* [PATCH 00/14] run seccomp after ptrace @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King There has been a long-standing (and documented) issue with seccomp where ptrace can be used to change a syscall out from under seccomp. This is a problem for containers and other wider seccomp filtered environments where ptrace needs to remain available, as it allows for an escape of the seccomp filter. Since the ptrace attack surface is available for any allowed syscall, moving seccomp after ptrace doesn't increase the actually available attack surface. And this actually improves tracing since, for example, tracers will be notified of syscall entry before seccomp sends a SIGSYS, which makes debugging filters much easier. The per-architecture changes do make one (hopefully small) semantic change, which is that since ptrace comes first, it may request a syscall be skipped. Running seccomp after this doesn't make sense, so if ptrace wants to skip a syscall, it will bail out early similarly to how seccomp was. This means that skipped syscalls will not be fed through audit, though that likely means we're actually avoiding noise this way. This series first cleans up seccomp to remove the now unneeded two-phase entry, fixes the SECCOMP_RET_TRACE hole (same as the ptrace hole above), and then reorders seccomp after ptrace on each architecture. Thanks, -Kees ^ permalink raw reply [flat|nested] 96+ messages in thread
* [PATCH 00/14] run seccomp after ptrace @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-arm-kernel There has been a long-standing (and documented) issue with seccomp where ptrace can be used to change a syscall out from under seccomp. This is a problem for containers and other wider seccomp filtered environments where ptrace needs to remain available, as it allows for an escape of the seccomp filter. Since the ptrace attack surface is available for any allowed syscall, moving seccomp after ptrace doesn't increase the actually available attack surface. And this actually improves tracing since, for example, tracers will be notified of syscall entry before seccomp sends a SIGSYS, which makes debugging filters much easier. The per-architecture changes do make one (hopefully small) semantic change, which is that since ptrace comes first, it may request a syscall be skipped. Running seccomp after this doesn't make sense, so if ptrace wants to skip a syscall, it will bail out early similarly to how seccomp was. This means that skipped syscalls will not be fed through audit, though that likely means we're actually avoiding noise this way. This series first cleans up seccomp to remove the now unneeded two-phase entry, fixes the SECCOMP_RET_TRACE hole (same as the ptrace hole above), and then reorders seccomp after ptrace on each architecture. Thanks, -Kees ^ permalink raw reply [flat|nested] 96+ messages in thread
* [PATCH 00/14] run seccomp after ptrace @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King There has been a long-standing (and documented) issue with seccomp where ptrace can be used to change a syscall out from under seccomp. This is a problem for containers and other wider seccomp filtered environments where ptrace needs to remain available, as it allows for an escape of the seccomp filter. Since the ptrace attack surface is available for any allowed syscall, moving seccomp after ptrace doesn't increase the actually available attack surface. And this actually improves tracing since, for example, tracers will be notified of syscall entry before seccomp sends a SIGSYS, which makes debugging filters much easier. The per-architecture changes do make one (hopefully small) semantic change, which is that since ptrace comes first, it may request a syscall be skipped. Running seccomp after this doesn't make sense, so if ptrace wants to skip a syscall, it will bail out early similarly to how seccomp was. This means that skipped syscalls will not be fed through audit, though that likely means we're actually avoiding noise this way. This series first cleans up seccomp to remove the now unneeded two-phase entry, fixes the SECCOMP_RET_TRACE hole (same as the ptrace hole above), and then reorders seccomp after ptrace on each architecture. Thanks, -Kees ^ permalink raw reply [flat|nested] 96+ messages in thread
* [PATCH 00/14] run seccomp after ptrace @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon, x86 There has been a long-standing (and documented) issue with seccomp where ptrace can be used to change a syscall out from under seccomp. This is a problem for containers and other wider seccomp filtered environments where ptrace needs to remain available, as it allows for an escape of the seccomp filter. Since the ptrace attack surface is available for any allowed syscall, moving seccomp after ptrace doesn't increase the actually available attack surface. And this actually improves tracing since, for example, tracers will be notified of syscall entry before seccomp sends a SIGSYS, which makes debugging filters much easier. The per-architecture changes do make one (hopefully small) semantic change, which is that since ptrace comes first, it may request a syscall be skipped. Running seccomp after this doesn't make sense, so if ptrace wants to skip a syscall, it will bail out early similarly to how seccomp was. This means that skipped syscalls will not be fed through audit, though that likely means we're actually avoiding noise this way. This series first cleans up seccomp to remove the now unneeded two-phase entry, fixes the SECCOMP_RET_TRACE hole (same as the ptrace hole above), and then reorders seccomp after ptrace on each architecture. Thanks, -Kees ^ permalink raw reply [flat|nested] 96+ messages in thread
* [PATCH 01/14] seccomp: add tests for ptrace hole 2016-06-09 21:01 ` Kees Cook ` (2 preceding siblings ...) (?) @ 2016-06-09 21:01 ` Kees Cook -1 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King One problem with seccomp was that ptrace could be used to change a syscall after seccomp filtering had completed. This was a well documented limitation, and it was recommended to block ptrace when defining a filter to avoid this problem. This can be quite a limitation for containers or other places where ptrace is desired even under seccomp filters. This adds tests for both SECCOMP_RET_TRACE and PTRACE_SYSCALL manipulations. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@kernel.org> --- tools/testing/selftests/seccomp/seccomp_bpf.c | 176 ++++++++++++++++++++++++-- 1 file changed, 165 insertions(+), 11 deletions(-) diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 2e58549b2f02..03f1fa495d74 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1021,8 +1021,8 @@ void tracer_stop(int sig) typedef void tracer_func_t(struct __test_metadata *_metadata, pid_t tracee, int status, void *args); -void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, - tracer_func_t tracer_func, void *args) +void start_tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, + tracer_func_t tracer_func, void *args, bool ptrace_syscall) { int ret = -1; struct sigaction action = { @@ -1042,12 +1042,16 @@ void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, /* Wait for attach stop */ wait(NULL); - ret = ptrace(PTRACE_SETOPTIONS, tracee, NULL, PTRACE_O_TRACESECCOMP); + ret = ptrace(PTRACE_SETOPTIONS, tracee, NULL, ptrace_syscall ? + PTRACE_O_TRACESYSGOOD : + PTRACE_O_TRACESECCOMP); ASSERT_EQ(0, ret) { TH_LOG("Failed to set PTRACE_O_TRACESECCOMP"); kill(tracee, SIGKILL); } - ptrace(PTRACE_CONT, tracee, NULL, 0); + ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT, + tracee, NULL, 0); + ASSERT_EQ(0, ret); /* Unblock the tracee */ ASSERT_EQ(1, write(fd, "A", 1)); @@ -1063,12 +1067,13 @@ void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, /* Child is dead. Time to go. */ return; - /* Make sure this is a seccomp event. */ - ASSERT_EQ(true, IS_SECCOMP_EVENT(status)); + /* Check if this is a seccomp event. */ + ASSERT_EQ(!ptrace_syscall, IS_SECCOMP_EVENT(status)); tracer_func(_metadata, tracee, status, args); - ret = ptrace(PTRACE_CONT, tracee, NULL, NULL); + ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT, + tracee, NULL, 0); ASSERT_EQ(0, ret); } /* Directly report the status of our test harness results. */ @@ -1079,7 +1084,7 @@ void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, void cont_handler(int num) { } pid_t setup_trace_fixture(struct __test_metadata *_metadata, - tracer_func_t func, void *args) + tracer_func_t func, void *args, bool ptrace_syscall) { char sync; int pipefd[2]; @@ -1095,7 +1100,8 @@ pid_t setup_trace_fixture(struct __test_metadata *_metadata, signal(SIGALRM, cont_handler); if (tracer_pid == 0) { close(pipefd[0]); - tracer(_metadata, pipefd[1], tracee, func, args); + start_tracer(_metadata, pipefd[1], tracee, func, args, + ptrace_syscall); syscall(__NR_exit, 0); } close(pipefd[1]); @@ -1177,7 +1183,7 @@ FIXTURE_SETUP(TRACE_poke) /* Launch tracer. */ self->tracer = setup_trace_fixture(_metadata, tracer_poke, - &self->tracer_args); + &self->tracer_args, false); } FIXTURE_TEARDOWN(TRACE_poke) @@ -1399,6 +1405,29 @@ void tracer_syscall(struct __test_metadata *_metadata, pid_t tracee, } +void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee, + int status, void *args) +{ + int ret, nr; + unsigned long msg; + static bool entry; + + /* Make sure we got an empty message. */ + ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg); + EXPECT_EQ(0, ret); + EXPECT_EQ(0, msg); + + /* The only way to tell PTRACE_SYSCALL entry/exit is by counting. */ + entry = !entry; + if (!entry) + return; + + nr = get_syscall(_metadata, tracee); + + if (nr == __NR_getpid) + change_syscall(_metadata, tracee, __NR_getppid); +} + FIXTURE_DATA(TRACE_syscall) { struct sock_fprog prog; pid_t tracer, mytid, mypid, parent; @@ -1440,7 +1469,8 @@ FIXTURE_SETUP(TRACE_syscall) ASSERT_NE(self->parent, self->mypid); /* Launch tracer. */ - self->tracer = setup_trace_fixture(_metadata, tracer_syscall, NULL); + self->tracer = setup_trace_fixture(_metadata, tracer_syscall, NULL, + false); } FIXTURE_TEARDOWN(TRACE_syscall) @@ -1500,6 +1530,130 @@ TEST_F(TRACE_syscall, syscall_dropped) EXPECT_NE(self->mytid, syscall(__NR_gettid)); } +TEST_F(TRACE_syscall, skip_after_RET_TRACE) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, + offsetof(struct seccomp_data, nr)), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + long ret; + + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret); + + /* Install fixture filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Install "errno on getppid" filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Tracer will redirect getpid to getppid, and we should see EPERM. */ + EXPECT_EQ(-1, syscall(__NR_getpid)); + EXPECT_EQ(EPERM, errno); +} + +TEST_F_SIGNAL(TRACE_syscall, kill_after_RET_TRACE, SIGSYS) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, + offsetof(struct seccomp_data, nr)), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + long ret; + + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret); + + /* Install fixture filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Install "death on getppid" filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Tracer will redirect getpid to getppid, and we should die. */ + EXPECT_NE(self->mypid, syscall(__NR_getpid)); +} + +TEST_F(TRACE_syscall, skip_after_ptrace) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, + offsetof(struct seccomp_data, nr)), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + long ret; + + /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */ + teardown_trace_fixture(_metadata, self->tracer); + self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL, + true); + + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret); + + /* Install "errno on getppid" filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Tracer will redirect getpid to getppid, and we should see EPERM. */ + EXPECT_EQ(-1, syscall(__NR_getpid)); + EXPECT_EQ(EPERM, errno); +} + +TEST_F_SIGNAL(TRACE_syscall, kill_after_ptrace, SIGSYS) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, + offsetof(struct seccomp_data, nr)), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + long ret; + + /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */ + teardown_trace_fixture(_metadata, self->tracer); + self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL, + true); + + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret); + + /* Install "death on getppid" filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Tracer will redirect getpid to getppid, and we should die. */ + EXPECT_NE(self->mypid, syscall(__NR_getpid)); +} + #ifndef __NR_seccomp # if defined(__i386__) # define __NR_seccomp 354 -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 01/14] seccomp: add tests for ptrace hole @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Mark Rutland, linux-mips, Benjamin Herrenschmidt, Heiko Carstens, Russell King, Paul Mackerras, Kees Cook, linux-arch, linux-s390, Michael Ellerman, Helge Deller, x86, James E.J. Bottomley, Catalin Marinas, James Hogan, Chris Metcalf, user-mode-linux-devel, Will Deacon, Jeff Dike, Andy Lutomirski, linux-arm-kernel, linux-parisc, Ralf Baechle, Richard Weinberger, Martin Schwidefsky, Maciej W. Rozycki, linuxppc-dev One problem with seccomp was that ptrace could be used to change a syscall after seccomp filtering had completed. This was a well documented limitation, and it was recommended to block ptrace when defining a filter to avoid this problem. This can be quite a limitation for containers or other places where ptrace is desired even under seccomp filters. This adds tests for both SECCOMP_RET_TRACE and PTRACE_SYSCALL manipulations. