[PATCH v4 0/3] powerpc: Enable seccomp filter support

[PATCH v4 0/3] powerpc: Enable seccomp filter support

[Bogdan Purcareata]

Add the missing pieces in order to enable SECCOMP_FILTER on PowerPC
architectures, and enable this support.

Testing has been pursued using libseccomp with the latest ppc support patches
[1][2], on Freescale platforms for both ppc and ppc64. Support on ppc64le has
also been tested, courtesy of Mike Strosaker.

[1] https://groups.google.com/forum/#!topic/libseccomp/oz42LfMDsxg
[2] https://groups.google.com/forum/#!topic/libseccomp/TQWfCt_nD7c

v4:
- rebased on top of 3.19

v3:
- keep setting ENOSYS in syscall entry assembly when syscall tracing is disabled

v2:
- move setting ENOSYS from syscall entry assembly to do_syscall_trace_enter

Bogdan Purcareata (3):
  powerpc: Don't force ENOSYS as error on syscall fail
  powerpc: Relax secure computing on syscall entry trace
  powerpc: Enable HAVE_ARCH_SECCOMP_FILTER

 arch/powerpc/Kconfig           | 1 +
 arch/powerpc/kernel/entry_32.S | 7 ++++++-
 arch/powerpc/kernel/entry_64.S | 5 +++--
 arch/powerpc/kernel/ptrace.c   | 8 ++++++--
 4 files changed, 16 insertions(+), 5 deletions(-)

-- 
2.1.4

[PATCH v4 0/3] powerpc: Enable seccomp filter support

[Bogdan Purcareata]

Add the missing pieces in order to enable SECCOMP_FILTER on PowerPC
architectures, and enable this support.

Testing has been pursued using libseccomp with the latest ppc support patches
[1][2], on Freescale platforms for both ppc and ppc64. Support on ppc64le has
also been tested, courtesy of Mike Strosaker.

[1] https://groups.google.com/forum/#!topic/libseccomp/oz42LfMDsxg
[2] https://groups.google.com/forum/#!topic/libseccomp/TQWfCt_nD7c

v4:
- rebased on top of 3.19

v3:
- keep setting ENOSYS in syscall entry assembly when syscall tracing is disabled

v2:
- move setting ENOSYS from syscall entry assembly to do_syscall_trace_enter

Bogdan Purcareata (3):
  powerpc: Don't force ENOSYS as error on syscall fail
  powerpc: Relax secure computing on syscall entry trace
  powerpc: Enable HAVE_ARCH_SECCOMP_FILTER

 arch/powerpc/Kconfig           | 1 +
 arch/powerpc/kernel/entry_32.S | 7 ++++++-
 arch/powerpc/kernel/entry_64.S | 5 +++--
 arch/powerpc/kernel/ptrace.c   | 8 ++++++--
 4 files changed, 16 insertions(+), 5 deletions(-)

-- 
2.1.4

[PATCH v4 1/3] powerpc: Don't force ENOSYS as error on syscall fail

[Bogdan Purcareata]

In certain scenarios - e.g. seccomp filtering with ERRNO as default action -
the system call fails for other reasons than the syscall not being available.
The seccomp filter can be configured to store a user-defined error code on
return from a blacklisted syscall. Don't always set ENOSYS on
do_syscall_trace_enter failure.

Delegate setting ENOSYS in case of failure, where appropriate, to
do_syscall_trace_enter.

v4:
- update syscall_exit to be local label on 64bit, after rebasing on top of 3.19

v3:
- keep setting ENOSYS in the syscall entry assembly for scenarios without
  syscall tracing

v2:
- move setting ENOSYS as errno from the syscall entry assembly to
  do_syscall_trace_enter, only in the specific case

Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
---
 arch/powerpc/kernel/entry_32.S | 7 ++++++-
 arch/powerpc/kernel/entry_64.S | 5 +++--
 arch/powerpc/kernel/ptrace.c   | 4 +++-
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/arch/powerpc/kernel/entry_32.S b/arch/powerpc/kernel/entry_32.S
index 46fc0f4..b2f88cd 100644
--- a/arch/powerpc/kernel/entry_32.S
+++ b/arch/powerpc/kernel/entry_32.S
@@ -333,12 +333,12 @@ _GLOBAL(DoSyscall)
 	lwz	r11,TI_FLAGS(r10)
 	andi.	r11,r11,_TIF_SYSCALL_DOTRACE
 	bne-	syscall_dotrace
-syscall_dotrace_cont:
 	cmplwi	0,r0,NR_syscalls
 	lis	r10,sys_call_table@h
 	ori	r10,r10,sys_call_table@l
 	slwi	r0,r0,2
 	bge-	66f
+syscall_dotrace_cont:
 	lwzx	r10,r10,r0	/* Fetch system call handler [ptr] */
 	mtlr	r10
 	addi	r9,r1,STACK_FRAME_OVERHEAD
@@ -457,6 +457,11 @@ syscall_dotrace:
 	lwz	r7,GPR7(r1)
 	lwz	r8,GPR8(r1)
 	REST_NVGPRS(r1)
+	cmplwi	0,r0,NR_syscalls
+	lis	r10,sys_call_table@h
+	ori	r10,r10,sys_call_table@l
+	slwi	r0,r0,2
+	bge-	ret_from_syscall
 	b	syscall_dotrace_cont
 
 syscall_exit_work:
diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S
index d180caf2..5e7434e 100644
--- a/arch/powerpc/kernel/entry_64.S
+++ b/arch/powerpc/kernel/entry_64.S
@@ -144,7 +144,6 @@ END_FW_FTR_SECTION_IFSET(FW_FEATURE_SPLPAR)
 	ld	r10,TI_FLAGS(r11)
 	andi.	r11,r10,_TIF_SYSCALL_DOTRACE
 	bne	syscall_dotrace
-.Lsyscall_dotrace_cont:
 	cmpldi	0,r0,NR_syscalls
 	bge-	syscall_enosys
 
@@ -253,7 +252,9 @@ syscall_dotrace:
 	addi	r9,r1,STACK_FRAME_OVERHEAD
 	CURRENT_THREAD_INFO(r10, r1)
 	ld	r10,TI_FLAGS(r10)
-	b	.Lsyscall_dotrace_cont
+	cmpldi	0,r0,NR_syscalls
+	bge-	.Lsyscall_exit
+	b	system_call
 
 syscall_enosys:
 	li	r3,-ENOSYS
diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c
index f21897b..2edae06 100644
--- a/arch/powerpc/kernel/ptrace.c
+++ b/arch/powerpc/kernel/ptrace.c
@@ -1775,13 +1775,15 @@ long do_syscall_trace_enter(struct pt_regs *regs)
 	secure_computing_strict(regs->gpr[0]);
 
 	if (test_thread_flag(TIF_SYSCALL_TRACE) &&
-	    tracehook_report_syscall_entry(regs))
+	    tracehook_report_syscall_entry(regs)) {
 		/*
 		 * Tracing decided this syscall should not happen.
 		 * We'll return a bogus call number to get an ENOSYS
 		 * error, but leave the original number in regs->gpr[0].
 		 */
 		ret = -1L;
+		syscall_set_return_value(current, regs, ENOSYS, 0);
+	}
 
 	if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
 		trace_sys_enter(regs, regs->gpr[0]);
-- 
2.1.4

[PATCH v4 1/3] powerpc: Don't force ENOSYS as error on syscall fail

[Bogdan Purcareata]

In certain scenarios - e.g. seccomp filtering with ERRNO as default action -
the system call fails for other reasons than the syscall not being available.
The seccomp filter can be configured to store a user-defined error code on
return from a blacklisted syscall. Don't always set ENOSYS on
do_syscall_trace_enter failure.

Delegate setting ENOSYS in case of failure, where appropriate, to
do_syscall_trace_enter.

v4:
- update syscall_exit to be local label on 64bit, after rebasing on top of 3.19

v3:
- keep setting ENOSYS in the syscall entry assembly for scenarios without
  syscall tracing

v2:
- move setting ENOSYS as errno from the syscall entry assembly to
  do_syscall_trace_enter, only in the specific case

Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
---
 arch/powerpc/kernel/entry_32.S | 7 ++++++-
 arch/powerpc/kernel/entry_64.S | 5 +++--
 arch/powerpc/kernel/ptrace.c   | 4 +++-
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/arch/powerpc/kernel/entry_32.S b/arch/powerpc/kernel/entry_32.S
index 46fc0f4..b2f88cd 100644
--- a/arch/powerpc/kernel/entry_32.S
+++ b/arch/powerpc/kernel/entry_32.S
@@ -333,12 +333,12 @@ _GLOBAL(DoSyscall)
 	lwz	r11,TI_FLAGS(r10)
 	andi.	r11,r11,_TIF_SYSCALL_DOTRACE
 	bne-	syscall_dotrace
-syscall_dotrace_cont:
 	cmplwi	0,r0,NR_syscalls
 	lis	r10,sys_call_table@h
 	ori	r10,r10,sys_call_table@l
 	slwi	r0,r0,2
 	bge-	66f
+syscall_dotrace_cont:
 	lwzx	r10,r10,r0	/* Fetch system call handler [ptr] */
 	mtlr	r10
 	addi	r9,r1,STACK_FRAME_OVERHEAD
@@ -457,6 +457,11 @@ syscall_dotrace:
 	lwz	r7,GPR7(r1)
 	lwz	r8,GPR8(r1)
 	REST_NVGPRS(r1)
+	cmplwi	0,r0,NR_syscalls
+	lis	r10,sys_call_table@h
+	ori	r10,r10,sys_call_table@l
+	slwi	r0,r0,2
+	bge-	ret_from_syscall
 	b	syscall_dotrace_cont
 
 syscall_exit_work:
diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S
index d180caf2..5e7434e 100644
--- a/arch/powerpc/kernel/entry_64.S
+++ b/arch/powerpc/kernel/entry_64.S
@@ -144,7 +144,6 @@ END_FW_FTR_SECTION_IFSET(FW_FEATURE_SPLPAR)
 	ld	r10,TI_FLAGS(r11)
 	andi.	r11,r10,_TIF_SYSCALL_DOTRACE
 	bne	syscall_dotrace
-.Lsyscall_dotrace_cont:
 	cmpldi	0,r0,NR_syscalls
 	bge-	syscall_enosys
 
@@ -253,7 +252,9 @@ syscall_dotrace:
 	addi	r9,r1,STACK_FRAME_OVERHEAD
 	CURRENT_THREAD_INFO(r10, r1)
 	ld	r10,TI_FLAGS(r10)
-	b	.Lsyscall_dotrace_cont
+	cmpldi	0,r0,NR_syscalls
+	bge-	.Lsyscall_exit
+	b	system_call
 
 syscall_enosys:
 	li	r3,-ENOSYS
diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c
index f21897b..2edae06 100644
--- a/arch/powerpc/kernel/ptrace.c
+++ b/arch/powerpc/kernel/ptrace.c
@@ -1775,13 +1775,15 @@ long do_syscall_trace_enter(struct pt_regs *regs)
 	secure_computing_strict(regs->gpr[0]);
 
 	if (test_thread_flag(TIF_SYSCALL_TRACE) &&
-	    tracehook_report_syscall_entry(regs))
+	    tracehook_report_syscall_entry(regs)) {
 		/*
 		 * Tracing decided this syscall should not happen.
 		 * We'll return a bogus call number to get an ENOSYS
 		 * error, but leave the original number in regs->gpr[0].
 		 */
 		ret = -1L;
+		syscall_set_return_value(current, regs, ENOSYS, 0);
+	}
 
 	if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
 		trace_sys_enter(regs, regs->gpr[0]);
-- 
2.1.4

[PATCH v4 2/3] powerpc: Relax secure computing on syscall entry trace

[Bogdan Purcareata]

The secure_computing_strict will just force the kernel to panic on
secure_computing failure. Once SECCOMP_FILTER support is enabled in the kernel,
syscalls can be denied without system failure.

v4:
- rebase on top of 3.19

v3,v2: no changes

Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
---
 arch/powerpc/kernel/ptrace.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c
index 2edae06..cb9fd33 100644
--- a/arch/powerpc/kernel/ptrace.c
+++ b/arch/powerpc/kernel/ptrace.c
@@ -1772,7 +1772,9 @@ long do_syscall_trace_enter(struct pt_regs *regs)
 
 	user_exit();
 
