>>               or rseq_len contains a size that does not match the size received on
>>               registration.
>> 
>>        ENOSYS The rseq() system call is not implemented by this kernel.
>> 
>>        EFAULT rseq is an invalid address.
>> 
>>        EBUSY  Restartable sequence is already registered for this thread.
>> 
>>        EPERM  The sig argument on unregistration does not match the signature received
>>               on registration.
>> 
>> So with the current suggestions, we basically treat "EBUSY" as a __libc_fatal (),
>> which is fine, and all other errno values (EINVAL, ENOSYS, EFAULT, EPERM) as
>> conditions which will just disable rseq for the thread by marking cpu_id as
>> RSEQ_CPU_ID_REGISTRATION_FAILED.
>> 
>> I'm hesitant to treat "EINVAL" and "EFAULT" in this way, as those errno should IMHO
>> really abort libc as well with an appropriate __libc_fatal () message, because something
>> is clearly going wrong and we don't want to hide it under the carpet by just
>> disabling rseq support silently.
>> 
>> Also, I personally consider that adding an additional errno value
>> to an existing system call for a given set of supported system call
>> parameters is an ABI breakage, but I _know_ the Linux kernel community
>> as a whole does not feel that way, and they are known to have pretty much
>> silently added additional errno values to existing system calls as long
>> as nobody complains.
>> 
>> Considering this, I wonder if we should be strict and e.g. do:
>> 
>>   const char *msg = NULL;
>> 
>>   switch (INTERNAL_SYSCALL_ERRNO (ret))
>>     {
>>     case ENOSYS:
>>     case EPERM:
>>       /* rseq system call is unavailable or not permitted.  */
>>       __rseq_abi.cpu_id = RSEQ_CPU_ID_REGISTRATION_FAILED;
>>       break;
>>     case EINVAL:
>>       msg = "glibc fatal error: rseq parameters are invalid\n";
>>       break;
>>     case EBUSY:
>>       msg = "glibc fatal error: rseq already registered for this thread\n";
>>       break;
>>     case EFAULT:
>>       msg = "glibc fatal error: rseq is an invalid address\n";
>>       break;
>>     default:
>>       msg = "glibc fatal error: unexpected rseq errno\n";
>>       break;
>>     }
>>   if (msg)
>>     __libc_fatal (msg);
>> 
>> Also considering that __libc_fatal only takes a string as parameter,
>> I wonder if there is a facility to print the errno string I could use
>> instead of __libc_fatal ()?
> 
> I also suspect we'd want to handle "EACCES" in a non-fatal way in case
> it is returned by seccomp. The seccomp internals seem to allow a lot of
> freedom in letting the seccomp filters choose the errno number.

I'm actually wondering about "EPERM". Is it sometimes used by seccomp
filters to refuse a system call? Based on the rseq man page, EPERM
should only be returned by rseq unregistration if the signature does
not match. So I'm tempted to handle EPERM in a fatal way if we can
assume seccomp filters always return EACCES when refusing a system call.

Any input on this would be welcome.

Thanks,

Mathieu

-- 
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com
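As an added example (not code from this thread or from glibc), the errno policy sketched above with EACCES folded into the non-fatal group, driven by a constructed fault-injecting stand-in for rseq(2) so every branch can be exercised without a kernel. The simulated struct, the numeric values of the RSEQ_CPU_ID_* constants and the stub names are assumptions made for the example.

```c
#include <errno.h>
#include <string.h>

/* Names follow the thread; the numeric values are assumed for this example. */
#define RSEQ_CPU_ID_UNINITIALIZED (-1)
#define RSEQ_CPU_ID_REGISTRATION_FAILED (-2)

struct rseq_abi_sim { int cpu_id; };        /* only the field the policy touches */
typedef int (*rseq_syscall_fn) (void);      /* stand-in for rseq(2): 0 or -errno */

/* Apply the errno policy from the thread to one registration attempt.  Returns
   NULL if the thread may continue (registered, or rseq disabled), otherwise
   the message that would be handed to __libc_fatal.  */
static const char *
rseq_register_policy (struct rseq_abi_sim *abi, rseq_syscall_fn sys)
{
  int ret = sys ();
  if (ret == 0)
    return NULL;                    /* registered; the kernel owns cpu_id now */
  switch (-ret)
    {
    case ENOSYS:  /* kernel without rseq */
    case EPERM:   /* a seccomp filter picks its own errno, so both EPERM */
    case EACCES:  /* and EACCES are treated as "refused", not as a bug  */
      abi->cpu_id = RSEQ_CPU_ID_REGISTRATION_FAILED;
      return NULL;
    case EBUSY:
      return "glibc fatal error: rseq already registered for this thread\n";
    case EINVAL:
      return "glibc fatal error: rseq parameters are invalid\n";
    case EFAULT:
      return "glibc fatal error: rseq is an invalid address\n";
    default:
      return "glibc fatal error: unexpected rseq errno\n";
    }
}

/* Constructed fault injectors so the policy can run without a kernel.  */
static int sys_ok (void)     { return 0; }
static int sys_enosys (void) { return -ENOSYS; }
static int sys_eacces (void) { return -EACCES; }
static int sys_ebusy (void)  { return -EBUSY; }

/* Run the policy on a fresh thread state: 0 = registered, 1 = disabled, 2 = fatal. */
static int
rseq_outcome (rseq_syscall_fn sys)
{
  struct rseq_abi_sim abi = { RSEQ_CPU_ID_UNINITIALIZED };
  if (rseq_register_policy (&abi, sys) != NULL)
    return 2;
  return abi.cpu_id == RSEQ_CPU_ID_REGISTRATION_FAILED ? 1 : 0;
}
```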