From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: keescook@chromium.org, catalin.marinas@arm.com, will.deacon@arm.com
Cc: dsaxena@linaro.org, arndb@arndb.de,
	linux-arm-kernel@lists.infradead.org,
	linaro-kernel@lists.linaro.org, linux-kernel@vger.kernel.org,
	AKASHI Takahiro <takahiro.akashi@linaro.org>
Subject: [PATCH v6 6/6] arm64: add seccomp support
Date: Thu, 21 Aug 2014 17:56:45 +0900	[thread overview]
Message-ID: <1408611405-8943-7-git-send-email-takahiro.akashi@linaro.org> (raw)
In-Reply-To: <1408611405-8943-1-git-send-email-takahiro.akashi@linaro.org>

secure_computing() is called first in syscall_trace_enter() so that a system
call will be aborted quickly without doing succeeding syscall tracing,
contrary to other cases, if seccomp rules deny that system call.

On compat tasks, the syscall numbers of the system calls allowed in seccomp mode 1
differ from those of native tasks, so the __NR_seccomp_xxx_32 macros need
to be redefined.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/Kconfig               |   14 ++++++++++++++
 arch/arm64/include/asm/ptrace.h  |    1 +
 arch/arm64/include/asm/seccomp.h |   25 +++++++++++++++++++++++++
 arch/arm64/include/asm/unistd.h  |    3 +++
 arch/arm64/kernel/entry.S        |    2 ++
 arch/arm64/kernel/ptrace.c       |    5 +++++
 6 files changed, 50 insertions(+)
 create mode 100644 arch/arm64/include/asm/seccomp.h

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index fd4e81a..d6dc436 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -34,6 +34,7 @@ config ARM64
 	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL
 	select HAVE_ARCH_KGDB
+	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_ARCH_TRACEHOOK
 	select HAVE_C_RECORDMCOUNT
 	select HAVE_CC_STACKPROTECTOR
@@ -312,6 +313,19 @@ config ARCH_HAS_CACHE_LINE_SIZE
 
 source "mm/Kconfig"
 
+config SECCOMP
+	bool "Enable seccomp to safely compute untrusted bytecode"
+	---help---
+	  This kernel feature is useful for number crunching applications
+	  that may need to compute untrusted bytecode during their
+	  execution. By using pipes or other transports made available to
+	  the process as file descriptors supporting the read/write
+	  syscalls, it's possible to isolate those applications in
+	  their own address space using seccomp. Once seccomp is
+	  enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
+	  and the task is only allowed to execute a few safe syscalls
+	  defined by each seccomp mode.
+
 config XEN_DOM0
 	def_bool y
 	depends on XEN
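Review bot: The help text of the new SECCOMP option describes only strict mode (prctl(PR_SET_SECCOMP), "a few safe syscalls"), while the same patch selects HAVE_ARCH_SECCOMP_FILTER at line 41, so the BPF filter mode is what a user enabling this option actually gets as well. Since the text is the only in-tree description a configurer sees, it should mention that with CONFIG_SECCOMP_FILTER the option also enables filter mode, where a BPF program decides per system call. One added sentence at the end of the help block, such as `With CONFIG_SECCOMP_FILTER this also enables seccomp filter mode, in which a BPF program decides which system calls are allowed.`, would do.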
diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index a58cf62..a844d06 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -71,6 +71,7 @@
  * with ptrace(PTRACE_SET_SYSCALL)
  */
 #define RET_SKIP_SYSCALL	-1
+#define RET_SKIP_SYSCALL_TRACE	-2
 #define IS_SKIP_SYSCALL(no)	((int)(no & 0xffffffff) == -1)
 
 #ifndef __ASSEMBLY__
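Review bot: RET_SKIP_SYSCALL_TRACE at line 73 is added without a comment, although the block it lands in (whose comment begins above the hunk) documents RET_SKIP_SYSCALL in terms of values a tracer writes with PTRACE_SET_SYSCALL; a reader may take -2 for another such syscallno value, which IS_SKIP_SYSCALL on the next line does not recognise. From the entry.S and ptrace.c hunks it is a return value of syscall_trace_enter(), not a syscallno value, and the comment should say so. Suggest placing `/* returned by syscall_trace_enter() when seccomp denies the call: skip the syscall and its tracing; never stored in syscallno */` above the define.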
diff --git a/arch/arm64/include/asm/seccomp.h b/arch/arm64/include/asm/seccomp.h
new file mode 100644
index 0000000..c76fac9
--- /dev/null
+++ b/arch/arm64/include/asm/seccomp.h
@@ -0,0 +1,25 @@
+/*
+ * arch/arm64/include/asm/seccomp.h
+ *
+ * Copyright (C) 2014 Linaro Limited
+ * Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#ifndef _ASM_SECCOMP_H
+#define _ASM_SECCOMP_H
+
+#include <asm/unistd.h>
+
+#ifdef CONFIG_COMPAT
+#define __NR_seccomp_read_32		__NR_compat_read
+#define __NR_seccomp_write_32		__NR_compat_write
+#define __NR_seccomp_exit_32		__NR_compat_exit
+#define __NR_seccomp_sigreturn_32	__NR_compat_rt_sigreturn
+#endif /* CONFIG_COMPAT */
+
+#include <asm-generic/seccomp.h>
+
+#endif /* _ASM_SECCOMP_H */
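Review bot: Only __NR_compat_rt_sigreturn is mapped to __NR_seccomp_sigreturn_32 at line 102, so in strict mode a compat task can return from a signal handler only through rt_sigreturn; the legacy __NR_compat_sigreturn (119) defined beside it in unistd.h is not whitelisted. If the compat signal delivery path still uses the legacy sigreturn for non-SA_SIGINFO handlers, a strict-mode compat task would be killed when such a handler returns. This mirrors the 32-bit arm header so it may well be deliberate, but the limitation should be stated next to the define, e.g. `/* strict mode admits rt_sigreturn only; legacy sigreturn (119) is not whitelisted */`.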
diff --git a/arch/arm64/include/asm/unistd.h b/arch/arm64/include/asm/unistd.h
index cf6ee31..7c73059 100644
--- a/arch/arm64/include/asm/unistd.h
+++ b/arch/arm64/include/asm/unistd.h
@@ -31,6 +31,9 @@
  * Compat syscall numbers used by the AArch64 kernel.
  */
 #define __NR_compat_restart_syscall	0
+#define __NR_compat_exit		1
+#define __NR_compat_read		3
+#define __NR_compat_write		4
 #define __NR_compat_sigreturn		119
 #define __NR_compat_rt_sigreturn	173
 
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index fdd6eae..d5eb447 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -672,6 +672,8 @@ ENDPROC(el0_svc)
 __sys_trace:
 	mov	x0, sp
 	bl	syscall_trace_enter
+	cmp	w0, #RET_SKIP_SYSCALL_TRACE	// skip syscall and tracing?
+	b.eq	ret_to_user
 	cmp	w0, #RET_SKIP_SYSCALL		// skip syscall?
 	b.eq	__sys_trace_return_skipped
 	adr	lr, __sys_trace_return		// return address
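Review bot: The new branch at line 131 goes directly to ret_to_user, so a seccomp-denied syscall bypasses both __sys_trace_return and __sys_trace_return_skipped, and neither a PTRACE_SYSCALL tracer nor the syscall-exit path sees it; that matches the commit message, but it relies on the seccomp core having already stored the user-visible return value in pt_regs before syscall_trace_enter returns, which nothing in this hunk states. A comment on the branch would make that dependency explicit, e.g. `// seccomp has presumably already set the return value in pt_regs; no exit tracing`. The __sys_trace body continues beyond the hunk.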
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index c54dbcc..4287d68 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -27,6 +27,7 @@
 #include <linux/smp.h>
 #include <linux/ptrace.h>
 #include <linux/user.h>
+#include <linux/seccomp.h>
 #include <linux/security.h>
 #include <linux/init.h>
 #include <linux/signal.h>
@@ -1123,6 +1124,10 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
 {
 	unsigned int saved_syscallno = regs->syscallno;
 
+	/* Do the secure computing check first; failures should be fast. */
+	if (secure_computing(regs->syscallno) == -1)
+		return RET_SKIP_SYSCALL_TRACE;
+
 	if (test_thread_flag(TIF_SYSCALL_TRACE))
 		tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
 
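Review bot: saved_syscallno is captured at line 149 before the new secure_computing() call at line 152, yet a SECCOMP_RET_TRACE filter hands control to the tracer, which may change the syscall number (PTRACE_SET_SYSCALL, introduced by patch 1/6) before secure_computing() returns 0; the remainder of syscall_trace_enter, which continues outside the hunk, then works with a snapshot taken before that modification. If the later logic compares against saved_syscallno to detect a tracer-requested skip, moving `unsigned int saved_syscallno = regs->syscallno;` below the seccomp check, or a comment explaining why the early snapshot is intended, would remove the ambiguity. The comment at line 151 could also say what -1 means here, e.g. `/* -1: seccomp denied the call; return value is already set, skip the syscall and all tracing */`.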
-- 
1.7.9.5


From: takahiro.akashi@linaro.org (AKASHI Takahiro)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v6 6/6] arm64: add seccomp support
Date: Thu, 21 Aug 2014 17:56:45 +0900	[thread overview]
Message-ID: <1408611405-8943-7-git-send-email-takahiro.akashi@linaro.org> (raw)
In-Reply-To: <1408611405-8943-1-git-send-email-takahiro.akashi@linaro.org>

secure_computing() is called first in syscall_trace_enter() so that a system
call will be aborted quickly without doing succeeding syscall tracing,
contrary to other cases, if seccomp rules deny that system call.

On compat task, syscall numbers for system calls allowed in seccomp mode 1
are different from those on normal tasks, and so _NR_seccomp_xxx_32's need
to be redefined.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/Kconfig               |   14 ++++++++++++++
 arch/arm64/include/asm/ptrace.h  |    1 +
 arch/arm64/include/asm/seccomp.h |   25 +++++++++++++++++++++++++
 arch/arm64/include/asm/unistd.h  |    3 +++
 arch/arm64/kernel/entry.S        |    2 ++
 arch/arm64/kernel/ptrace.c       |    5 +++++
 6 files changed, 50 insertions(+)
 create mode 100644 arch/arm64/include/asm/seccomp.h

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index fd4e81a..d6dc436 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -34,6 +34,7 @@ config ARM64
 	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL
 	select HAVE_ARCH_KGDB
+	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_ARCH_TRACEHOOK
 	select HAVE_C_RECORDMCOUNT
 	select HAVE_CC_STACKPROTECTOR
@@ -312,6 +313,19 @@ config ARCH_HAS_CACHE_LINE_SIZE
 
 source "mm/Kconfig"
 
+config SECCOMP
+	bool "Enable seccomp to safely compute untrusted bytecode"
+	---help---
+	  This kernel feature is useful for number crunching applications
+	  that may need to compute untrusted bytecode during their
+	  execution. By using pipes or other transports made available to
+	  the process as file descriptors supporting the read/write
+	  syscalls, it's possible to isolate those applications in
+	  their own address space using seccomp. Once seccomp is
+	  enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
+	  and the task is only allowed to execute a few safe syscalls
+	  defined by each seccomp mode.
+
 config XEN_DOM0
 	def_bool y
 	depends on XEN
diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index a58cf62..a844d06 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -71,6 +71,7 @@
  * with ptrace(PTRACE_SET_SYSCALL)
  */
 #define RET_SKIP_SYSCALL	-1
+#define RET_SKIP_SYSCALL_TRACE	-2
 #define IS_SKIP_SYSCALL(no)	((int)(no & 0xffffffff) == -1)
 
 #ifndef __ASSEMBLY__
diff --git a/arch/arm64/include/asm/seccomp.h b/arch/arm64/include/asm/seccomp.h
new file mode 100644
index 0000000..c76fac9
--- /dev/null
+++ b/arch/arm64/include/asm/seccomp.h
@@ -0,0 +1,25 @@
+/*
+ * arch/arm64/include/asm/seccomp.h
+ *
+ * Copyright (C) 2014 Linaro Limited
+ * Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#ifndef _ASM_SECCOMP_H
+#define _ASM_SECCOMP_H
+
+#include <asm/unistd.h>
+
+#ifdef CONFIG_COMPAT
+#define __NR_seccomp_read_32		__NR_compat_read
+#define __NR_seccomp_write_32		__NR_compat_write
+#define __NR_seccomp_exit_32		__NR_compat_exit
+#define __NR_seccomp_sigreturn_32	__NR_compat_rt_sigreturn
+#endif /* CONFIG_COMPAT */
+
+#include <asm-generic/seccomp.h>
+
+#endif /* _ASM_SECCOMP_H */
diff --git a/arch/arm64/include/asm/unistd.h b/arch/arm64/include/asm/unistd.h
index cf6ee31..7c73059 100644
--- a/arch/arm64/include/asm/unistd.h
+++ b/arch/arm64/include/asm/unistd.h
@@ -31,6 +31,9 @@
  * Compat syscall numbers used by the AArch64 kernel.
  */
 #define __NR_compat_restart_syscall	0
+#define __NR_compat_exit		1
+#define __NR_compat_read		3
+#define __NR_compat_write		4
 #define __NR_compat_sigreturn		119
 #define __NR_compat_rt_sigreturn	173
 
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index fdd6eae..d5eb447 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -672,6 +672,8 @@ ENDPROC(el0_svc)
 __sys_trace:
 	mov	x0, sp
 	bl	syscall_trace_enter
+	cmp	w0, #RET_SKIP_SYSCALL_TRACE	// skip syscall and tracing?
+	b.eq	ret_to_user
 	cmp	w0, #RET_SKIP_SYSCALL		// skip syscall?
 	b.eq	__sys_trace_return_skipped
 	adr	lr, __sys_trace_return		// return address
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index c54dbcc..4287d68 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -27,6 +27,7 @@
 #include <linux/smp.h>
 #include <linux/ptrace.h>
 #include <linux/user.h>
+#include <linux/seccomp.h>
 #include <linux/security.h>
 #include <linux/init.h>
 #include <linux/signal.h>
@@ -1123,6 +1124,10 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
 {
 	unsigned int saved_syscallno = regs->syscallno;
 
+	/* Do the secure computing check first; failures should be fast. */
+	if (secure_computing(regs->syscallno) == -1)
+		return RET_SKIP_SYSCALL_TRACE;
+
 	if (test_thread_flag(TIF_SYSCALL_TRACE))
 		tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
 
-- 
1.7.9.5