-	secure_computing_strict(regs->gpr[0]);
+	/* Do the secure computing check first; failures should be fast. */
+	if (secure_computing() == -1)
+		return -1L;
 
 	if (test_thread_flag(TIF_SYSCALL_TRACE) &&
 	    tracehook_report_syscall_entry(regs)) {
-- 
2.1.4

[PATCH v4 2/3] powerpc: Relax secure computing on syscall entry trace

[Bogdan Purcareata]

The secure_computing_strict will just force the kernel to panic on
secure_computing failure. Once SECCOMP_FILTER support is enabled in the kernel,
syscalls can be denied without system failure.

v4:
- rebase on top of 3.19

v3,v2: no changes

Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
---
 arch/powerpc/kernel/ptrace.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c
index 2edae06..cb9fd33 100644
--- a/arch/powerpc/kernel/ptrace.c
+++ b/arch/powerpc/kernel/ptrace.c
@@ -1772,7 +1772,9 @@ long do_syscall_trace_enter(struct pt_regs *regs)
 
 	user_exit();
 
-	secure_computing_strict(regs->gpr[0]);
+	/* Do the secure computing check first; failures should be fast. */
+	if (secure_computing() == -1)
+		return -1L;
 
 	if (test_thread_flag(TIF_SYSCALL_TRACE) &&
 	    tracehook_report_syscall_entry(regs)) {
-- 
2.1.4

[PATCH v4 3/3] powerpc: Enable HAVE_ARCH_SECCOMP_FILTER

[Bogdan Purcareata]

Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
---
 arch/powerpc/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index 22b0940..2588b57 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -104,6 +104,7 @@ config PPC
 	select HAVE_EFFICIENT_UNALIGNED_ACCESS if !CPU_LITTLE_ENDIAN
 	select HAVE_KPROBES
 	select HAVE_ARCH_KGDB
+	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_KRETPROBES
 	select HAVE_ARCH_TRACEHOOK
 	select HAVE_MEMBLOCK
-- 
2.1.4

[PATCH v4 3/3] powerpc: Enable HAVE_ARCH_SECCOMP_FILTER

[Bogdan Purcareata]

Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
---
 arch/powerpc/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index 22b0940..2588b57 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -104,6 +104,7 @@ config PPC
 	select HAVE_EFFICIENT_UNALIGNED_ACCESS if !CPU_LITTLE_ENDIAN
 	select HAVE_KPROBES
 	select HAVE_ARCH_KGDB
+	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_KRETPROBES
 	select HAVE_ARCH_TRACEHOOK
 	select HAVE_MEMBLOCK
-- 
2.1.4

Re: [PATCH v4 0/3] powerpc: Enable seccomp filter support

[Purcareata Bogdan]

Ping?

On 18.02.2015 10:16, Bogdan Purcareata wrote:
> Add the missing pieces in order to enable SECCOMP_FILTER on PowerPC
> architectures, and enable this support.
>
> Testing has been pursued using libseccomp with the latest ppc support patches
> [1][2], on Freescale platforms for both ppc and ppc64. Support on ppc64le has
> also been tested, courtesy of Mike Strosaker.
>
> [1] https://groups.google.com/forum/#!topic/libseccomp/oz42LfMDsxg
> [2] https://groups.google.com/forum/#!topic/libseccomp/TQWfCt_nD7c
>
> v4:
> - rebased on top of 3.19
>
> v3:
> - keep setting ENOSYS in syscall entry assembly when syscall tracing is disabled
>
> v2:
> - move setting ENOSYS from syscall entry assembly to do_syscall_trace_enter
>
> Bogdan Purcareata (3):
>    powerpc: Don't force ENOSYS as error on syscall fail
>    powerpc: Relax secure computing on syscall entry trace
>    powerpc: Enable HAVE_ARCH_SECCOMP_FILTER
>
>   arch/powerpc/Kconfig           | 1 +
>   arch/powerpc/kernel/entry_32.S | 7 ++++++-
>   arch/powerpc/kernel/entry_64.S | 5 +++--
>   arch/powerpc/kernel/ptrace.c   | 8 ++++++--
>   4 files changed, 16 insertions(+), 5 deletions(-)
>

Re: [PATCH v4 0/3] powerpc: Enable seccomp filter support

[Purcareata Bogdan]

Ping?