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@kernel.org> --- tools/testing/selftests/seccomp/seccomp_bpf.c | 176 ++++++++++++++++++++++++-- 1 file changed, 165 insertions(+), 11 deletions(-) diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 2e58549b2f02..03f1fa495d74 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1021,8 +1021,8 @@ void tracer_stop(int sig) typedef void tracer_func_t(struct __test_metadata *_metadata, pid_t tracee, int status, void *args); -void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, - tracer_func_t tracer_func, void *args) +void start_tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, + tracer_func_t tracer_func, void *args, bool ptrace_syscall) { int ret = -1; struct sigaction action = { @@ -1042,12 +1042,16 @@ void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, /* Wait for attach stop */ wait(NULL); - ret = ptrace(PTRACE_SETOPTIONS, tracee, NULL, PTRACE_O_TRACESECCOMP); + ret = ptrace(PTRACE_SETOPTIONS, tracee, NULL, ptrace_syscall ? + PTRACE_O_TRACESYSGOOD : + PTRACE_O_TRACESECCOMP); ASSERT_EQ(0, ret) { TH_LOG("Failed to set PTRACE_O_TRACESECCOMP"); kill(tracee, SIGKILL); } - ptrace(PTRACE_CONT, tracee, NULL, 0); + ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT, + tracee, NULL, 0); + ASSERT_EQ(0, ret); /* Unblock the tracee */ ASSERT_EQ(1, write(fd, "A", 1)); @@ -1063,12 +1067,13 @@ void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, /* Child is dead. Time to go. */ return; - /* Make sure this is a seccomp event. */ - ASSERT_EQ(true, IS_SECCOMP_EVENT(status)); + /* Check if this is a seccomp event. */ + ASSERT_EQ(!ptrace_syscall, IS_SECCOMP_EVENT(status)); tracer_func(_metadata, tracee, status, args); - ret = ptrace(PTRACE_CONT, tracee, NULL, NULL); + ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT, + tracee, NULL, 0); ASSERT_EQ(0, ret); } /* Directly report the status of our test harness results. */ @@ -1079,7 +1084,7 @@ void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, void cont_handler(int num) { } pid_t setup_trace_fixture(struct __test_metadata *_metadata, - tracer_func_t func, void *args) + tracer_func_t func, void *args, bool ptrace_syscall) { char sync; int pipefd[2]; @@ -1095,7 +1100,8 @@ pid_t setup_trace_fixture(struct __test_metadata *_metadata, signal(SIGALRM, cont_handler); if (tracer_pid == 0) { close(pipefd[0]); - tracer(_metadata, pipefd[1], tracee, func, args); + start_tracer(_metadata, pipefd[1], tracee, func, args, + ptrace_syscall); syscall(__NR_exit, 0); } close(pipefd[1]); @@ -1177,7 +1183,7 @@ FIXTURE_SETUP(TRACE_poke) /* Launch tracer. */ self->tracer = setup_trace_fixture(_metadata, tracer_poke, - &self->tracer_args); + &self->tracer_args, false); } FIXTURE_TEARDOWN(TRACE_poke) @@ -1399,6 +1405,29 @@ void tracer_syscall(struct __test_metadata *_metadata, pid_t tracee, } +void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee, + int status, void *args) +{ + int ret, nr; + unsigned long msg; + static bool entry; + + /* Make sure we got an empty message. */ + ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg); + EXPECT_EQ(0, ret); + EXPECT_EQ(0, msg); + + /* The only way to tell PTRACE_SYSCALL entry/exit is by counting. */ + entry = !entry; + if (!entry) + return; + + nr = get_syscall(_metadata, tracee); + + if (nr == __NR_getpid) + change_syscall(_metadata, tracee, __NR_getppid); +} + FIXTURE_DATA(TRACE_syscall) { struct sock_fprog prog; pid_t tracer, mytid, mypid, parent; @@ -1440,7 +1469,8 @@ FIXTURE_SETUP(TRACE_syscall) ASSERT_NE(self->parent, self->mypid); /* Launch tracer. */ - self->tracer = setup_trace_fixture(_metadata, tracer_syscall, NULL); + self->tracer = setup_trace_fixture(_metadata, tracer_syscall, NULL, + false); } FIXTURE_TEARDOWN(TRACE_syscall) @@ -1500,6 +1530,130 @@ TEST_F(TRACE_syscall, syscall_dropped) EXPECT_NE(self->mytid, syscall(__NR_gettid)); } +TEST_F(TRACE_syscall, skip_after_RET_TRACE) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, + offsetof(struct seccomp_data, nr)), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + long ret; + + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret); + + /* Install fixture filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Install "errno on getppid" filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Tracer will redirect getpid to getppid, and we should see EPERM. */ + EXPECT_EQ(-1, syscall(__NR_getpid)); + EXPECT_EQ(EPERM, errno); +} + +TEST_F_SIGNAL(TRACE_syscall, kill_after_RET_TRACE, SIGSYS) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, + offsetof(struct seccomp_data, nr)), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + long ret; + + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret); + + /* Install fixture filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Install "death on getppid" filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Tracer will redirect getpid to getppid, and we should die. */ + EXPECT_NE(self->mypid, syscall(__NR_getpid)); +} + +TEST_F(TRACE_syscall, skip_after_ptrace) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, + offsetof(struct seccomp_data, nr)), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + long ret; + + /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */ + teardown_trace_fixture(_metadata, self->tracer); + self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL, + true); + + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret); + + /* Install "errno on getppid" filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Tracer will redirect getpid to getppid, and we should see EPERM. */ + EXPECT_EQ(-1, syscall(__NR_getpid)); + EXPECT_EQ(EPERM, errno); +} + +TEST_F_SIGNAL(TRACE_syscall, kill_after_ptrace, SIGSYS) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, + offsetof(struct seccomp_data, nr)), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + long ret; + + /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */ + teardown_trace_fixture(_metadata, self->tracer); + self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL, + true); + + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret); + + /* Install "death on getppid" filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Tracer will redirect getpid to getppid, and we should die. */ + EXPECT_NE(self->mypid, syscall(__NR_getpid)); +} + #ifndef __NR_seccomp # if defined(__i386__) # define __NR_seccomp 354 -- 2.7.4 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 01/14] seccomp: add tests for ptrace hole @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-arm-kernel One problem with seccomp was that ptrace could be used to change a syscall after seccomp filtering had completed. This was a well documented limitation, and it was recommended to block ptrace when defining a filter to avoid this problem. This can be quite a limitation for containers or other places where ptrace is desired even under seccomp filters. This adds tests for both SECCOMP_RET_TRACE and PTRACE_SYSCALL manipulations. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@kernel.org> --- tools/testing/selftests/seccomp/seccomp_bpf.c | 176 ++++++++++++++++++++++++-- 1 file changed, 165 insertions(+), 11 deletions(-) diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 2e58549b2f02..03f1fa495d74 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1021,8 +1021,8 @@ void tracer_stop(int sig) typedef void tracer_func_t(struct __test_metadata *_metadata, pid_t tracee, int status, void *args); -void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, - tracer_func_t tracer_func, void *args) +void start_tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, + tracer_func_t tracer_func, void *args, bool ptrace_syscall) { int ret = -1; struct sigaction action = { @@ -1042,12 +1042,16 @@ void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, /* Wait for attach stop */ wait(NULL); - ret = ptrace(PTRACE_SETOPTIONS, tracee, NULL, PTRACE_O_TRACESECCOMP); + ret = ptrace(PTRACE_SETOPTIONS, tracee, NULL, ptrace_syscall ? + PTRACE_O_TRACESYSGOOD : + PTRACE_O_TRACESECCOMP); ASSERT_EQ(0, ret) { TH_LOG("Failed to set PTRACE_O_TRACESECCOMP"); kill(tracee, SIGKILL); } - ptrace(PTRACE_CONT, tracee, NULL, 0); + ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT, + tracee, NULL, 0); + ASSERT_EQ(0, ret); /* Unblock the tracee */ ASSERT_EQ(1, write(fd, "A", 1)); @@ -1063,12 +1067,13 @@ void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, /* Child is dead. Time to go. */ return; - /* Make sure this is a seccomp event. */ - ASSERT_EQ(true, IS_SECCOMP_EVENT(status)); + /* Check if this is a seccomp event. */ + ASSERT_EQ(!ptrace_syscall, IS_SECCOMP_EVENT(status)); tracer_func(_metadata, tracee, status, args); - ret = ptrace(PTRACE_CONT, tracee, NULL, NULL); + ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT, + tracee, NULL, 0); ASSERT_EQ(0, ret); } /* Directly report the status of our test harness results. */ @@ -1079,7 +1084,7 @@ void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, void cont_handler(int num) { } pid_t setup_trace_fixture(struct __test_metadata *_metadata, - tracer_func_t func, void *args) + tracer_func_t func, void *args, bool ptrace_syscall) { char sync; int pipefd[2]; @@ -1095,7 +1100,8 @@ pid_t setup_trace_fixture(struct __test_metadata *_metadata, signal(SIGALRM, cont_handler); if (tracer_pid == 0) { close(pipefd[0]); - tracer(_metadata, pipefd[1], tracee, func, args); + start_tracer(_metadata, pipefd[1], tracee, func, args, + ptrace_syscall); syscall(__NR_exit, 0); } close(pipefd[1]); @@ -1177,7 +1183,7 @@ FIXTURE_SETUP(TRACE_poke) /* Launch tracer. */ self->tracer = setup_trace_fixture(_metadata, tracer_poke, - &self->tracer_args); + &self->tracer_args, false); } FIXTURE_TEARDOWN(TRACE_poke) @@ -1399,6 +1405,29 @@ void tracer_syscall(struct __test_metadata *_metadata, pid_t tracee, } +void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee, + int status, void *args) +{ + int ret, nr; + unsigned long msg; + static bool entry; + + /* Make sure we got an empty message. */ + ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg); + EXPECT_EQ(0, ret); + EXPECT_EQ(0, msg); + + /* The only way to tell PTRACE_SYSCALL entry/exit is by counting. */ + entry = !entry; + if (!entry) + return; + + nr = get_syscall(_metadata, tracee); + + if (nr == __NR_getpid) + change_syscall(_metadata, tracee, __NR_getppid); +} + FIXTURE_DATA(TRACE_syscall) { struct sock_fprog prog; pid_t tracer, mytid, mypid, parent; @@ -1440,7 +1469,8 @@ FIXTURE_SETUP(TRACE_syscall) ASSERT_NE(self->parent, self->mypid); /* Launch tracer. */ - self->tracer = setup_trace_fixture(_metadata, tracer_syscall, NULL); + self->tracer = setup_trace_fixture(_metadata, tracer_syscall, NULL, + false); } FIXTURE_TEARDOWN(TRACE_syscall) @@ -1500,6 +1530,130 @@ TEST_F(TRACE_syscall, syscall_dropped) EXPECT_NE(self->mytid, syscall(__NR_gettid)); } +TEST_F(TRACE_syscall, skip_after_RET_TRACE) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, + offsetof(struct seccomp_data, nr)), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + long ret; + + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret); + + /* Install fixture filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Install "errno on getppid" filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Tracer will redirect getpid to getppid, and we should see EPERM. */ + EXPECT_EQ(-1, syscall(__NR_getpid)); + EXPECT_EQ(EPERM, errno); +} + +TEST_F_SIGNAL(TRACE_syscall, kill_after_RET_TRACE, SIGSYS) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, + offsetof(struct seccomp_data, nr)), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + long ret; + + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret); + + /* Install fixture filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Install "death on getppid" filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Tracer will redirect getpid to getppid, and