From: Kees Cook <keescook@chromium.org>
To: James Morris <james.l.morris@oracle.com>
Cc: linux-kernel@vger.kernel.org,
Andy Lutomirski <luto@amacapital.net>,
Tyler Hicks <tyhicks@canonical.com>,
linux-security-module@vger.kernel.org
Subject: [GIT PULL] seccomp updates for next
Date: Tue, 15 Aug 2017 15:03:19 -0700 [thread overview]
Message-ID: <20170815220319.GA63342@beast> (raw)
Hi James,
Please pull these seccomp changes for next.
Thanks!
-Kees
The following changes since commit 520eccdfe187591a51ea9ab4c1a024ae4d0f68d9:
Linux 4.13-rc2 (2017-07-23 16:15:17 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-next
for you to fetch changes up to f3e1821d9e1cc3fb434d7763001791dcd6720c90:
selftests/seccomp: Test thread vs process killing (2017-08-14 13:46:50 -0700)
----------------------------------------------------------------
Major additions:
- sysctl and seccomp operation to discover available actions. (tyhicks)
- new per-filter configurable logging infrastructure and sysctl. (tyhicks)
- SECCOMP_RET_LOG to log allowed syscalls. (tyhicks)
- SECCOMP_RET_KILL_PROCESS as the new strictest possible action.
- self-tests for new behaviors.
----------------------------------------------------------------
Kees Cook (8):
selftests/seccomp: Add tests for basic ptrace actions
selftests/seccomp: Add simple seccomp overhead benchmark
selftests/seccomp: Refactor RET_ERRNO tests
seccomp: Provide matching filter for introspection
seccomp: Rename SECCOMP_RET_KILL to SECCOMP_RET_KILL_THREAD
seccomp: Introduce SECCOMP_RET_KILL_PROCESS
seccomp: Implement SECCOMP_RET_KILL_PROCESS action
selftests/seccomp: Test thread vs process killing
Tyler Hicks (6):
seccomp: Sysctl to display available actions
seccomp: Operation for checking if an action is available
seccomp: Sysctl to configure actions that are allowed to be logged
seccomp: Selftest for detection of filter flag support
seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW
seccomp: Action to log before allowing
Documentation/networking/filter.txt | 2 +-
Documentation/sysctl/kernel.txt | 1 +
Documentation/userspace-api/seccomp_filter.rst | 52 +-
include/linux/audit.h | 6 +-
include/linux/seccomp.h | 3 +-
include/uapi/linux/seccomp.h | 23 +-
kernel/seccomp.c | 321 ++++++++++-
samples/seccomp/bpf-direct.c | 4 +-
samples/seccomp/bpf-helper.h | 2 +-
tools/testing/selftests/seccomp/Makefile | 18 +-
.../testing/selftests/seccomp/seccomp_benchmark.c | 99 ++++
tools/testing/selftests/seccomp/seccomp_bpf.c | 610 +++++++++++++++++----
12 files changed, 1009 insertions(+), 132 deletions(-)
create mode 100644 tools/testing/selftests/seccomp/seccomp_benchmark.c
--
Kees Cook
Pixel Security
next reply other threads:[~2017-08-15 22:03 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-15 22:03 Kees Cook [this message]
2017-08-16 2:33 ` [GIT PULL] seccomp updates for next James Morris
-- strict thread matches above, loose matches on Subject: below --
2018-12-12 23:16 Kees Cook
2018-12-13 0:08 ` James Morris
2017-11-29 0:38 Kees Cook
2017-11-29 1:55 ` James Morris
2017-06-26 17:02 Kees Cook
2017-06-27 3:27 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170815220319.GA63342@beast \
--to=keescook@chromium.org \
--cc=james.l.morris@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=tyhicks@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).