linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Kees Cook <keescook@chromium.org>
To: James Morris <james.l.morris@oracle.com>
Cc: linux-kernel@vger.kernel.org,
	Andy Lutomirski <luto@amacapital.net>,
	Tyler Hicks <tyhicks@canonical.com>,
	linux-security-module@vger.kernel.org
Subject: [GIT PULL] seccomp updates for next
Date: Tue, 15 Aug 2017 15:03:19 -0700	[thread overview]
Message-ID: <20170815220319.GA63342@beast> (raw)

Hi James,

Please pull these seccomp changes for next.

Thanks!

-Kees

The following changes since commit 520eccdfe187591a51ea9ab4c1a024ae4d0f68d9:

  Linux 4.13-rc2 (2017-07-23 16:15:17 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-next

for you to fetch changes up to f3e1821d9e1cc3fb434d7763001791dcd6720c90:

  selftests/seccomp: Test thread vs process killing (2017-08-14 13:46:50 -0700)

----------------------------------------------------------------
Major additions:
- sysctl and seccomp operation to discover available actions. (tyhicks)
- new per-filter configurable logging infrastructure and sysctl. (tyhicks)
- SECCOMP_RET_LOG to log allowed syscalls. (tyhicks)
- SECCOMP_RET_KILL_PROCESS as the new strictest possible action.
- self-tests for new behaviors.

----------------------------------------------------------------
Kees Cook (8):
      selftests/seccomp: Add tests for basic ptrace actions
      selftests/seccomp: Add simple seccomp overhead benchmark
      selftests/seccomp: Refactor RET_ERRNO tests
      seccomp: Provide matching filter for introspection
      seccomp: Rename SECCOMP_RET_KILL to SECCOMP_RET_KILL_THREAD
      seccomp: Introduce SECCOMP_RET_KILL_PROCESS
      seccomp: Implement SECCOMP_RET_KILL_PROCESS action
      selftests/seccomp: Test thread vs process killing

Tyler Hicks (6):
      seccomp: Sysctl to display available actions
      seccomp: Operation for checking if an action is available
      seccomp: Sysctl to configure actions that are allowed to be logged
      seccomp: Selftest for detection of filter flag support
      seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW
      seccomp: Action to log before allowing

 Documentation/networking/filter.txt                |   2 +-
 Documentation/sysctl/kernel.txt                    |   1 +
 Documentation/userspace-api/seccomp_filter.rst     |  52 +-
 include/linux/audit.h                              |   6 +-
 include/linux/seccomp.h                            |   3 +-
 include/uapi/linux/seccomp.h                       |  23 +-
 kernel/seccomp.c                                   | 321 ++++++++++-
 samples/seccomp/bpf-direct.c                       |   4 +-
 samples/seccomp/bpf-helper.h                       |   2 +-
 tools/testing/selftests/seccomp/Makefile           |  18 +-
 .../testing/selftests/seccomp/seccomp_benchmark.c  |  99 ++++
 tools/testing/selftests/seccomp/seccomp_bpf.c      | 610 +++++++++++++++++----
 12 files changed, 1009 insertions(+), 132 deletions(-)
 create mode 100644 tools/testing/selftests/seccomp/seccomp_benchmark.c

-- 
Kees Cook
Pixel Security

             reply	other threads:[~2017-08-15 22:03 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-08-15 22:03 Kees Cook [this message]
2017-08-16  2:33 ` [GIT PULL] seccomp updates for next James Morris
  -- strict thread matches above, loose matches on Subject: below --
2018-12-12 23:16 Kees Cook
2018-12-13  0:08 ` James Morris
2017-11-29  0:38 Kees Cook
2017-11-29  1:55 ` James Morris
2017-06-26 17:02 Kees Cook
2017-06-27  3:27 ` James Morris

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170815220319.GA63342@beast \
    --to=keescook@chromium.org \
    --cc=james.l.morris@oracle.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=tyhicks@canonical.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).