we should die. */ + EXPECT_NE(self->mypid, syscall(__NR_getpid)); +} + +TEST_F(TRACE_syscall, skip_after_ptrace) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, + offsetof(struct seccomp_data, nr)), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + long ret; + + /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */ + teardown_trace_fixture(_metadata, self->tracer); + self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL, + true); + + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret); + + /* Install "errno on getppid" filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Tracer will redirect getpid to getppid, and we should see EPERM. */ + EXPECT_EQ(-1, syscall(__NR_getpid)); + EXPECT_EQ(EPERM, errno); +} + +TEST_F_SIGNAL(TRACE_syscall, kill_after_ptrace, SIGSYS) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, + offsetof(struct seccomp_data, nr)), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + long ret; + + /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */ + teardown_trace_fixture(_metadata, self->tracer); + self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL, + true); + + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret); + + /* Install "death on getppid" filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Tracer will redirect getpid to getppid, and we should die. */ + EXPECT_NE(self->mypid, syscall(__NR_getpid)); +} + #ifndef __NR_seccomp # if defined(__i386__) # define __NR_seccomp 354 -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 01/14] seccomp: add tests for ptrace hole @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King One problem with seccomp was that ptrace could be used to change a syscall after seccomp filtering had completed. This was a well documented limitation, and it was recommended to block ptrace when defining a filter to avoid this problem. This can be quite a limitation for containers or other places where ptrace is desired even under seccomp filters. This adds tests for both SECCOMP_RET_TRACE and PTRACE_SYSCALL manipulations. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@kernel.org> --- tools/testing/selftests/seccomp/seccomp_bpf.c | 176 ++++++++++++++++++++++++-- 1 file changed, 165 insertions(+), 11 deletions(-) diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 2e58549b2f02..03f1fa495d74 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1021,8 +1021,8 @@ void tracer_stop(int sig) typedef void tracer_func_t(struct __test_metadata *_metadata, pid_t tracee, int status, void *args); -void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, - tracer_func_t tracer_func, void *args) +void start_tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, + tracer_func_t tracer_func, void *args, bool ptrace_syscall) { int ret = -1; struct sigaction action = { @@ -1042,12 +1042,16 @@ void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, /* Wait for attach stop */ wait(NULL); - ret = ptrace(PTRACE_SETOPTIONS, tracee, NULL, PTRACE_O_TRACESECCOMP); + ret = ptrace(PTRACE_SETOPTIONS, tracee, NULL, ptrace_syscall ? + PTRACE_O_TRACESYSGOOD : + PTRACE_O_TRACESECCOMP); ASSERT_EQ(0, ret) { TH_LOG("Failed to set PTRACE_O_TRACESECCOMP"); kill(tracee, SIGKILL); } - ptrace(PTRACE_CONT, tracee, NULL, 0); + ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT, + tracee, NULL, 0); + ASSERT_EQ(0, ret); /* Unblock the tracee */ ASSERT_EQ(1, write(fd, "A", 1)); @@ -1063,12 +1067,13 @@ void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, /* Child is dead. Time to go. */ return; - /* Make sure this is a seccomp event. */ - ASSERT_EQ(true, IS_SECCOMP_EVENT(status)); + /* Check if this is a seccomp event. */ + ASSERT_EQ(!ptrace_syscall, IS_SECCOMP_EVENT(status)); tracer_func(_metadata, tracee, status, args); - ret = ptrace(PTRACE_CONT, tracee, NULL, NULL); + ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT, + tracee, NULL, 0); ASSERT_EQ(0, ret); } /* Directly report the status of our test harness results. */ @@ -1079,7 +1084,7 @@ void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, void cont_handler(int num) { } pid_t setup_trace_fixture(struct __test_metadata *_metadata, - tracer_func_t func, void *args) + tracer_func_t func, void *args, bool ptrace_syscall) { char sync; int pipefd[2]; @@ -1095,7 +1100,8 @@ pid_t setup_trace_fixture(struct __test_metadata *_metadata, signal(SIGALRM, cont_handler); if (tracer_pid == 0) { close(pipefd[0]); - tracer(_metadata, pipefd[1], tracee, func, args); + start_tracer(_metadata, pipefd[1], tracee, func, args, + ptrace_syscall); syscall(__NR_exit, 0); } close(pipefd[1]); @@ -1177,7 +1183,7 @@ FIXTURE_SETUP(TRACE_poke) /* Launch tracer. */ self->tracer = setup_trace_fixture(_metadata, tracer_poke, - &self->tracer_args); + &self->tracer_args, false); } FIXTURE_TEARDOWN(TRACE_poke) @@ -1399,6 +1405,29 @@ void tracer_syscall(struct __test_metadata *_metadata, pid_t tracee, } +void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee, + int status, void *args) +{ + int ret, nr; + unsigned long msg; + static bool entry; + + /* Make sure we got an empty message. */ + ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg); + EXPECT_EQ(0, ret); + EXPECT_EQ(0, msg); + + /* The only way to tell PTRACE_SYSCALL entry/exit is by counting. */ + entry = !entry; + if (!entry) + return; + + nr = get_syscall(_metadata, tracee); + + if (nr == __NR_getpid) + change_syscall(_metadata, tracee, __NR_getppid); +} + FIXTURE_DATA(TRACE_syscall) { struct sock_fprog prog; pid_t tracer, mytid, mypid, parent; @@ -1440,7 +1469,8 @@ FIXTURE_SETUP(TRACE_syscall) ASSERT_NE(self->parent, self->mypid); /* Launch tracer. */ - self->tracer = setup_trace_fixture(_metadata, tracer_syscall, NULL); + self->tracer = setup_trace_fixture(_metadata, tracer_syscall, NULL, + false); } FIXTURE_TEARDOWN(TRACE_syscall) @@ -1500,6 +1530,130 @@ TEST_F(TRACE_syscall, syscall_dropped) EXPECT_NE(self->mytid, syscall(__NR_gettid)); } +TEST_F(TRACE_syscall, skip_after_RET_TRACE) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, + offsetof(struct seccomp_data, nr)), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + long ret; + + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret); + + /* Install fixture filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Install "errno on getppid" filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Tracer will redirect getpid to getppid, and we should see EPERM. */ + EXPECT_EQ(-1, syscall(__NR_getpid)); + EXPECT_EQ(EPERM, errno); +} + +TEST_F_SIGNAL(TRACE_syscall, kill_after_RET_TRACE, SIGSYS) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, + offsetof(struct seccomp_data, nr)), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + long ret; + + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret); + + /* Install fixture filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Install "death on getppid" filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Tracer will redirect getpid to getppid, and we should die. */ + EXPECT_NE(self->mypid, syscall(__NR_getpid)); +} + +TEST_F(TRACE_syscall, skip_after_ptrace) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, + offsetof(struct seccomp_data, nr)), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + long ret; + + /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */ + teardown_trace_fixture(_metadata, self->tracer); + self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL, + true); + + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret); + + /* Install "errno on getppid" filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Tracer will redirect getpid to getppid, and we should see EPERM. */ + EXPECT_EQ(-1, syscall(__NR_getpid)); + EXPECT_EQ(EPERM, errno); +} + +TEST_F_SIGNAL(TRACE_syscall, kill_after_ptrace, SIGSYS) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, + offsetof(struct seccomp_data, nr)), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + long ret; + + /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */ + teardown_trace_fixture(_metadata, self->tracer); + self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL, + true); + + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret); + + /* Install "death on getppid" filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Tracer will redirect getpid to getppid, and we should die. */ + EXPECT_NE(self->mypid, syscall(__NR_getpid)); +} + #ifndef __NR_seccomp # if defined(__i386__) # define __NR_seccomp 354 -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 01/14] seccomp: add tests for ptrace hole @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon, x86 One problem with seccomp was that ptrace could be used to change a syscall after seccomp filtering had completed. This was a well documented limitation, and it was recommended to block ptrace when defining a filter to avoid this problem. This can be quite a limitation for containers or other places where ptrace is desired even under seccomp filters. This adds tests for both SECCOMP_RET_TRACE and PTRACE_SYSCALL manipulations. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@kernel.org> --- tools/testing/selftests/seccomp/seccomp_bpf.c | 176 ++++++++++++++++++++++++-- 1 file changed, 165 insertions(+), 11 deletions(-) diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 2e58549b2f02..03f1fa495d74 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1021,8 +1021,8 @@ void tracer_stop(int sig) typedef void tracer_func_t(struct __test_metadata *_metadata, pid_t tracee, int status, void *args); -void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, - tracer_func_t tracer_func, void *args) +void start_tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, + tracer_func_t tracer_func, void *args, bool ptrace_syscall) { int ret = -1; struct sigaction action = { @@ -1042,12 +1042,16 @@ void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, /* Wait for attach stop */ wait(NULL); - ret = ptrace(PTRACE_SETOPTIONS, tracee, NULL, PTRACE_O_TRACESECCOMP); + ret = ptrace(PTRACE_SETOPTIONS, tracee, NULL, ptrace_syscall ? + PTRACE_O_TRACESYSGOOD : + PTRACE_O_TRACESECCOMP); ASSERT_EQ(0, ret) { TH_LOG("Failed to set PTRACE_O_TRACESECCOMP"); kill(tracee, SIGKILL); } - ptrace(PTRACE_CONT, tracee, NULL, 0); + ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT, + tracee, NULL, 0); + ASSERT_EQ(0, ret); /* Unblock the tracee */ ASSERT_EQ(1, write(fd, "A", 1)); @@ -1063,12 +1067,13 @@ void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, /* Child is dead. Time to go. */ return; - /* Make sure this is a seccomp event. */ - ASSERT_EQ(true, IS_SECCOMP_EVENT(status)); + /* Check if this is a seccomp event. */ + ASSERT_EQ(!ptrace_syscall, IS_SECCOMP_EVENT(status)); tracer_func(_metadata, tracee, status, args); - ret = ptrace(PTRACE_CONT, tracee, NULL, NULL); + ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT, + tracee, NULL, 0); ASSERT_EQ(0, ret); } /* Directly report the status of our test harness results. */ @@ -1079,7 +1084,7 @@ void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, void cont_handler(int num) { } pid_t setup_trace_fixture(struct __test_metadata *_metadata, - tracer_func_t func, void *args) + tracer_func_t func, void *args, bool ptrace_syscall) { char sync; int pipefd[2]; @@ -1095,7 +1100,8 @@ pid_t setup_trace_fixture(struct __test_metadata *_metadata, signal(SIGALRM, cont_handler); if (tracer_pid == 0) { close(pipefd[0]); - tracer(_metadata, pipefd[1], tracee, func, args); + start_tracer(_metadata, pipefd[1], tracee, func, args, + ptrace_syscall); syscall(__NR_exit, 0); } close(pipefd[1]); @@ -1177,7 +1183,7 @@ FIXTURE_SETUP(TRACE_poke) /* Launch tracer. */ self->tracer = setup_trace_fixture(_metadata, tracer_poke, - &self->tracer_args); + &self->tracer_args, false); } FIXTURE_TEARDOWN(TRACE_poke) @@ -1399,6 +1405,29 @@ void tracer_syscall(struct __test_metadata *_metadata, pid_t tracee, } +void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee, + int status, void *args) +{ + int ret, nr; + unsigned long msg; + static bool entry; + + /* Make sure we got an empty message. */ + ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg); + EXPECT_EQ(0, ret); + EXPECT_EQ(0, msg); + + /* The only way to tell PTRACE_SYSCALL entry/exit is by counting. */ + entry = !entry; + if (!entry) + return; + + nr = get_syscall(_metadata, tracee); + + if (nr == __NR_getpid) + change_syscall(_metadata, tracee, __NR_getppid); +} + FIXTURE_DATA(TRACE_syscall) { struct sock_fprog prog; pid_t tracer, mytid, mypid, parent; @@ -1440,7 +1469,8 @@ FIXTURE_SETUP(TRACE_syscall) ASSERT_NE(self->parent, self->mypid); /* Launch tracer. */ - self->tracer = setup_trace_fixture(_metadata, tracer_syscall, NULL); + self->tracer = setup_trace_fixture(_metadata, tracer_syscall, NULL, + false); } FIXTURE_TEARDOWN(TRACE_syscall) @@ -1500,6 +1530,130 @@ TEST_F(TRACE_syscall, syscall_dropped) EXPECT_NE(self->mytid, syscall(__NR_gettid)); } +TEST_F(TRACE_syscall, skip_after_RET_TRACE) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, + offsetof(struct seccomp_data, nr)), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + long ret; + + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret); + + /* Install fixture filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Install "errno on getppid" filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Tracer will redirect getpid to getppid, and we should see EPERM. */ + EXPECT_EQ(-1, syscall(__NR_getpid)); + EXPECT_EQ(EPERM, errno); +} + +TEST_F_SIGNAL(TRACE_syscall, kill_after_RET_TRACE, SIGSYS) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, + offsetof(struct seccomp_data, nr)), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + long ret; + + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret); + + /* Install fixture filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Install "death on getppid" filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Tracer will redirect getpid to getppid, and we should die. */ + EXPECT_NE(self->mypid, syscall(__NR_getpid)); +} + +TEST_F(TRACE_syscall, skip_after_ptrace) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, + offsetof(struct seccomp_data, nr)), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + long ret; + + /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */ + teardown_trace_fixture(_metadata, self->tracer); + self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL, + true); + + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret); + + /* Install "errno on getppid" filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Tracer will redirect getpid to getppid, and we should see EPERM. */ + EXPECT_EQ(-1, syscall(__NR_getpid)); + EXPECT_EQ(EPERM, errno); +} + +TEST_F_SIGNAL(TRACE_syscall, kill_after_ptrace, SIGSYS) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, + offsetof(struct seccomp_data, nr)), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + long ret; + + /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */ + teardown_trace_fixture(_metadata, self->tracer); + self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL, + true); + + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + ASSERT_EQ(0, ret); + + /* Install "death on getppid" filter. */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); + ASSERT_EQ(0, ret); + + /* Tracer will redirect getpid to getppid, and we should die. */ + EXPECT_NE(self->mypid, syscall(__NR_getpid)); +} + #ifndef __NR_seccomp # if defined(__i386__) # define __NR_seccomp 354 -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 02/14] seccomp: Add a seccomp_data parameter secure_computing() 2016-06-09 21:01 ` Kees Cook ` (2 preceding siblings ...) (?) @ 2016-06-09 21:01 ` Kees Cook -1 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Andy Lutomirski, linux-arch, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras From: Andy Lutomirski <luto@kernel.org> Currently, if arch code wants to supply seccomp_data directly to seccomp (which is generally much faster than having seccomp do it using the syscall_get_xyz() API), it has to use the two-phase seccomp hooks. Add it to the easy hooks, too. Cc: linux-arch@vger.kernel.org Signed-off-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> --- arch/arm/kernel/ptrace.c | 2 +- arch/arm64/kernel/ptrace.c | 2 +- arch/mips/kernel/ptrace.c | 2 +- arch/parisc/kernel/ptrace.c | 2 +- arch/powerpc/kernel/ptrace.c | 2 +- arch/s390/kernel/ptrace.c | 2 +- arch/tile/kernel/ptrace.c | 2 +- arch/um/kernel/skas/syscall.c | 2 +- arch/x86/entry/vsyscall/vsyscall_64.c | 2 +- include/linux/seccomp.h | 8 ++++---- kernel/seccomp.c | 4 ++-- 11 files changed, 15 insertions(+), 15 deletions(-) diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c index ef9119f7462e..ad5e90ab165c 100644 --- a/arch/arm/kernel/ptrace.c +++ b/arch/arm/kernel/ptrace.c @@ -934,7 +934,7 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno) /* Do the secure computing check first; failures should be fast. */ #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; #else /* XXX: remove this once OABI gets fixed */ diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 3f6cd5c5234f..6e2cf046615d 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -1247,7 +1247,7 @@ static void tracehook_report_syscall(struct pt_regs *regs, asmlinkage int syscall_trace_enter(struct pt_regs *regs) { /* Do the secure computing check first; failures should be fast. */ - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; if (test_thread_flag(TIF_SYSCALL_TRACE)) diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c index 0dcf69194473..c50af846ecf9 100644 --- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c @@ -893,7 +893,7 @@ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall) current_thread_info()->syscall = syscall; - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; if (test_thread_flag(TIF_SYSCALL_TRACE) && diff --git a/arch/parisc/kernel/ptrace.c b/arch/parisc/kernel/ptrace.c index b5458b37fc5b..8edc47c0b98e 100644 --- a/arch/parisc/kernel/ptrace.c +++ b/arch/parisc/kernel/ptrace.c @@ -312,7 +312,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, long do_syscall_trace_enter(struct pt_regs *regs) { /* Do the secure computing check first. */ - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; if (test_thread_flag(TIF_SYSCALL_TRACE) && diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c index 30a03c03fe73..ed799e994773 100644 --- a/arch/powerpc/kernel/ptrace.c +++ b/arch/powerpc/kernel/ptrace.c @@ -1783,7 +1783,7 @@ static int do_seccomp(struct pt_regs *regs) * have already loaded -ENOSYS into r3, or seccomp has put * something else in r3 (via SECCOMP_RET_ERRNO/TRACE). */ - if (__secure_computing()) + if (__secure_computing(NULL)) return -1; /* diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c index 49b1c13bf6c9..c238e9958c2a 100644 --- a/arch/s390/kernel/ptrace.c +++ b/arch/s390/kernel/ptrace.c @@ -824,7 +824,7 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) long ret = 0; /* Do the secure computing check first. */ - if (secure_computing()) { + if (secure_computing(NULL)) { /* seccomp failures shouldn't expose any additional code. */ ret = -1; goto out; diff --git a/arch/tile/kernel/ptrace.c b/arch/tile/kernel/ptrace.c index 54e7b723db99..8c6d2f2fefa3 100644 --- a/arch/tile/kernel/ptrace.c +++ b/arch/tile/kernel/ptrace.c @@ -255,7 +255,7 @@ int do_syscall_trace_enter(struct pt_regs *regs) { u32 work = ACCESS_ONCE(current_thread_info()->flags); - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; if (work & _TIF_SYSCALL_TRACE) { diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c index 48b0dcbd87be..9c5570f0f397 100644 --- a/arch/um/kernel/skas/syscall.c +++ b/arch/um/kernel/skas/syscall.c @@ -21,7 +21,7 @@ void handle_syscall(struct uml_pt_regs *r) PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS); /* Do the secure computing check first; failures should be fast. */ - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return; if (syscall_trace_enter(regs)) diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c index 174c2549939d..85acde5fa442 100644 --- a/arch/x86/entry/vsyscall/vsyscall_64.c +++ b/arch/x86/entry/vsyscall/vsyscall_64.c @@ -207,7 +207,7 @@ bool emulate_vsyscall(struct pt_regs *regs, unsigned long address) */ regs->orig_ax = syscall_nr; regs->ax = -ENOSYS; - tmp = secure_computing(); + tmp = secure_computing(NULL); if ((!tmp && regs->orig_ax != syscall_nr) || regs->ip != address) { warn_bad_vsyscall(KERN_DEBUG, regs, "seccomp tried to change syscall nr or ip"); diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index 2296e6b2f690..9eaa7b34d6da 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h @@ -28,11 +28,11 @@ struct seccomp { }; #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER -extern int __secure_computing(void); -static inline int secure_computing(void) +extern int __secure_computing(const struct seccomp_data *sd); +static inline int secure_computing(const struct seccomp_data *sd) { if (unlikely(test_thread_flag(TIF_SECCOMP))) - return __secure_computing(); + return __secure_computing(sd); return 0; } @@ -61,7 +61,7 @@ struct seccomp { }; struct seccomp_filter { }; #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER -static inline int secure_computing(void) { return 0; } +static inline int secure_computing(struct seccomp_data *sd) { return 0; } #else static inline void secure_computing_strict(int this_syscall) { return; } #endif diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 7002796f14a4..06816290a212 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -554,9 +554,9 @@ void secure_computing_strict(int this_syscall) BUG(); } #else -int __secure_computing(void) +int __secure_computing(const struct seccomp_data *sd) { - u32 phase1_result = seccomp_phase1(NULL); + u32 phase1_result = seccomp_phase1(sd); if (likely(phase1_result == SECCOMP_PHASE1_OK)) return 0; -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 02/14] seccomp: Add a seccomp_data parameter secure_computing() @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Mark Rutland, linux-mips, Benjamin Herrenschmidt, Heiko Carstens, Russell King, Paul Mackerras, Kees Cook, linux-arch, linux-s390, Michael Ellerman, Helge Deller, x86, James E.J. Bottomley, Catalin Marinas, James Hogan, Chris Metcalf, user-mode-linux-devel, Will Deacon, Jeff Dike, Andy Lutomirski, linux-arm-kernel, linux-parisc, Ralf Baechle, Richard Weinberger, Martin Schwidefsky, Maciej W. Rozycki, linuxppc-dev From: Andy Lutomirski <luto@kernel.org> Currently, if arch code wants to supply seccomp_data directly to seccomp (which is generally much faster than having seccomp do it using the syscall_get_xyz() API), it has to use the two-phase seccomp hooks. Add it to the easy hooks, too. Cc: linux-arch@vger.kernel.org Signed-off-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> --- arch/arm/kernel/ptrace.c | 2 +- arch/arm64/kernel/ptrace.c | 2 +- arch/mips/kernel/ptrace.c | 2 +- arch/parisc/kernel/ptrace.c | 2 +- arch/powerpc/kernel/ptrace.c | 2 +- arch/s390/kernel/ptrace.c | 2 +- arch/tile/kernel/ptrace.c | 2 +- arch/um/kernel/skas/syscall.c | 2 +- arch/x86/entry/vsyscall/vsyscall_64.c | 2 +- include/linux/seccomp.h | 8 ++++---- kernel/seccomp.c | 4 ++-- 11 files changed, 15 insertions(+), 15 deletions(-) diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c index ef9119f7462e..ad5e90ab165c 100644 --- a/arch/arm/kernel/ptrace.c +++ b/arch/arm/kernel/ptrace.c @@ -934,7 +934,7 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno) /* Do the secure computing check first; failures should be fast. */ #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; #else /* XXX: remove this once OABI gets fixed */ diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 3f6cd5c5234f..6e2cf046615d 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -1247,7 +1247,7 @@ static void tracehook_report_syscall(struct pt_regs *regs, asmlinkage int syscall_trace_enter(struct pt_regs *regs) { /* Do the secure computing check first; failures should be fast. */ - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; if (test_thread_flag(TIF_SYSCALL_TRACE)) diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c index 0dcf69194473..c50af846ecf9 100644 --- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c @@ -893,7 +893,7 @@ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall) current_thread_info()->syscall = syscall; - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; if (test_thread_flag(TIF_SYSCALL_TRACE) && diff --git a/arch/parisc/kernel/ptrace.c b/arch/parisc/kernel/ptrace.c index b5458b37fc5b..8edc47c0b98e 100644 --- a/arch/parisc/kernel/ptrace.c +++ b/arch/parisc/kernel/ptrace.c @@ -312,7 +312,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, long do_syscall_trace_enter(struct pt_regs *regs) { /* Do the secure computing check first. */ - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; if (test_thread_flag(TIF_SYSCALL_TRACE) && diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c index 30a03c03fe73..ed799e994773 100644 --- a/arch/powerpc/kernel/ptrace.c +++ b/arch/powerpc/kernel/ptrace.c @@ -1783,7 +1783,7 @@ static int do_seccomp(struct pt_regs *regs) * have already loaded -ENOSYS into r3, or seccomp has put * something else in r3 (via SECCOMP_RET_ERRNO/TRACE). */ - if (__secure_computing()) + if (__secure_computing(NULL)) return -1; /* diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c index 49b1c13bf6c9..c238e9958c2a 100644 --- a/arch/s390/kernel/ptrace.c +++ b/arch/s390/kernel/ptrace.c @@ -824,7 +824,7 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) long ret = 0; /* Do the secure computing check