On 18.02.2015 10:16, Bogdan Purcareata wrote:
> Add the missing pieces in order to enable SECCOMP_FILTER on PowerPC
> architectures, and enable this support.
>
> Testing has been pursued using libseccomp with the latest ppc support patches
> [1][2], on Freescale platforms for both ppc and ppc64. Support on ppc64le has
> also been tested, courtesy of Mike Strosaker.
>
> [1] https://groups.google.com/forum/#!topic/libseccomp/oz42LfMDsxg
> [2] https://groups.google.com/forum/#!topic/libseccomp/TQWfCt_nD7c
>
> v4:
> - rebased on top of 3.19
>
> v3:
> - keep setting ENOSYS in syscall entry assembly when syscall tracing is disabled
>
> v2:
> - move setting ENOSYS from syscall entry assembly to do_syscall_trace_enter
>
> Bogdan Purcareata (3):
>    powerpc: Don't force ENOSYS as error on syscall fail
>    powerpc: Relax secure computing on syscall entry trace
>    powerpc: Enable HAVE_ARCH_SECCOMP_FILTER
>
>   arch/powerpc/Kconfig           | 1 +
>   arch/powerpc/kernel/entry_32.S | 7 ++++++-
>   arch/powerpc/kernel/entry_64.S | 5 +++--
>   arch/powerpc/kernel/ptrace.c   | 8 ++++++--
>   4 files changed, 16 insertions(+), 5 deletions(-)
>

Re: [PATCH v4 0/3] powerpc: Enable seccomp filter support

[Benjamin Herrenschmidt]

On Fri, 2015-02-27 at 09:28 +0200, Purcareata Bogdan wrote:
> Ping?

What is the ping for ?

Ben.

> On 18.02.2015 10:16, Bogdan Purcareata wrote:
> > Add the missing pieces in order to enable SECCOMP_FILTER on PowerPC
> > architectures, and enable this support.
> >
> > Testing has been pursued using libseccomp with the latest ppc support patches
> > [1][2], on Freescale platforms for both ppc and ppc64. Support on ppc64le has
> > also been tested, courtesy of Mike Strosaker.
> >
> > [1] https://groups.google.com/forum/#!topic/libseccomp/oz42LfMDsxg
> > [2] https://groups.google.com/forum/#!topic/libseccomp/TQWfCt_nD7c
> >
> > v4:
> > - rebased on top of 3.19
> >
> > v3:
> > - keep setting ENOSYS in syscall entry assembly when syscall tracing is disabled
> >
> > v2:
> > - move setting ENOSYS from syscall entry assembly to do_syscall_trace_enter
> >
> > Bogdan Purcareata (3):
> >    powerpc: Don't force ENOSYS as error on syscall fail
> >    powerpc: Relax secure computing on syscall entry trace
> >    powerpc: Enable HAVE_ARCH_SECCOMP_FILTER
> >
> >   arch/powerpc/Kconfig           | 1 +
> >   arch/powerpc/kernel/entry_32.S | 7 ++++++-
> >   arch/powerpc/kernel/entry_64.S | 5 +++--
> >   arch/powerpc/kernel/ptrace.c   | 8 ++++++--
> >   4 files changed, 16 insertions(+), 5 deletions(-)
> >

Re: [PATCH v4 0/3] powerpc: Enable seccomp filter support

[Benjamin Herrenschmidt]

On Fri, 2015-02-27 at 09:28 +0200, Purcareata Bogdan wrote:
> Ping?

What is the ping for ?

Ben.

