From: Mathieu Desnoyers
To: Florian Weimer
Cc: carlos, Joseph Myers, Szabolcs Nagy, libc-alpha
Date: Thu, 30 Apr 2020 15:59:05 -0400 (EDT)
Message-ID: <1916849841.78543.1588276745582.JavaMail.zimbra@efficios.com>
In-Reply-To: <625724399.78482.1588276415331.JavaMail.zimbra@efficios.com>
Subject: Re: [RFC PATCH glibc 1/3]
 glibc: Perform rseq(2) registration at C startup and thread creation (v18)

----- On Apr 30, 2020, at 3:53 PM, Mathieu Desnoyers mathieu.desnoyers@efficios.com wrote:

> ----- On Apr 30, 2020, at 3:39 PM, Mathieu Desnoyers
> mathieu.desnoyers@efficios.com wrote:
>
>> ----- On Apr 30, 2020, at 1:46 PM, Florian Weimer fweimer@redhat.com wrote:
>>
>>> * Mathieu Desnoyers:
>>>
>>>> ----- On Apr 30, 2020, at 1:07 PM, Florian Weimer fweimer@redhat.com wrote:
>>>> [...]
>>>>> __libc_fatal does not attribute the error to glibc, so I suggest to
>>>>> start the error messages with “glibc fatal error: ”, so that people know
>>>>> where to look.
>>>>
>>>> OK. Is there a strict requirement on limiting to 80 columns for code
>>>> including an error message string in glibc? IOW:
>>>>
>>>>   if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>>>>     __libc_fatal ("glibc fatal error: rseq already initialized for this thread\n");
>>>>
>>>> or
>>>>
>>>>   if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>>>>     __libc_fatal ("glibc fatal error: "
>>>>                   "rseq already initialized for this thread\n");
>>>>
>>>> ?
>>>
>>> The latter, please.  Some code also uses
>>>
>>>   if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>>>     __libc_fatal ("\
>>> glibc fatal error: rseq already initialized for this thread\n");
>>>
>>> But that's not really my preference.
>>>
>>> (Trimmed the Cc: list a bit, we are really down to glibc specifics at
>>> this point.)
>>
>> One last question with respect to handling of rseq errno values. We currently
>> have (based on my own rseq(2) man page, not upstream yet):
>>
>> ERRORS
>>        EINVAL Either flags contains an invalid value, or rseq contains an
>>               address which is not appropriately aligned, or rseq_len
>>               contains a size that does not match the size received on
>>               registration.
>>
>>        ENOSYS The rseq() system call is not implemented by this kernel.
>>
>>        EFAULT rseq is an invalid address.
>>
>>        EBUSY  Restartable sequence is already registered for this thread.
>>
>>        EPERM  The sig argument on unregistration does not match the
>>               signature received on registration.
>>
>> So with the current suggestions, we basically treat "EBUSY" as a __libc_fatal (),
>> which is fine, and all other errno values (EINVAL, ENOSYS, EFAULT, EPERM) as
>> conditions which will just disable rseq for the thread by marking cpu_id as
>> RSEQ_CPU_ID_REGISTRATION_FAILED.
>>
>> I'm hesitant to treat "EINVAL" and "EFAULT" in this way, as those errno should
>> IMHO really abort libc as well with an appropriate __libc_fatal () message,
>> because something is clearly going wrong and we don't want to hide it under
>> the carpet by just disabling rseq support silently.
>>
>> Also, I personally consider that adding an additional errno value
>> to an existing system call for a given set of supported system call
>> parameters is an ABI breakage, but I _know_ the Linux kernel community
>> as a whole does not feel that way, and they are known to have pretty much
>> silently added additional errno values to existing system calls as long
>> as nobody complains.
>>
>> Considering this, I wonder if we should be strict and e.g. do:
>>
>>   const char *msg = NULL;
>>
>>   switch (INTERNAL_SYSCALL_ERRNO (ret))
>>     {
>>     case ENOSYS:
>>     case EPERM:
>>       /* rseq system call is unavailable or not permitted.  */
>>       __rseq_abi.cpu_id = RSEQ_CPU_ID_REGISTRATION_FAILED;
>>       break;
>>     case EBUSY:
>>       msg = "glibc fatal error: rseq already registered for this thread\n";
>>       break;
>>     case EINVAL:
>>       msg = "glibc fatal error: rseq parameters are invalid\n";
>>       break;
>>     case EFAULT:
>>       msg = "glibc fatal error: rseq is an invalid address\n";
>>       break;
>>     default:
>>       msg = "glibc fatal error: unexpected rseq errno\n";
>>       break;
>>     }
>>   if (msg)
>>     __libc_fatal (msg);
>>
>> Also considering that __libc_fatal only takes a string as parameter,
>> I wonder if there is a facility to print the errno string I could use
>> instead of __libc_fatal ()?
>
> I also suspect we'd want to handle "EACCES" in a non-fatal way in case
> it is returned by seccomp. The seccomp internals seem to allow a lot of
> freedom in letting the seccomp filters choose the errno number.

I'm actually wondering about "EPERM". Is it sometimes used by seccomp
filters to refuse a system call? Based on the rseq man page, EPERM
should only be returned by rseq unregistration if the signature does
not match.

So I'm tempted to handle EPERM in a fatal way if we can assume seccomp
filters always return EACCES when refusing a system call.

Any input on this would be welcome.

Thanks,

Mathieu

-- 
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com
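The errno policy debated in this message, as an added example that is not glibc's code and not part of the patch under review: a registration helper that separates the decision (run without rseq, or abort) from the abort itself, so the policy can be exercised without a kernel. Assumptions: the layout of struct rseq_abi and the RSEQ_CPU_ID_* values follow <linux/rseq.h>; RSEQ_SIG_DEMO is the x86 signature used by the kernel's rseq selftests and differs on other architectures; EACCES is grouped with ENOSYS and EPERM as a non-fatal outcome, which is the reading Mathieu is weighing above rather than a settled choice; rseq_errno_message, rseq_handle_errno and rseq_register are names chosen for this example.

```c
/* Added example (not glibc code): apply the rseq errno policy discussed
   above at registration time.  struct rseq_abi and the RSEQ_CPU_ID_* values
   follow <linux/rseq.h>; RSEQ_SIG_DEMO is the x86 RSEQ_SIG from the kernel
   selftests (an assumption on other architectures).  */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <unistd.h>
#include <sys/syscall.h>
#endif

#define RSEQ_CPU_ID_UNINITIALIZED       ((uint32_t) -1)
#define RSEQ_CPU_ID_REGISTRATION_FAILED ((uint32_t) -2)
#define RSEQ_SIG_DEMO 0x53053053u   /* x86 value; assumption elsewhere */

/* Same shape as the kernel's struct rseq: 32 bytes, 32-byte aligned.  */
struct rseq_abi
{
  uint32_t cpu_id_start;
  uint32_t cpu_id;
  uint64_t rseq_cs;
  uint32_t flags;
} __attribute__ ((aligned (32)));

enum rseq_outcome { RSEQ_OK, RSEQ_DISABLED, RSEQ_FATAL };

/* Fatal message for ERR, or NULL when ERR only means "run without rseq".
   ENOSYS (no kernel support) and EPERM/EACCES (a seccomp filter refused
   the call) are non-fatal.  EBUSY, EINVAL and EFAULT mean the process is
   already broken, and so does any errno the call is not documented to
   return, so those are reported rather than hidden.  */
const char *
rseq_errno_message (int err)
{
  switch (err)
    {
    case ENOSYS:
    case EPERM:
    case EACCES:
      return NULL;
    case EBUSY:
      return "glibc fatal error: rseq already registered for this thread\n";
    case EINVAL:
      return "glibc fatal error: rseq parameters are invalid\n";
    case EFAULT:
      return "glibc fatal error: rseq is an invalid address\n";
    default:
      return "glibc fatal error: unexpected rseq errno\n";
    }
}

/* Apply the policy to a failed registration.  The abort itself is left to
   the caller (__libc_fatal in glibc), which keeps the decision testable.  */
enum rseq_outcome
rseq_handle_errno (int err, struct rseq_abi *abi, const char **msg)
{
  *msg = rseq_errno_message (err);
  if (*msg != NULL)
    return RSEQ_FATAL;
  abi->cpu_id = RSEQ_CPU_ID_REGISTRATION_FAILED;  /* rseq disabled here */
  return RSEQ_DISABLED;
}

/* Register ABI for the calling thread.  On success the kernel fills in
   cpu_id.  A thread whose cpu_id is no longer UNINITIALIZED has already
   been through registration and must not be registered again.  */
enum rseq_outcome
rseq_register (struct rseq_abi *abi, const char **msg)
{
  *msg = NULL;
  if (abi->cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
    {
      *msg = "glibc fatal error: "
             "rseq already initialized for this thread\n";
      return RSEQ_FATAL;
    }
#if defined (__linux__) && defined (__NR_rseq)
  if (syscall (__NR_rseq, abi, (uint32_t) sizeof *abi, 0, RSEQ_SIG_DEMO) == 0)
    return RSEQ_OK;
  return rseq_handle_errno (errno, abi, msg);
#else
  return rseq_handle_errno (ENOSYS, abi, msg);  /* no rseq on this platform */
#endif
}

int
main (void)
{
  static struct rseq_abi abi = { .cpu_id = RSEQ_CPU_ID_UNINITIALIZED };
  const char *msg;
  switch (rseq_register (&abi, &msg))
    {
    case RSEQ_OK:
      printf ("rseq registered, running on cpu %u\n", abi.cpu_id);
      return 0;
    case RSEQ_DISABLED:
      printf ("rseq unavailable, continuing without it (cpu_id=%d)\n",
              (int) abi.cpu_id);
      return 0;
    default:
      fputs (msg, stderr);  /* glibc would call __libc_fatal (msg) here */
      return 1;
    }
}
```

On glibc 2.35 or later, which registers its own rseq area at startup, the kernel rejects a second registration at a different address and the demo prints a fatal message instead of a CPU number; run it with GLIBC_TUNABLES=glibc.pthread.rseq=0, or on an older glibc, to see the success path, and on a kernel without rseq (or under a seccomp filter that refuses the call) to see the disabled path.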