first. */ - if (secure_computing()) { + if (secure_computing(NULL)) { /* seccomp failures shouldn't expose any additional code. */ ret = -1; goto out; diff --git a/arch/tile/kernel/ptrace.c b/arch/tile/kernel/ptrace.c index 54e7b723db99..8c6d2f2fefa3 100644 --- a/arch/tile/kernel/ptrace.c +++ b/arch/tile/kernel/ptrace.c @@ -255,7 +255,7 @@ int do_syscall_trace_enter(struct pt_regs *regs) { u32 work = ACCESS_ONCE(current_thread_info()->flags); - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; if (work & _TIF_SYSCALL_TRACE) { diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c index 48b0dcbd87be..9c5570f0f397 100644 --- a/arch/um/kernel/skas/syscall.c +++ b/arch/um/kernel/skas/syscall.c @@ -21,7 +21,7 @@ void handle_syscall(struct uml_pt_regs *r) PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS); /* Do the secure computing check first; failures should be fast. */ - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return; if (syscall_trace_enter(regs)) diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c index 174c2549939d..85acde5fa442 100644 --- a/arch/x86/entry/vsyscall/vsyscall_64.c +++ b/arch/x86/entry/vsyscall/vsyscall_64.c @@ -207,7 +207,7 @@ bool emulate_vsyscall(struct pt_regs *regs, unsigned long address) */ regs->orig_ax = syscall_nr; regs->ax = -ENOSYS; - tmp = secure_computing(); + tmp = secure_computing(NULL); if ((!tmp && regs->orig_ax != syscall_nr) || regs->ip != address) { warn_bad_vsyscall(KERN_DEBUG, regs, "seccomp tried to change syscall nr or ip"); diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index 2296e6b2f690..9eaa7b34d6da 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h @@ -28,11 +28,11 @@ struct seccomp { }; #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER -extern int __secure_computing(void); -static inline int secure_computing(void) +extern int __secure_computing(const struct seccomp_data *sd); +static inline int secure_computing(const struct seccomp_data *sd) { if (unlikely(test_thread_flag(TIF_SECCOMP))) - return __secure_computing(); + return __secure_computing(sd); return 0; } @@ -61,7 +61,7 @@ struct seccomp { }; struct seccomp_filter { }; #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER -static inline int secure_computing(void) { return 0; } +static inline int secure_computing(struct seccomp_data *sd) { return 0; } #else static inline void secure_computing_strict(int this_syscall) { return; } #endif diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 7002796f14a4..06816290a212 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -554,9 +554,9 @@ void secure_computing_strict(int this_syscall) BUG(); } #else -int __secure_computing(void) +int __secure_computing(const struct seccomp_data *sd) { - u32 phase1_result = seccomp_phase1(NULL); + u32 phase1_result = seccomp_phase1(sd); if (likely(phase1_result == SECCOMP_PHASE1_OK)) return 0; -- 2.7.4 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 02/14] seccomp: Add a seccomp_data parameter secure_computing() @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-arm-kernel From: Andy Lutomirski <luto@kernel.org> Currently, if arch code wants to supply seccomp_data directly to seccomp (which is generally much faster than having seccomp do it using the syscall_get_xyz() API), it has to use the two-phase seccomp hooks. Add it to the easy hooks, too. Cc: linux-arch at vger.kernel.org Signed-off-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> --- arch/arm/kernel/ptrace.c | 2 +- arch/arm64/kernel/ptrace.c | 2 +- arch/mips/kernel/ptrace.c | 2 +- arch/parisc/kernel/ptrace.c | 2 +- arch/powerpc/kernel/ptrace.c | 2 +- arch/s390/kernel/ptrace.c | 2 +- arch/tile/kernel/ptrace.c | 2 +- arch/um/kernel/skas/syscall.c | 2 +- arch/x86/entry/vsyscall/vsyscall_64.c | 2 +- include/linux/seccomp.h | 8 ++++---- kernel/seccomp.c | 4 ++-- 11 files changed, 15 insertions(+), 15 deletions(-) diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c index ef9119f7462e..ad5e90ab165c 100644 --- a/arch/arm/kernel/ptrace.c +++ b/arch/arm/kernel/ptrace.c @@ -934,7 +934,7 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno) /* Do the secure computing check first; failures should be fast. */ #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; #else /* XXX: remove this once OABI gets fixed */ diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 3f6cd5c5234f..6e2cf046615d 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -1247,7 +1247,7 @@ static void tracehook_report_syscall(struct pt_regs *regs, asmlinkage int syscall_trace_enter(struct pt_regs *regs) { /* Do the secure computing check first; failures should be fast. */ - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; if (test_thread_flag(TIF_SYSCALL_TRACE)) diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c index 0dcf69194473..c50af846ecf9 100644 --- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c @@ -893,7 +893,7 @@ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall) current_thread_info()->syscall = syscall; - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; if (test_thread_flag(TIF_SYSCALL_TRACE) && diff --git a/arch/parisc/kernel/ptrace.c b/arch/parisc/kernel/ptrace.c index b5458b37fc5b..8edc47c0b98e 100644 --- a/arch/parisc/kernel/ptrace.c +++ b/arch/parisc/kernel/ptrace.c @@ -312,7 +312,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, long do_syscall_trace_enter(struct pt_regs *regs) { /* Do the secure computing check first. */ - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; if (test_thread_flag(TIF_SYSCALL_TRACE) && diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c index 30a03c03fe73..ed799e994773 100644 --- a/arch/powerpc/kernel/ptrace.c +++ b/arch/powerpc/kernel/ptrace.c @@ -1783,7 +1783,7 @@ static int do_seccomp(struct pt_regs *regs) * have already loaded -ENOSYS into r3, or seccomp has put * something else in r3 (via SECCOMP_RET_ERRNO/TRACE). */ - if (__secure_computing()) + if (__secure_computing(NULL)) return -1; /* diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c index 49b1c13bf6c9..c238e9958c2a 100644 --- a/arch/s390/kernel/ptrace.c +++ b/arch/s390/kernel/ptrace.c @@ -824,7 +824,7 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) long ret = 0; /* Do the secure computing check first. */ - if (secure_computing()) { + if (secure_computing(NULL)) { /* seccomp failures shouldn't expose any additional code. */ ret = -1; goto out; diff --git a/arch/tile/kernel/ptrace.c b/arch/tile/kernel/ptrace.c index 54e7b723db99..8c6d2f2fefa3 100644 --- a/arch/tile/kernel/ptrace.c +++ b/arch/tile/kernel/ptrace.c @@ -255,7 +255,7 @@ int do_syscall_trace_enter(struct pt_regs *regs) { u32 work = ACCESS_ONCE(current_thread_info()->flags); - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; if (work & _TIF_SYSCALL_TRACE) { diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c index 48b0dcbd87be..9c5570f0f397 100644 --- a/arch/um/kernel/skas/syscall.c +++ b/arch/um/kernel/skas/syscall.c @@ -21,7 +21,7 @@ void handle_syscall(struct uml_pt_regs *r) PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS); /* Do the secure computing check first; failures should be fast. */ - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return; if (syscall_trace_enter(regs)) diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c index 174c2549939d..85acde5fa442 100644 --- a/arch/x86/entry/vsyscall/vsyscall_64.c +++ b/arch/x86/entry/vsyscall/vsyscall_64.c @@ -207,7 +207,7 @@ bool emulate_vsyscall(struct pt_regs *regs, unsigned long address) */ regs->orig_ax = syscall_nr; regs->ax = -ENOSYS; - tmp = secure_computing(); + tmp = secure_computing(NULL); if ((!tmp && regs->orig_ax != syscall_nr) || regs->ip != address) { warn_bad_vsyscall(KERN_DEBUG, regs, "seccomp tried to change syscall nr or ip"); diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index 2296e6b2f690..9eaa7b34d6da 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h @@ -28,11 +28,11 @@ struct seccomp { }; #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER -extern int __secure_computing(void); -static inline int secure_computing(void) +extern int __secure_computing(const struct seccomp_data *sd); +static inline int secure_computing(const struct seccomp_data *sd) { if (unlikely(test_thread_flag(TIF_SECCOMP))) - return __secure_computing(); + return __secure_computing(sd); return 0; } @@ -61,7 +61,7 @@ struct seccomp { }; struct seccomp_filter { }; #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER -static inline int secure_computing(void) { return 0; } +static inline int secure_computing(struct seccomp_data *sd) { return 0; } #else static inline void secure_computing_strict(int this_syscall) { return; } #endif diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 7002796f14a4..06816290a212 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -554,9 +554,9 @@ void secure_computing_strict(int this_syscall) BUG(); } #else -int __secure_computing(void) +int __secure_computing(const struct seccomp_data *sd) { - u32 phase1_result = seccomp_phase1(NULL); + u32 phase1_result = seccomp_phase1(sd); if (likely(phase1_result == SECCOMP_PHASE1_OK)) return 0; -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 02/14] seccomp: Add a seccomp_data parameter secure_computing() @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Andy Lutomirski, linux-arch, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras From: Andy Lutomirski <luto@kernel.org> Currently, if arch code wants to supply seccomp_data directly to seccomp (which is generally much faster than having seccomp do it using the syscall_get_xyz() API), it has to use the two-phase seccomp hooks. Add it to the easy hooks, too. Cc: linux-arch@vger.kernel.org Signed-off-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> --- arch/arm/kernel/ptrace.c | 2 +- arch/arm64/kernel/ptrace.c | 2 +- arch/mips/kernel/ptrace.c | 2 +- arch/parisc/kernel/ptrace.c | 2 +- arch/powerpc/kernel/ptrace.c | 2 +- arch/s390/kernel/ptrace.c | 2 +- arch/tile/kernel/ptrace.c | 2 +- arch/um/kernel/skas/syscall.c | 2 +- arch/x86/entry/vsyscall/vsyscall_64.c | 2 +- include/linux/seccomp.h | 8 ++++---- kernel/seccomp.c | 4 ++-- 11 files changed, 15 insertions(+), 15 deletions(-) diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c index ef9119f7462e..ad5e90ab165c 100644 --- a/arch/arm/kernel/ptrace.c +++ b/arch/arm/kernel/ptrace.c @@ -934,7 +934,7 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno) /* Do the secure computing check first; failures should be fast. */ #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; #else /* XXX: remove this once OABI gets fixed */ diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 3f6cd5c5234f..6e2cf046615d 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -1247,7 +1247,7 @@ static void tracehook_report_syscall(struct pt_regs *regs, asmlinkage int syscall_trace_enter(struct pt_regs *regs) { /* Do the secure computing check first; failures should be fast. */ - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; if (test_thread_flag(TIF_SYSCALL_TRACE)) diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c index 0dcf69194473..c50af846ecf9 100644 --- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c @@ -893,7 +893,7 @@ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall) current_thread_info()->syscall = syscall; - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; if (test_thread_flag(TIF_SYSCALL_TRACE) && diff --git a/arch/parisc/kernel/ptrace.c b/arch/parisc/kernel/ptrace.c index b5458b37fc5b..8edc47c0b98e 100644 --- a/arch/parisc/kernel/ptrace.c +++ b/arch/parisc/kernel/ptrace.c @@ -312,7 +312,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, long do_syscall_trace_enter(struct pt_regs *regs) { /* Do the secure computing check first. */ - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; if (test_thread_flag(TIF_SYSCALL_TRACE) && diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c index 30a03c03fe73..ed799e994773 100644 --- a/arch/powerpc/kernel/ptrace.c +++ b/arch/powerpc/kernel/ptrace.c @@ -1783,7 +1783,7 @@ static int do_seccomp(struct pt_regs *regs) * have already loaded -ENOSYS into r3, or seccomp has put * something else in r3 (via SECCOMP_RET_ERRNO/TRACE). */ - if (__secure_computing()) + if (__secure_computing(NULL)) return -1; /* diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c index 49b1c13bf6c9..c238e9958c2a 100644 --- a/arch/s390/kernel/ptrace.c +++ b/arch/s390/kernel/ptrace.c @@ -824,7 +824,7 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) long ret = 0; /* Do the secure computing check first. */ - if (secure_computing()) { + if (secure_computing(NULL)) { /* seccomp failures shouldn't expose any additional code. */ ret = -1; goto out; diff --git a/arch/tile/kernel/ptrace.c b/arch/tile/kernel/ptrace.c index 54e7b723db99..8c6d2f2fefa3 100644 --- a/arch/tile/kernel/ptrace.c +++ b/arch/tile/kernel/ptrace.c @@ -255,7 +255,7 @@ int do_syscall_trace_enter(struct pt_regs *regs) { u32 work = ACCESS_ONCE(current_thread_info()->flags); - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; if (work & _TIF_SYSCALL_TRACE) { diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c index 48b0dcbd87be..9c5570f0f397 100644 --- a/arch/um/kernel/skas/syscall.c +++ b/arch/um/kernel/skas/syscall.c @@ -21,7 +21,7 @@ void handle_syscall(struct uml_pt_regs *r) PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS); /* Do the secure computing check first; failures should be fast. */ - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return; if (syscall_trace_enter(regs)) diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c index 174c2549939d..85acde5fa442 100644 --- a/arch/x86/entry/vsyscall/vsyscall_64.c +++ b/arch/x86/entry/vsyscall/vsyscall_64.c @@ -207,7 +207,7 @@ bool emulate_vsyscall(struct pt_regs *regs, unsigned long address) */ regs->orig_ax = syscall_nr; regs->ax = -ENOSYS; - tmp = secure_computing(); + tmp = secure_computing(NULL); if ((!tmp && regs->orig_ax != syscall_nr) || regs->ip != address) { warn_bad_vsyscall(KERN_DEBUG, regs, "seccomp tried to change syscall nr or ip"); diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index 2296e6b2f690..9eaa7b34d6da 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h @@ -28,11 +28,11 @@ struct seccomp { }; #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER -extern int __secure_computing(void); -static inline int secure_computing(void) +extern int __secure_computing(const struct seccomp_data *sd); +static inline int secure_computing(const struct seccomp_data *sd) { if (unlikely(test_thread_flag(TIF_SECCOMP))) - return __secure_computing(); + return __secure_computing(sd); return 0; } @@ -61,7 +61,7 @@ struct seccomp { }; struct seccomp_filter { }; #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER -static inline int secure_computing(void) { return 0; } +static inline int secure_computing(struct seccomp_data *sd) { return 0; } #else static inline void secure_computing_strict(int this_syscall) { return; } #endif diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 7002796f14a4..06816290a212 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -554,9 +554,9 @@ void secure_computing_strict(int this_syscall) BUG(); } #else -int __secure_computing(void) +int __secure_computing(const struct seccomp_data *sd) { - u32 phase1_result = seccomp_phase1(NULL); + u32 phase1_result = seccomp_phase1(sd); if (likely(phase1_result == SECCOMP_PHASE1_OK)) return 0; -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 02/14] seccomp: Add a seccomp_data parameter secure_computing() @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Andy Lutomirski, linux-arch, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon, x86 From: Andy Lutomirski <luto@kernel.org> Currently, if arch code wants to supply seccomp_data directly to seccomp (which is generally much faster than having seccomp do it using the syscall_get_xyz() API), it has to use the two-phase seccomp hooks. Add it to the easy hooks, too. Cc: linux-arch@vger.kernel.org Signed-off-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> --- arch/arm/kernel/ptrace.c | 2 +- arch/arm64/kernel/ptrace.c | 2 +- arch/mips/kernel/ptrace.c | 2 +- arch/parisc/kernel/ptrace.c | 2 +- arch/powerpc/kernel/ptrace.c | 2 +- arch/s390/kernel/ptrace.c | 2 +- arch/tile/kernel/ptrace.c | 2 +- arch/um/kernel/skas/syscall.c | 2 +- arch/x86/entry/vsyscall/vsyscall_64.c | 2 +- include/linux/seccomp.h | 8 ++++---- kernel/seccomp.c | 4 ++-- 11 files changed, 15 insertions(+), 15 deletions(-) diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c index ef9119f7462e..ad5e90ab165c 100644 --- a/arch/arm/kernel/ptrace.c +++ b/arch/arm/kernel/ptrace.c @@ -934,7 +934,7 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno) /* Do the secure computing check first; failures should be fast. */ #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; #else /* XXX: remove this once OABI gets fixed */ diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 3f6cd5c5234f..6e2cf046615d 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -1247,7 +1247,7 @@ static void tracehook_report_syscall(struct pt_regs *regs, asmlinkage int syscall_trace_enter(struct pt_regs *regs) { /* Do the secure computing check first; failures should be fast. */ - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; if (test_thread_flag(TIF_SYSCALL_TRACE)) diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c index 0dcf69194473..c50af846ecf9 100644 --- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c @@ -893,7 +893,7 @@ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall) current_thread_info()->syscall = syscall; - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; if (test_thread_flag(TIF_SYSCALL_TRACE) && diff --git a/arch/parisc/kernel/ptrace.c b/arch/parisc/kernel/ptrace.c index b5458b37fc5b..8edc47c0b98e 100644 --- a/arch/parisc/kernel/ptrace.c +++ b/arch/parisc/kernel/ptrace.c @@ -312,7 +312,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, long do_syscall_trace_enter(struct pt_regs *regs) { /* Do the secure computing check first. */ - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; if (test_thread_flag(TIF_SYSCALL_TRACE) && diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c index 30a03c03fe73..ed799e994773 100644 --- a/arch/powerpc/kernel/ptrace.c +++ b/arch/powerpc/kernel/ptrace.c @@ -1783,7 +1783,7 @@ static int do_seccomp(struct pt_regs *regs) * have already loaded -ENOSYS into r3, or seccomp has put * something else in r3 (via SECCOMP_RET_ERRNO/TRACE). */ - if (__secure_computing()) + if (__secure_computing(NULL)) return -1; /* diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c index 49b1c13bf6c9..c238e9958c2a 100644 --- a/arch/s390/kernel/ptrace.c +++ b/arch/s390/kernel/ptrace.c @@ -824,7 +824,7 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) long ret = 0; /* Do the secure computing check first. */ - if (secure_computing()) { + if (secure_computing(NULL)) { /* seccomp failures shouldn't expose any additional code. */ ret = -1; goto out; diff --git a/arch/tile/kernel/ptrace.c b/arch/tile/kernel/ptrace.c index 54e7b723db99..8c6d2f2fefa3 100644 --- a/arch/tile/kernel/ptrace.c +++ b/arch/tile/kernel/ptrace.c @@ -255,7 +255,7 @@ int do_syscall_trace_enter(struct pt_regs *regs) { u32 work = ACCESS_ONCE(current_thread_info()->flags); - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return -1; if (work & _TIF_SYSCALL_TRACE) { diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c index 48b0dcbd87be..9c5570f0f397 100644 --- a/arch/um/kernel/skas/syscall.c +++ b/arch/um/kernel/skas/syscall.c @@ -21,7 +21,7 @@ void handle_syscall(struct uml_pt_regs *r) PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS); /* Do the secure computing check first; failures should be fast. */ - if (secure_computing() == -1) + if (secure_computing(NULL) == -1) return; if (syscall_trace_enter(regs)) diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c index 174c2549939d..85acde5fa442 100644 --- a/arch/x86/entry/vsyscall/vsyscall_64.c +++ b/arch/x86/entry/vsyscall/vsyscall_64.c @@ -207,7 +207,7 @@ bool emulate_vsyscall(struct pt_regs *regs, unsigned long address) */ regs->orig_ax = syscall_nr; regs->ax = -ENOSYS; - tmp = secure_computing(); + tmp = secure_computing(NULL); if ((!tmp && regs->orig_ax != syscall_nr) || regs->ip != address) { warn_bad_vsyscall(KERN_DEBUG, regs, "seccomp tried to change syscall nr or ip"); diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index 2296e6b2f690..9eaa7b34d6da 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h @@ -28,11 +28,11 @@ struct seccomp { }; #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER -extern int __secure_computing(void); -static inline int secure_computing(void) +extern int __secure_computing(const struct seccomp_data *sd); +static inline int secure_computing(const struct seccomp_data *sd) { if (unlikely(test_thread_flag(TIF_SECCOMP))) - return __secure_computing(); + return __secure_computing(sd); return 0; } @@ -61,7 +61,7 @@ struct seccomp { }; struct seccomp_filter { }; #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER -static inline int secure_computing(void) { return 0; } +static inline int secure_computing(struct seccomp_data *sd) { return 0; } #else static inline void secure_computing_strict(int this_syscall) { return; } #endif diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 7002796f14a4..06816290a212 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -554,9 +554,9 @@ void secure_computing_strict(int this_syscall) BUG(); } #else -int __secure_computing(void) +int __secure_computing(const struct seccomp_data *sd) { - u32 phase1_result = seccomp_phase1(NULL); + u32 phase1_result = seccomp_phase1(sd); if (likely(phase1_result == SECCOMP_PHASE1_OK)) return 0; -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 03/14] x86/entry: Get rid of two-phase syscall entry work 2016-06-09 21:01 ` Kees Cook (?) (?) @ 2016-06-09 21:01 ` Kees Cook -1 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King From: Andy Lutomirski <luto@kernel.org> I added two-phase syscall entry work back when the entry slow path was very slow. Nowadays, the entry slow path is fast and two-phase entry work serves no purpose. Remove it. Signed-off-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> --- arch/x86/entry/common.c | 84 +++++-------------------------------------- arch/x86/include/asm/ptrace.h | 6 ---- 2 files changed, 8 insertions(+), 82 deletions(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index ec138e538c44..df56ca394877 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -64,20 +64,13 @@ static void do_audit_syscall_entry(struct pt_regs *regs, u32 arch) } /* - * We can return 0 to resume the syscall or anything else to go to phase - * 2. If we resume the syscall, we need to put something appropriate in - * regs->orig_ax. - * - * NB: We don't have full pt_regs here, but regs->orig_ax and regs->ax - * are fully functional. - * - * For phase 2's benefit, our return value is: - * 0: resume the syscall - * 1: go to phase 2; no seccomp phase 2 needed - * anything else: go to phase 2; pass return value to seccomp + * Returns the syscall nr to run (which should match regs->orig_ax) or -1 + * to skip the syscall. */ -unsigned long syscall_trace_enter_phase1(struct pt_regs *regs, u32 arch) +static long syscall_trace_enter(struct pt_regs *regs) { + u32 arch = in_ia32_syscall() ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64; + struct thread_info *ti = pt_regs_to_thread_info(regs); unsigned long ret = 0; u32 work; @@ -118,59 +111,9 @@ unsigned long syscall_trace_enter_phase1(struct pt_regs *regs, u32 arch) sd.args[5] = regs->bp; } - BUILD_BUG_ON(SECCOMP_PHASE1_OK != 0); - BUILD_BUG_ON(SECCOMP_PHASE1_SKIP != 1); - - ret = seccomp_phase1(&sd); - if (ret == SECCOMP_PHASE1_SKIP) { - regs->orig_ax = -1; - ret = 0; - } else if (ret != SECCOMP_PHASE1_OK) { - return ret; /* Go directly to phase 2 */ - } - - work &= ~_TIF_SECCOMP; - } -#endif - - /* Do our best to finish without phase 2. */ - if (work == 0) - return ret; /* seccomp and/or nohz only (ret == 0 here) */ - -#ifdef CONFIG_AUDITSYSCALL - if (work == _TIF_SYSCALL_AUDIT) { - /* - * If there is no more work to be done except auditing, - * then audit in phase 1. Phase 2 always audits, so, if - * we audit here, then we can't go on to phase 2. - */ - do_audit_syscall_entry(regs, arch); - return 0; - } -#endif - - return 1; /* Something is enabled that we can't handle in phase 1 */ -} - -/* Returns the syscall nr to run (which should match regs->orig_ax). */ -long syscall_trace_enter_phase2(struct pt_regs *regs, u32 arch, - unsigned long phase1_result) -{ - struct thread_info *ti = pt_regs_to_thread_info(regs); - long ret = 0; - u32 work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; - - if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) - BUG_ON(regs != task_pt_regs(current)); - -#ifdef CONFIG_SECCOMP - /* - * Call seccomp_phase2 before running the other hooks so that - * they can see any changes made by a seccomp tracer. - */ - if (phase1_result > 1 && seccomp_phase2(phase1_result)) { - /* seccomp failures shouldn't expose any additional code. */ - return -1; + ret = __secure_computing(&sd); + if (ret == -1) + return ret; } #endif @@ -189,17 +132,6 @@ long syscall_trace_enter_phase2(struct pt_regs *regs, u32 arch, return ret ?: regs->orig_ax; } -long syscall_trace_enter(struct pt_regs *regs) -{ - u32 arch = in_ia32_syscall() ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64; - unsigned long phase1_result = syscall_trace_enter_phase1(regs, arch); - - if (phase1_result == 0) - return regs->orig_ax; - else - return