> On 18.02.2015 10:16, Bogdan Purcareata wrote:
> > Add the missing pieces in order to enable SECCOMP_FILTER on PowerPC
> > architectures, and enable this support.
> >
> > Testing has been pursued using libseccomp with the latest ppc support patches
> > [1][2], on Freescale platforms for both ppc and ppc64. Support on ppc64le has
> > also been tested, courtesy of Mike Strosaker.
> >
> > [1] https://groups.google.com/forum/#!topic/libseccomp/oz42LfMDsxg
> > [2] https://groups.google.com/forum/#!topic/libseccomp/TQWfCt_nD7c
> >
> > v4:
> > - rebased on top of 3.19
> >
> > v3:
> > - keep setting ENOSYS in syscall entry assembly when syscall tracing is disabled
> >
> > v2:
> > - move setting ENOSYS from syscall entry assembly to do_syscall_trace_enter
> >
> > Bogdan Purcareata (3):
> >    powerpc: Don't force ENOSYS as error on syscall fail
> >    powerpc: Relax secure computing on syscall entry trace
> >    powerpc: Enable HAVE_ARCH_SECCOMP_FILTER
> >
> >   arch/powerpc/Kconfig           | 1 +
> >   arch/powerpc/kernel/entry_32.S | 7 ++++++-
> >   arch/powerpc/kernel/entry_64.S | 5 +++--
> >   arch/powerpc/kernel/ptrace.c   | 8 ++++++--
> >   4 files changed, 16 insertions(+), 5 deletions(-)
> >

Re: [PATCH v4 0/3] powerpc: Enable seccomp filter support

[Purcareata Bogdan]

On 27.02.2015 22:54, Benjamin Herrenschmidt wrote:
> On Fri, 2015-02-27 at 09:28 +0200, Purcareata Bogdan wrote:
>> Ping?
>
> What is the ping for ?
>
> Ben.

Making sure the patches are not lost on the mailing lists :) Didn't 
receive any feedback on v4 and just wanted to check if there's anything 
more I can do.

Thank you,
Bogdan P.

>> On 18.02.2015 10:16, Bogdan Purcareata wrote:
>>> Add the missing pieces in order to enable SECCOMP_FILTER on PowerPC
>>> architectures, and enable this support.
>>>
>>> Testing has been pursued using libseccomp with the latest ppc support patches
>>> [1][2], on Freescale platforms for both ppc and ppc64. Support on ppc64le has
>>> also been tested, courtesy of Mike Strosaker.
>>>
>>> [1] https://groups.google.com/forum/#!topic/libseccomp/oz42LfMDsxg
>>> [2] https://groups.google.com/forum/#!topic/libseccomp/TQWfCt_nD7c
>>>
>>> v4:
>>> - rebased on top of 3.19
>>>
>>> v3:
>>> - keep setting ENOSYS in syscall entry assembly when syscall tracing is disabled
>>>
>>> v2:
>>> - move setting ENOSYS from syscall entry assembly to do_syscall_trace_enter
>>>
>>> Bogdan Purcareata (3):
>>>     powerpc: Don't force ENOSYS as error on syscall fail
>>>     powerpc: Relax secure computing on syscall entry trace
>>>     powerpc: Enable HAVE_ARCH_SECCOMP_FILTER
>>>
>>>    arch/powerpc/Kconfig           | 1 +
>>>    arch/powerpc/kernel/entry_32.S | 7 ++++++-
>>>    arch/powerpc/kernel/entry_64.S | 5 +++--
>>>    arch/powerpc/kernel/ptrace.c   | 8 ++++++--
>>>    4 files changed, 16 insertions(+), 5 deletions(-)
>>>
>
>

Re: [PATCH v4 0/3] powerpc: Enable seccomp filter support

[Purcareata Bogdan]

On 27.02.2015 22:54, Benjamin Herrenschmidt wrote:
> On Fri, 2015-02-27 at 09:28 +0200, Purcareata Bogdan wrote:
>> Ping?
>
> What is the ping for ?
>
> Ben.

Making sure the patches are not lost on the mailing lists :) Didn't 
receive any feedback on v4 and just wanted to check if there's anything 
more I can do.

Thank you,
Bogdan P.

