From: Shawn Landden <shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
Cc: linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Shawn Landden
<shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Subject: [PATCH 1/4] prctl.2: document new seccomp options
Date: Sun, 5 Aug 2012 23:18:57 -0700
Message-ID: <1344233940-2680-1-git-send-email-shawnlandden@gmail.com>
In-Reply-To: <1344113204-4294-3-git-send-email-shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
The seccomp stuff requires
#include <linux/seccomp.h>
But I am not sure where/how to specify that.
---
man2/prctl.2 | 135 +++++++++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 110 insertions(+), 25 deletions(-)
diff --git a/man2/prctl.2 b/man2/prctl.2
index eb53aa8..5c829e7 100644
--- a/man2/prctl.2
+++ b/man2/prctl.2
@@ -41,11 +41,14 @@
.\" 2012-04 Cyrill Gorcunov, Document PR_SET_MM
.\" 2012-04-25 Michael Kerrisk, Document PR_TASK_PERF_EVENTS_DISABLE and
.\" PR_TASK_PERF_EVENTS_ENABLE
+.\" 2012-08-03 Shawn Landden, Document PR_SET_NO_NEW_PRIVS, PR_GET_NO_NEW_PRIVS,
+.\" SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER
+.\" (thx Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> 259e5e6c)
.\"
.\" FIXME: Document PR_SET_TIMERSLACK and PR_GET_TIMERSLACK (new in 2.6.28)
.\" commit 6976675d94042fbd446231d1bd8b7de71a980ada
.\"
-.TH PRCTL 2 2012-04-23 "Linux" "Linux Programmer's Manual"
+.TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
.SH NAME
prctl \- operations on a process
.SH SYNOPSIS
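Review bot: the commit message asks where to state the `#include <linux/seccomp.h>` requirement; the SYNOPSIS section that begins at this hunk's last context line is the place for it, because the SECCOMP_MODE_* constants this patch introduces further down are otherwise undefined for the reader. A smaller point on the new changelog line: the kernel commit is cited as the abbreviated "259e5e6c" while the FIXME two lines below cites a full 40-character hash ("commit 6976675d94042fbd446231d1bd8b7de71a980ada"); use the full hash so the reference stays unambiguous and consistent with the rest of the header.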
@@ -231,16 +234,53 @@ Return the current value of the parent process death signal,
in the location pointed to by
.IR "(int\ *) arg2" .
.TP
+.BR PR_SET_NO_NEW_PRIVS " (since Linux 3.4)"
+Takes a boolean argument as
+.IR arg2 .
+After being set, the process and all its children can never gain new privleges.
+Operations that grant new privileges (i.e. execve)
+will either fail or not grant them. This affects suid/sgid,
+file capabilities, and LSMs.
+
+Operations that merely manipulate or drop existing privileges (
+.BR setresuid (2) ,
+.BR capset (2) ,
+etc.) will still work. Drop those privileges if you want them gone.
+
+Changing LSM security domain is considered a new privilege. So, for example,
+asking selinux for a specific new context (e.g. with
+.BR runcon (1))
+will result
+in execve returning
+.BR EPERM .
+See
+.IR Documentation/prctl/no_new_privs.txt
+for more details.
+.TP
+.BR PR_GET_NO_NEW_PRIVS " (since Linux 3.4)"
+Return the no_new_privs status of the calling thread. Returns 1 if set and 0
+if not set.
+.TP
.BR PR_SET_SECCOMP " (since Linux 2.6.23)"
.\" See http://thread.gmane.org/gmane.linux.kernel/542632
.\" [PATCH 0 of 2] seccomp updates
.\" andrea-Vyt77T80VFVWk0Htik3J/w@public.gmane.org
-Set the secure computing mode for the calling thread.
-In the current implementation,
-.IR arg2
-must be 1.
-After the secure computing mode has been set to 1,
-the only system calls that the thread is permitted to make are
+Set the secure computing mode for the calling thread. Secure computing mode is
+useful for number-crunching applications
+that may need to execute untrusted byte code,
+perhaps obtained by reading from a pipe or socket.
+These operations are only available
+if the kernel is configured with
+.BR CONFIG_SECCOMP
+or
+.BR CONFIG_SECCOMP_FILTER
+enabled, respectively. The value in
+.I arg2
+is one of the options below.
+.RS
+.TP
+.BR SECCOMP_MODE_STRICT
+The only system calls that the thread is permitted to make are
.BR read (2),
.BR write (2),
.BR _exit (2),
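Review bot: "Takes a boolean argument as arg2" in the PR_SET_NO_NEW_PRIVS entry contradicts the very next sentence, "After being set, the process and all its children can never gain new privleges": a boolean suggests the flag can be switched off again, but the text (correctly) describes a one-way setting. Say so explicitly, e.g. "arg2 must be 1; once set, the flag cannot be cleared, and it is inherited by all children", since the irreversibility is the whole security point of the option. Related wording fixes in the same entry: "privleges" is a typo for "privileges"; "(i.e. execve)" should read "(e.g., .BR execve (2))", as execve is an example rather than the only such operation; and the set entry speaks of "the process" while the get entry returns the status "of the calling thread", so the two should agree (describe the set operation as applying to the calling thread and the children it subsequently creates, matching what the get operation reads).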
@@ -249,24 +289,39 @@ and
Other system calls result in the delivery of a
.BR SIGKILL
signal.
-Secure computing mode is useful for number-crunching applications
-that may need to execute untrusted byte code,
-perhaps obtained by reading from a pipe or socket.
-This operation is only available
-if the kernel is configured with CONFIG_SECCOMP enabled.
+.TP
+.\" See https://lwn.net/Articles/475043/
+.BR SECCOMP_MODE_FILTER " (since Linux 3.5 on x86)"
+Filter syscalls based on a user supplied program in the format of
+.BR "struct seccomp_data"
+in
+.IR arg3 .
+In order to use
+.BR SECCOMP_MODE_FILTER
+without the
+.BR CAP_SYS_ADMIN
+capability, you must
+first set
+.BR PR_SET_NO_NEW_PRIVS
+to 1. If
+.BR prctl (2)
+is allowed by the attached filter, additional filters may be attached.
+.RE
.TP
.BR PR_GET_SECCOMP " (since Linux 2.6.23)"
-Return the secure computing mode of the calling thread.
-Not very useful for the current implementation (mode equals 1),
-but may be useful for other possible future modes:
-if the caller is not in secure computing mode, this operation returns 0;
-if the caller is in secure computing mode, then the
+Return the secure computing mode of the calling thread. Returns
+.BR SECCOMP_MODE_DISABLED ,
+.BR SECCOMP_MODE_STRICT ,
+or
+.BR SECCOMP_MODE_FILTER .
+If the caller is in secure computing mode, then the
.BR prctl ()
call will cause a
.B SIGKILL
signal to be sent to the process.
-This operation is only available
-if the kernel is configured with CONFIG_SECCOMP enabled.
+This operation is only available if the kernel is configured with
+.BR CONFIG_SECCOMP
+enabled.
.TP
.BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
Set the "securebits" flags of the calling thread to the value supplied in
@@ -551,6 +606,7 @@ On success,
.BR PR_GET_TIMING ,
.BR PR_GET_SECUREBITS ,
.BR PR_MCE_KILL_GET ,
+.BR PR_GET_NO_NEW_PRIVS ,
and (if it returns)
.BR PR_GET_SECCOMP
return the nonnegative values described above.
@@ -562,6 +618,19 @@ On error, \-1 is returned, and
is set appropriately.
.SH ERRORS
.TP
+.B EACCES
+.I option
+is
+.BR PR_SET_SECCOMP ,
+.I arg2
+is
+.BR SECCOMP_MODE_FILTER ,
+the caller does not have the
+.BR CAP_SYS_ADMIN
+capability, and
+.BR PR_SET_NO_NEW_PRIVS
+has not been set as documented above.
+.TP
.B EFAULT
.I arg2
is an invalid address.
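Review bot: the EFAULT entry that follows the new EACCES entry still only says "arg2 is an invalid address", yet for PR_SET_SECCOMP with SECCOMP_MODE_FILTER the pointer the kernel dereferences is arg3 (the filter program introduced earlier in this patch), so the EFAULT text needs an "or arg3 (for SECCOMP_MODE_FILTER)" clause or a separate entry. In the EACCES entry itself, "has not been set as documented above" is vague for an ERRORS section that readers jump to directly; spell out the condition: "the caller does not have the CAP_SYS_ADMIN capability and PR_SET_NO_NEW_PRIVS has not been set to 1 for the calling thread".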
@@ -579,6 +648,10 @@ or
.BR PR_MCE_KILL_GET
or
.BR PR_SET_MM ,
+or
+.BR PR_SET_NO_NEW_PRIVS ,
+or
+.BR PR_GET_NO_NEW_PRIVS ,
and unused
.BR prctl ()
arguments were not specified as zero.
@@ -593,9 +666,15 @@ is not valid value for this
is
.BR PR_SET_SECCOMP
or
-.BR PR_SET_SECCOMP ,
+.BR PR_GET_SECCOMP ,
and the kernel was not configured with
.BR CONFIG_SECCOMP .
+(or
+.BR CONFIG_SECCOMP_FILTER
+if
+.I arg2
+is
+.BR SECCOMP_MODE_FILTER )
.TP
.B EINVAL
.I option
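Review bot: the added parenthetical "(or CONFIG_SECCOMP_FILTER if arg2 is SECCOMP_MODE_FILTER)" is placed after the sentence's full stop with no terminating punctuation of its own, and it attaches to an entry covering both PR_SET_SECCOMP and PR_GET_SECCOMP although arg2 carries a mode only for PR_SET_SECCOMP. Fold it into the sentence, e.g. "and the kernel was not configured with CONFIG_SECCOMP (or, for PR_SET_SECCOMP with arg2 equal to SECCOMP_MODE_FILTER, CONFIG_SECCOMP_FILTER)." The correction of the duplicated "PR_SET_SECCOMP" to "PR_GET_SECCOMP" in the same hunk is right but unrelated to the subject line; it is fine as a drive-by fix provided the commit message mentions it.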
@@ -603,11 +682,6 @@ is
.BR PR_SET_MM ,
and one of the following is true
.RS
-.IP * 3
-.I arg4
-or
-.I arg5
-is nonzero;
.IP *
.I arg3
is greater than
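Review bot: removing the "arg4 or arg5 is nonzero" bullet from the PR_SET_MM EINVAL list is not a seccomp change and is not mentioned in the commit message, so it does not belong in a patch titled "document new seccomp options". If the intent is that the generic "unused prctl() arguments were not specified as zero" EINVAL entry (which already lists PR_SET_MM, as the previous hunk shows) makes this bullet redundant, move the deletion into its own patch with that rationale; otherwise drop it from this one.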
@@ -637,6 +711,17 @@ or specifies a value that would cause the
resource limit to be exceeded.
.RE
.TP
+.B EINVAL
+.I option
+is
+.BR PR_SET_SECCOMP ,
+.I arg2
+is
+.BR SECCOMP_MODE_FILTER ,
+and
+.I arg3
+is not a valid filter program.
+.TP
.B EPERM
.I option
is
--
1.7.9.5