syscall_trace_enter_phase2(regs, arch, phase1_result); -} - #define EXIT_TO_USERMODE_LOOP_FLAGS \ (_TIF_SIGPENDING | _TIF_NOTIFY_RESUME | _TIF_UPROBE | \ _TIF_NEED_RESCHED | _TIF_USER_RETURN_NOTIFY) diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h index 6271281f947d..2b5d686ea9f3 100644 --- a/arch/x86/include/asm/ptrace.h +++ b/arch/x86/include/asm/ptrace.h @@ -83,12 +83,6 @@ extern void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, int error_code, int si_code); -extern unsigned long syscall_trace_enter_phase1(struct pt_regs *, u32 arch); -extern long syscall_trace_enter_phase2(struct pt_regs *, u32 arch, - unsigned long phase1_result); - -extern long syscall_trace_enter(struct pt_regs *); - static inline unsigned long regs_return_value(struct pt_regs *regs) { return regs->ax; -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 03/14] x86/entry: Get rid of two-phase syscall entry work @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-arm-kernel From: Andy Lutomirski <luto@kernel.org> I added two-phase syscall entry work back when the entry slow path was very slow. Nowadays, the entry slow path is fast and two-phase entry work serves no purpose. Remove it. Signed-off-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> --- arch/x86/entry/common.c | 84 +++++-------------------------------------- arch/x86/include/asm/ptrace.h | 6 ---- 2 files changed, 8 insertions(+), 82 deletions(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index ec138e538c44..df56ca394877 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -64,20 +64,13 @@ static void do_audit_syscall_entry(struct pt_regs *regs, u32 arch) } /* - * We can return 0 to resume the syscall or anything else to go to phase - * 2. If we resume the syscall, we need to put something appropriate in - * regs->orig_ax. - * - * NB: We don't have full pt_regs here, but regs->orig_ax and regs->ax - * are fully functional. - * - * For phase 2's benefit, our return value is: - * 0: resume the syscall - * 1: go to phase 2; no seccomp phase 2 needed - * anything else: go to phase 2; pass return value to seccomp + * Returns the syscall nr to run (which should match regs->orig_ax) or -1 + * to skip the syscall. */ -unsigned long syscall_trace_enter_phase1(struct pt_regs *regs, u32 arch) +static long syscall_trace_enter(struct pt_regs *regs) { + u32 arch = in_ia32_syscall() ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64; + struct thread_info *ti = pt_regs_to_thread_info(regs); unsigned long ret = 0; u32 work; @@ -118,59 +111,9 @@ unsigned long syscall_trace_enter_phase1(struct pt_regs *regs, u32 arch) sd.args[5] = regs->bp; } - BUILD_BUG_ON(SECCOMP_PHASE1_OK != 0); - BUILD_BUG_ON(SECCOMP_PHASE1_SKIP != 1); - - ret = seccomp_phase1(&sd); - if (ret == SECCOMP_PHASE1_SKIP) { - regs->orig_ax = -1; - ret = 0; - } else if (ret != SECCOMP_PHASE1_OK) { - return ret; /* Go directly to phase 2 */ - } - - work &= ~_TIF_SECCOMP; - } -#endif - - /* Do our best to finish without phase 2. */ - if (work == 0) - return ret; /* seccomp and/or nohz only (ret == 0 here) */ - -#ifdef CONFIG_AUDITSYSCALL - if (work == _TIF_SYSCALL_AUDIT) { - /* - * If there is no more work to be done except auditing, - * then audit in phase 1. Phase 2 always audits, so, if - * we audit here, then we can't go on to phase 2. - */ - do_audit_syscall_entry(regs, arch); - return 0; - } -#endif - - return 1; /* Something is enabled that we can't handle in phase 1 */ -} - -/* Returns the syscall nr to run (which should match regs->orig_ax). */ -long syscall_trace_enter_phase2(struct pt_regs *regs, u32 arch, - unsigned long phase1_result) -{ - struct thread_info *ti = pt_regs_to_thread_info(regs); - long ret = 0; - u32 work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; - - if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) - BUG_ON(regs != task_pt_regs(current)); - -#ifdef CONFIG_SECCOMP - /* - * Call seccomp_phase2 before running the other hooks so that - * they can see any changes made by a seccomp tracer. - */ - if (phase1_result > 1 && seccomp_phase2(phase1_result)) { - /* seccomp failures shouldn't expose any additional code. */ - return -1; + ret = __secure_computing(&sd); + if (ret == -1) + return ret; } #endif @@ -189,17 +132,6 @@ long syscall_trace_enter_phase2(struct pt_regs *regs, u32 arch, return ret ?: regs->orig_ax; } -long syscall_trace_enter(struct pt_regs *regs) -{ - u32 arch = in_ia32_syscall() ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64; - unsigned long phase1_result = syscall_trace_enter_phase1(regs, arch); - - if (phase1_result == 0) - return regs->orig_ax; - else - return syscall_trace_enter_phase2(regs, arch, phase1_result); -} - #define EXIT_TO_USERMODE_LOOP_FLAGS \ (_TIF_SIGPENDING | _TIF_NOTIFY_RESUME | _TIF_UPROBE | \ _TIF_NEED_RESCHED | _TIF_USER_RETURN_NOTIFY) diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h index 6271281f947d..2b5d686ea9f3 100644 --- a/arch/x86/include/asm/ptrace.h +++ b/arch/x86/include/asm/ptrace.h @@ -83,12 +83,6 @@ extern void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, int error_code, int si_code); -extern unsigned long syscall_trace_enter_phase1(struct pt_regs *, u32 arch); -extern long syscall_trace_enter_phase2(struct pt_regs *, u32 arch, - unsigned long phase1_result); - -extern long syscall_trace_enter(struct pt_regs *); - static inline unsigned long regs_return_value(struct pt_regs *regs) { return regs->ax; -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 03/14] x86/entry: Get rid of two-phase syscall entry work @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King From: Andy Lutomirski <luto@kernel.org> I added two-phase syscall entry work back when the entry slow path was very slow. Nowadays, the entry slow path is fast and two-phase entry work serves no purpose. Remove it. Signed-off-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> --- arch/x86/entry/common.c | 84 +++++-------------------------------------- arch/x86/include/asm/ptrace.h | 6 ---- 2 files changed, 8 insertions(+), 82 deletions(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index ec138e538c44..df56ca394877 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -64,20 +64,13 @@ static void do_audit_syscall_entry(struct pt_regs *regs, u32 arch) } /* - * We can return 0 to resume the syscall or anything else to go to phase - * 2. If we resume the syscall, we need to put something appropriate in - * regs->orig_ax. - * - * NB: We don't have full pt_regs here, but regs->orig_ax and regs->ax - * are fully functional. - * - * For phase 2's benefit, our return value is: - * 0: resume the syscall - * 1: go to phase 2; no seccomp phase 2 needed - * anything else: go to phase 2; pass return value to seccomp + * Returns the syscall nr to run (which should match regs->orig_ax) or -1 + * to skip the syscall. */ -unsigned long syscall_trace_enter_phase1(struct pt_regs *regs, u32 arch) +static long syscall_trace_enter(struct pt_regs *regs) { + u32 arch = in_ia32_syscall() ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64; + struct thread_info *ti = pt_regs_to_thread_info(regs); unsigned long ret = 0; u32 work; @@ -118,59 +111,9 @@ unsigned long syscall_trace_enter_phase1(struct pt_regs *regs, u32 arch) sd.args[5] = regs->bp; } - BUILD_BUG_ON(SECCOMP_PHASE1_OK != 0); - BUILD_BUG_ON(SECCOMP_PHASE1_SKIP != 1); - - ret = seccomp_phase1(&sd); - if (ret == SECCOMP_PHASE1_SKIP) { - regs->orig_ax = -1; - ret = 0; - } else if (ret != SECCOMP_PHASE1_OK) { - return ret; /* Go directly to phase 2 */ - } - - work &= ~_TIF_SECCOMP; - } -#endif - - /* Do our best to finish without phase 2. */ - if (work == 0) - return ret; /* seccomp and/or nohz only (ret == 0 here) */ - -#ifdef CONFIG_AUDITSYSCALL - if (work == _TIF_SYSCALL_AUDIT) { - /* - * If there is no more work to be done except auditing, - * then audit in phase 1. Phase 2 always audits, so, if - * we audit here, then we can't go on to phase 2. - */ - do_audit_syscall_entry(regs, arch); - return 0; - } -#endif - - return 1; /* Something is enabled that we can't handle in phase 1 */ -} - -/* Returns the syscall nr to run (which should match regs->orig_ax). */ -long syscall_trace_enter_phase2(struct pt_regs *regs, u32 arch, - unsigned long phase1_result) -{ - struct thread_info *ti = pt_regs_to_thread_info(regs); - long ret = 0; - u32 work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; - - if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) - BUG_ON(regs != task_pt_regs(current)); - -#ifdef CONFIG_SECCOMP - /* - * Call seccomp_phase2 before running the other hooks so that - * they can see any changes made by a seccomp tracer. - */ - if (phase1_result > 1 && seccomp_phase2(phase1_result)) { - /* seccomp failures shouldn't expose any additional code. */ - return -1; + ret = __secure_computing(&sd); + if (ret == -1) + return ret; } #endif @@ -189,17 +132,6 @@ long syscall_trace_enter_phase2(struct pt_regs *regs, u32 arch, return ret ?: regs->orig_ax; } -long syscall_trace_enter(struct pt_regs *regs) -{ - u32 arch = in_ia32_syscall() ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64; - unsigned long phase1_result = syscall_trace_enter_phase1(regs, arch); - - if (phase1_result == 0) - return regs->orig_ax; - else - return syscall_trace_enter_phase2(regs, arch, phase1_result); -} - #define EXIT_TO_USERMODE_LOOP_FLAGS \ (_TIF_SIGPENDING | _TIF_NOTIFY_RESUME | _TIF_UPROBE | \ _TIF_NEED_RESCHED | _TIF_USER_RETURN_NOTIFY) diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h index 6271281f947d..2b5d686ea9f3 100644 --- a/arch/x86/include/asm/ptrace.h +++ b/arch/x86/include/asm/ptrace.h @@ -83,12 +83,6 @@ extern void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, int error_code, int si_code); -extern unsigned long syscall_trace_enter_phase1(struct pt_regs *, u32 arch); -extern long syscall_trace_enter_phase2(struct pt_regs *, u32 arch, - unsigned long phase1_result); - -extern long syscall_trace_enter(struct pt_regs *); - static inline unsigned long regs_return_value(struct pt_regs *regs) { return regs->ax; -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 03/14] x86/entry: Get rid of two-phase syscall entry work @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon, x86 From: Andy Lutomirski <luto@kernel.org> I added two-phase syscall entry work back when the entry slow path was very slow. Nowadays, the entry slow path is fast and two-phase entry work serves no purpose. Remove it. Signed-off-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> --- arch/x86/entry/common.c | 84 +++++-------------------------------------- arch/x86/include/asm/ptrace.h | 6 ---- 2 files changed, 8 insertions(+), 82 deletions(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index ec138e538c44..df56ca394877 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -64,20 +64,13 @@ static void do_audit_syscall_entry(struct pt_regs *regs, u32 arch) } /* - * We can return 0 to resume the syscall or anything else to go to phase - * 2. If we resume the syscall, we need to put something appropriate in - * regs->orig_ax. - * - * NB: We don't have full pt_regs here, but regs->orig_ax and regs->ax - * are fully functional. - * - * For phase 2's benefit, our return value is: - * 0: resume the syscall - * 1: go to phase 2; no seccomp phase 2 needed - * anything else: go to phase 2; pass return value to seccomp + * Returns the syscall nr to run (which should match regs->orig_ax) or -1 + * to skip the syscall. */ -unsigned long syscall_trace_enter_phase1(struct pt_regs *regs, u32 arch) +static long syscall_trace_enter(struct pt_regs *regs) { + u32 arch = in_ia32_syscall() ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64; + struct thread_info *ti = pt_regs_to_thread_info(regs); unsigned long ret = 0; u32 work; @@ -118,59 +111,9 @@ unsigned long syscall_trace_enter_phase1(struct pt_regs *regs, u32 arch) sd.args[5] = regs->bp; } - BUILD_BUG_ON(SECCOMP_PHASE1_OK != 0); - BUILD_BUG_ON(SECCOMP_PHASE1_SKIP != 1); - - ret = seccomp_phase1(&sd); - if (ret == SECCOMP_PHASE1_SKIP) { - regs->orig_ax = -1; - ret = 0; - } else if (ret != SECCOMP_PHASE1_OK) { - return ret; /* Go directly to phase 2 */ - } - - work &= ~_TIF_SECCOMP; - } -#endif - - /* Do our best to finish without phase 2. */ - if (work == 0) - return ret; /* seccomp and/or nohz only (ret == 0 here) */ - -#ifdef CONFIG_AUDITSYSCALL - if (work == _TIF_SYSCALL_AUDIT) { - /* - * If there is no more work to be done except auditing, - * then audit in phase 1. Phase 2 always audits, so, if - * we audit here, then we can't go on to phase 2. - */ - do_audit_syscall_entry(regs, arch); - return 0; - } -#endif - - return 1; /* Something is enabled that we can't handle in phase 1 */ -} - -/* Returns the syscall nr to run (which should match regs->orig_ax). */ -long syscall_trace_enter_phase2(struct pt_regs *regs, u32 arch, - unsigned