>> On 18.02.2015 10:16, Bogdan Purcareata wrote:
>>> Add the missing pieces in order to enable SECCOMP_FILTER on PowerPC
>>> architectures, and enable this support.
>>>
>>> Testing has been pursued using libseccomp with the latest ppc support patches
>>> [1][2], on Freescale platforms for both ppc and ppc64. Support on ppc64le has
>>> also been tested, courtesy of Mike Strosaker.
>>>
>>> [1] https://groups.google.com/forum/#!topic/libseccomp/oz42LfMDsxg
>>> [2] https://groups.google.com/forum/#!topic/libseccomp/TQWfCt_nD7c
>>>
>>> v4:
>>> - rebased on top of 3.19
>>>
>>> v3:
>>> - keep setting ENOSYS in syscall entry assembly when syscall tracing is disabled
>>>
>>> v2:
>>> - move setting ENOSYS from syscall entry assembly to do_syscall_trace_enter
>>>
>>> Bogdan Purcareata (3):
>>>     powerpc: Don't force ENOSYS as error on syscall fail
>>>     powerpc: Relax secure computing on syscall entry trace
>>>     powerpc: Enable HAVE_ARCH_SECCOMP_FILTER
>>>
>>>    arch/powerpc/Kconfig           | 1 +
>>>    arch/powerpc/kernel/entry_32.S | 7 ++++++-
>>>    arch/powerpc/kernel/entry_64.S | 5 +++--
>>>    arch/powerpc/kernel/ptrace.c   | 8 ++++++--
>>>    4 files changed, 16 insertions(+), 5 deletions(-)
>>>
>
>

Re: [PATCH v4 0/3] powerpc: Enable seccomp filter support

[Purcareata Bogdan]

On 27.02.2015 22:54, Benjamin Herrenschmidt wrote:
> On Fri, 2015-02-27 at 09:28 +0200, Purcareata Bogdan wrote:
>> Ping?
>
> What is the ping for ?
>
> Ben.

Hello Ben,

I just wanted to check with you what's the current status of these 
patches. I noticed in patchwork [1][2][3] that the patches are marked as 
non-applicable.

As of today, I cloned Michael Ellerman's tree [4], applied the patches 
on the master branch, compiled and tested. Tests pass both with the 
libseccomp regression suite and my LXC tests.

Is there a specific tree I should send them against, or on another 
mailing list? Is there any other reason the patches are not applicable?

[1] https://patchwork.ozlabs.org/patch/440827/
[2] https://patchwork.ozlabs.org/patch/440828/
[3] https://patchwork.ozlabs.org/patch/440829/
[4] git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux.git

Thank you,
Bogdan P.

>> On 18.02.2015 10:16, Bogdan Purcareata wrote:
>>> Add the missing pieces in order to enable SECCOMP_FILTER on PowerPC
>>> architectures, and enable this support.
>>>
>>> Testing has been pursued using libseccomp with the latest ppc support patches
>>> [1][2], on Freescale platforms for both ppc and ppc64. Support on ppc64le has
>>> also been tested, courtesy of Mike Strosaker.
>>>
>>> [1] https://groups.google.com/forum/#!topic/libseccomp/oz42LfMDsxg
>>> [2] https://groups.google.com/forum/#!topic/libseccomp/TQWfCt_nD7c
>>>
>>> v4:
>>> - rebased on top of 3.19
>>>
>>> v3:
>>> - keep setting ENOSYS in syscall entry assembly when syscall tracing is disabled
>>>
>>> v2:
>>> - move setting ENOSYS from syscall entry assembly to do_syscall_trace_enter
>>>
>>> Bogdan Purcareata (3):
>>>     powerpc: Don't force ENOSYS as error on syscall fail
>>>     powerpc: Relax secure computing on syscall entry trace
>>>     powerpc: Enable HAVE_ARCH_SECCOMP_FILTER
>>>
>>>    arch/powerpc/Kconfig           | 1 +
>>>    arch/powerpc/kernel/entry_32.S | 7 ++++++-
>>>    arch/powerpc/kernel/entry_64.S | 5 +++--
>>>    arch/powerpc/kernel/ptrace.c   | 8 ++++++--
>>>    4 files changed, 16 insertions(+), 5 deletions(-)
>>>
>
>

Re: [PATCH v4 0/3] powerpc: Enable seccomp filter support

[Purcareata Bogdan]

On 27.02.2015 22:54, Benjamin Herrenschmidt wrote:
> On Fri, 2015-02-27 at 09:28 +0200, Purcareata Bogdan wrote:
>> Ping?
>
> What is the ping for ?
>
> Ben.

Hello Ben,

I just wanted to check with you what's the current status of these 
patches. I noticed in patchwork [1][2][3] that the patches are marked as 
non-applicable.

As of today, I cloned Michael Ellerman's tree [4], applied the patches 
on the master branch, compiled and tested. Tests pass both with the 
libseccomp regression suite and my LXC tests.

Is there a specific tree I should send them against, or on another 
mailing list? Is there any other reason the patches are not applicable?

[1] https://patchwork.ozlabs.org/patch/440827/
[2] https://patchwork.ozlabs.org/patch/440828/
[3] https://patchwork.ozlabs.org/patch/440829/
[4] git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux.git

Thank you,
Bogdan P.

>> On 18.02.2015 10:16, Bogdan Purcareata wrote:
>>> Add the missing pieces in order to enable SECCOMP_FILTER on PowerPC
>>> architectures, and enable this support.
>>>
>>> Testing has been pursued using libseccomp with the latest ppc support patches
>>> [1][2], on Freescale platforms for both ppc and ppc64. Support on ppc64le has
>>> also been tested, courtesy of Mike Strosaker.
>>>
>>> [1] https://groups.google.com/forum/#!topic/libseccomp/oz42LfMDsxg
>>> [2] https://groups.google.com/forum/#!topic/libseccomp/TQWfCt_nD7c
>>>
>>> v4:
>>> - rebased on top of 3.19
>>>
>>> v3:
>>> - keep setting ENOSYS in syscall entry assembly when syscall tracing is disabled
>>>
>>> v2:
>>> - move setting ENOSYS from syscall entry assembly to do_syscall_trace_enter
>>>
>>> Bogdan Purcareata (3):
>>>     powerpc: Don't force ENOSYS as error on syscall fail
>>>     powerpc: Relax secure computing on syscall entry trace
>>>     powerpc: Enable HAVE_ARCH_SECCOMP_FILTER
>>>
>>>    arch/powerpc/Kconfig           | 1 +
>>>    arch/powerpc/kernel/entry_32.S | 7 ++++++-
>>>    arch/powerpc/kernel/entry_64.S | 5 +++--
>>>    arch/powerpc/kernel/ptrace.c   | 8 ++++++--
>>>    4 files changed, 16 insertions(+), 5 deletions(-)
>>>
>
>

Re: [PATCH v4 0/3] powerpc: Enable seccomp filter support

[Michael Ellerman]

On Mon, 2015-03-23 at 13:44 +0200, Purcareata Bogdan wrote:
> On 27.02.2015 22:54, Benjamin Herrenschmidt wrote:
> > On Fri, 2015-02-27 at 09:28 +0200, Purcareata Bogdan wrote:
> >> Ping?
> >
> > What is the ping for ?
> >
> > Ben.
> 
> Hello Ben,
> 
> I just wanted to check with you what's the current status of these 
> patches. I noticed in patchwork [1][2][3] that the patches are marked as 
> non-applicable.
> 
> As of today, I cloned Michael Ellerman's tree [4], applied the patches 
> on the master branch, compiled and tested. Tests pass both with the 
> libseccomp regression suite and my LXC tests.
> 
> Is there a specific tree I should send them against, or on another 
> mailing list? Is there any other reason the patches are not applicable?

I just haven't had time to review them properly.

Because you're touching the syscall path for all powerpc platforms it needs
more scrutiny than the average patch.

It should still make 4.1, probably :)

cheers

Re: [PATCH v4 0/3] powerpc: Enable seccomp filter support

[Michael Ellerman]

On Mon, 2015-03-23 at 13:44 +0200, Purcareata Bogdan wrote:
> On 27.02.2015 22:54, Benjamin Herrenschmidt wrote:
> > On Fri, 2015-02-27 at 09:28 +0200, Purcareata Bogdan wrote:
> >> Ping?
> >
> > What is the ping for ?
> >
> > Ben.
> 
> Hello Ben,
> 
> I just wanted to check with you what's the current status of these 
> patches. I noticed in patchwork [1][2][3] that the patches are marked as 
> non-applicable.
> 
> As of today, I cloned Michael Ellerman's tree [4], applied the patches 
> on the master branch, compiled and tested. Tests pass both with the 
> libseccomp regression suite and my LXC tests.
> 
> Is there a specific tree I should send them against, or on another 
> mailing list? Is there any other reason the patches are not applicable?

I just haven't had time to review them properly.

Because you're touching the syscall path for all powerpc platforms it needs
more scrutiny than the average patch.

It should still make 4.1, probably :)

cheers