long phase1_result) -{ - struct thread_info *ti = pt_regs_to_thread_info(regs); - long ret = 0; - u32 work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; - - if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) - BUG_ON(regs != task_pt_regs(current)); - -#ifdef CONFIG_SECCOMP - /* - * Call seccomp_phase2 before running the other hooks so that - * they can see any changes made by a seccomp tracer. - */ - if (phase1_result > 1 && seccomp_phase2(phase1_result)) { - /* seccomp failures shouldn't expose any additional code. */ - return -1; + ret = __secure_computing(&sd); + if (ret == -1) + return ret; } #endif @@ -189,17 +132,6 @@ long syscall_trace_enter_phase2(struct pt_regs *regs, u32 arch, return ret ?: regs->orig_ax; } -long syscall_trace_enter(struct pt_regs *regs) -{ - u32 arch = in_ia32_syscall() ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64; - unsigned long phase1_result = syscall_trace_enter_phase1(regs, arch); - - if (phase1_result == 0) - return regs->orig_ax; - else - return syscall_trace_enter_phase2(regs, arch, phase1_result); -} - #define EXIT_TO_USERMODE_LOOP_FLAGS \ (_TIF_SIGPENDING | _TIF_NOTIFY_RESUME | _TIF_UPROBE | \ _TIF_NEED_RESCHED | _TIF_USER_RETURN_NOTIFY) diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h index 6271281f947d..2b5d686ea9f3 100644 --- a/arch/x86/include/asm/ptrace.h +++ b/arch/x86/include/asm/ptrace.h @@ -83,12 +83,6 @@ extern void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, int error_code, int si_code); -extern unsigned long syscall_trace_enter_phase1(struct pt_regs *, u32 arch); -extern long syscall_trace_enter_phase2(struct pt_regs *, u32 arch, - unsigned long phase1_result); - -extern long syscall_trace_enter(struct pt_regs *); - static inline unsigned long regs_return_value(struct pt_regs *regs) { return regs->ax; -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 04/14] seccomp: remove 2-phase API 2016-06-09 21:01 ` Kees Cook (?) (?) @ 2016-06-09 21:01 ` Kees Cook -1 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King Since nothing is using the 2-phase API, and it adds more complexity than benefit, remove it. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@kernel.org> --- include/linux/seccomp.h | 6 --- kernel/seccomp.c | 129 +++++++++++++++--------------------------------- 2 files changed, 41 insertions(+), 94 deletions(-) diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index 9eaa7b34d6da..ecc296c137cd 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h @@ -35,12 +35,6 @@ static inline int secure_computing(const struct seccomp_data *sd) return __secure_computing(sd); return 0; } - -#define SECCOMP_PHASE1_OK 0 -#define SECCOMP_PHASE1_SKIP 1 - -extern u32 seccomp_phase1(struct seccomp_data *sd); -int seccomp_phase2(u32 phase1_result); #else extern void secure_computing_strict(int this_syscall); #endif diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 06816290a212..14a37d71b612 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -173,7 +173,7 @@ static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen) * * Returns valid seccomp BPF response codes. */ -static u32 seccomp_run_filters(struct seccomp_data *sd) +static u32 seccomp_run_filters(const struct seccomp_data *sd) { struct seccomp_data sd_local; u32 ret = SECCOMP_RET_ALLOW; @@ -554,20 +554,9 @@ void secure_computing_strict(int this_syscall) BUG(); } #else -int __secure_computing(const struct seccomp_data *sd) -{ - u32 phase1_result = seccomp_phase1(sd); - - if (likely(phase1_result == SECCOMP_PHASE1_OK)) - return 0; - else if (likely(phase1_result == SECCOMP_PHASE1_SKIP)) - return -1; - else - return seccomp_phase2(phase1_result); -} #ifdef CONFIG_SECCOMP_FILTER -static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd) +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) { u32 filter_ret, action; int data; @@ -599,10 +588,33 @@ static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd) goto skip; case SECCOMP_RET_TRACE: - return filter_ret; /* Save the rest for phase 2. */ + /* ENOSYS these calls if there is no tracer attached. */ + if (!ptrace_event_enabled(current, PTRACE_EVENT_SECCOMP)) { + syscall_set_return_value(current, + task_pt_regs(current), + -ENOSYS, 0); + goto skip; + } + + /* Allow the BPF to provide the event message */ + ptrace_event(PTRACE_EVENT_SECCOMP, data); + /* + * The delivery of a fatal signal during event + * notification may silently skip tracer notification. + * Terminating the task now avoids executing a system + * call that may not be intended. + */ + if (fatal_signal_pending(current)) + do_exit(SIGSYS); + /* Check if the tracer forced the syscall to be skipped. */ + this_syscall = syscall_get_nr(current, task_pt_regs(current)); + if (this_syscall < 0) + goto skip; + + return 0; case SECCOMP_RET_ALLOW: - return SECCOMP_PHASE1_OK; + return 0; case SECCOMP_RET_KILL: default: @@ -614,96 +626,37 @@ static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd) skip: audit_seccomp(this_syscall, 0, action); - return SECCOMP_PHASE1_SKIP; + return -1; +} +#else +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) +{ + BUG(); } #endif -/** - * seccomp_phase1() - run fast path seccomp checks on the current syscall - * @arg sd: The seccomp_data or NULL - * - * This only reads pt_regs via the syscall_xyz helpers. The only change - * it will make to pt_regs is via syscall_set_return_value, and it will - * only do that if it returns SECCOMP_PHASE1_SKIP. - * - * If sd is provided, it will not read pt_regs at all. - * - * It may also call do_exit or force a signal; these actions must be - * safe. - * - * If it returns SECCOMP_PHASE1_OK, the syscall passes checks and should - * be processed normally. - * - * If it returns SECCOMP_PHASE1_SKIP, then the syscall should not be - * invoked. In this case, seccomp_phase1 will have set the return value - * using syscall_set_return_value. - * - * If it returns anything else, then the return value should be passed - * to seccomp_phase2 from a context in which ptrace hooks are safe. - */ -u32 seccomp_phase1(struct seccomp_data *sd) +int __secure_computing(const struct seccomp_data *sd) { int mode = current->seccomp.mode; - int this_syscall = sd ? sd->nr : - syscall_get_nr(current, task_pt_regs(current)); + int this_syscall; if (config_enabled(CONFIG_CHECKPOINT_RESTORE) && unlikely(current->ptrace & PT_SUSPEND_SECCOMP)) - return SECCOMP_PHASE1_OK; + return 0; + + this_syscall = sd ? sd->nr : + syscall_get_nr(current, task_pt_regs(current)); switch (mode) { case SECCOMP_MODE_STRICT: __secure_computing_strict(this_syscall); /* may call do_exit */ - return SECCOMP_PHASE1_OK; -#ifdef CONFIG_SECCOMP_FILTER + return 0; case SECCOMP_MODE_FILTER: - return __seccomp_phase1_filter(this_syscall, sd); -#endif + return __seccomp_filter(this_syscall, sd); default: BUG(); } } - -/** - * seccomp_phase2() - finish slow path seccomp work for the current syscall - * @phase1_result: The return value from seccomp_phase1() - * - * This must be called from a context in which ptrace hooks can be used. - * - * Returns 0 if the syscall should be processed or -1 to skip the syscall. - */ -int seccomp_phase2(u32 phase1_result) -{ - struct pt_regs *regs = task_pt_regs(current); - u32 action = phase1_result & SECCOMP_RET_ACTION; - int data = phase1_result & SECCOMP_RET_DATA; - - BUG_ON(action != SECCOMP_RET_TRACE); - - audit_seccomp(syscall_get_nr(current, regs), 0, action); - - /* Skip these calls if there is no tracer. */ - if (!ptrace_event_enabled(current, PTRACE_EVENT_SECCOMP)) { - syscall_set_return_value(current, regs, - -ENOSYS, 0); - return -1; - } - - /* Allow the BPF to provide the event message */ - ptrace_event(PTRACE_EVENT_SECCOMP, data); - /* - * The delivery of a fatal signal during event - * notification may silently skip tracer notification. - * Terminating the task now avoids executing a system - * call that may not be intended. - */ - if (fatal_signal_pending(current)) - do_exit(SIGSYS); - if (syscall_get_nr(current, regs) < 0) - return -1; /* Explicit request to skip. */ - - return 0; -} #endif /* CONFIG_HAVE_ARCH_SECCOMP_FILTER */ long prctl_get_seccomp(void) -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 04/14] seccomp: remove 2-phase API @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-arm-kernel Since nothing is using the 2-phase API, and it adds more complexity than benefit, remove it. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@kernel.org> --- include/linux/seccomp.h | 6 --- kernel/seccomp.c | 129 +++++++++++++++--------------------------------- 2 files changed, 41 insertions(+), 94 deletions(-) diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index 9eaa7b34d6da..ecc296c137cd 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h @@ -35,12 +35,6 @@ static inline int secure_computing(const struct seccomp_data *sd) return __secure_computing(sd); return 0; } - -#define SECCOMP_PHASE1_OK 0 -#define SECCOMP_PHASE1_SKIP 1 - -extern u32 seccomp_phase1(struct seccomp_data *sd); -int seccomp_phase2(u32 phase1_result); #else extern void secure_computing_strict(int this_syscall); #endif diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 06816290a212..14a37d71b612 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -173,7 +173,7 @@ static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen) * * Returns valid seccomp BPF response codes. */ -static u32 seccomp_run_filters(struct seccomp_data *sd) +static u32 seccomp_run_filters(const struct seccomp_data *sd) { struct seccomp_data sd_local; u32 ret = SECCOMP_RET_ALLOW; @@ -554,20 +554,9 @@ void secure_computing_strict(int this_syscall) BUG(); } #else -int __secure_computing(const struct seccomp_data *sd) -{ - u32 phase1_result = seccomp_phase1(sd); - - if (likely(phase1_result == SECCOMP_PHASE1_OK)) - return 0; - else if (likely(phase1_result == SECCOMP_PHASE1_SKIP)) - return -1; - else - return seccomp_phase2(phase1_result); -} #ifdef CONFIG_SECCOMP_FILTER -static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd) +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) { u32 filter_ret, action; int data; @@ -599,10 +588,33 @@ static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd) goto skip; case SECCOMP_RET_TRACE: - return filter_ret; /* Save the rest for phase 2. */ + /* ENOSYS these calls if there is no tracer attached. */ + if (!ptrace_event_enabled(current, PTRACE_EVENT_SECCOMP)) { + syscall_set_return_value(current, + task_pt_regs(current), + -ENOSYS, 0); + goto skip; + } + + /* Allow the BPF to provide the event message */ + ptrace_event(PTRACE_EVENT_SECCOMP, data); + /* + * The delivery of a fatal signal during event + * notification may silently skip tracer notification. + * Terminating the task now avoids executing a system + * call that may not be intended. + */ + if (fatal_signal_pending(current)) + do_exit(SIGSYS); + /* Check if the tracer forced the syscall to be skipped. */ + this_syscall = syscall_get_nr(current, task_pt_regs(current)); + if (this_syscall < 0) + goto skip; + + return 0; case SECCOMP_RET_ALLOW: - return SECCOMP_PHASE1_OK; + return 0; case SECCOMP_RET_KILL: default: @@ -614,96 +626,37 @@ static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd) skip: audit_seccomp(this_syscall, 0, action); - return SECCOMP_PHASE1_SKIP; + return -1; +} +#else +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) +{ + BUG(); } #endif -/** - * seccomp_phase1() - run fast path seccomp checks on the current syscall - * @arg sd: The seccomp_data or NULL - * - * This only reads pt_regs via the syscall_xyz helpers. The only change - * it will make to pt_regs is via syscall_set_return_value, and it will - * only do that if it returns SECCOMP_PHASE1_SKIP. - * - * If sd is provided, it will not read pt_regs@all. - * - * It may also call do_exit or force a signal; these actions must be - * safe. - * - * If it returns SECCOMP_PHASE1_OK, the syscall passes checks and should - * be processed normally. - * - * If it returns SECCOMP_PHASE1_SKIP, then the syscall should not be - * invoked. In this case, seccomp_phase1 will have set the return value - * using syscall_set_return_value. - * - * If it returns anything else, then the return value should be passed - * to seccomp_phase2 from a context in which ptrace hooks are safe. - */ -u32 seccomp_phase1(struct seccomp_data *sd) +int __secure_computing(const struct seccomp_data *sd) { int mode = current->seccomp.mode; - int this_syscall = sd ? sd->nr : - syscall_get_nr(current, task_pt_regs(current)); + int this_syscall; if (config_enabled(CONFIG_CHECKPOINT_RESTORE) && unlikely(current->ptrace & PT_SUSPEND_SECCOMP)) - return SECCOMP_PHASE1_OK; + return 0; + + this_syscall = sd ? sd->nr : + syscall_get_nr(current, task_pt_regs(current)); switch (mode) { case SECCOMP_MODE_STRICT: __secure_computing_strict(this_syscall); /* may call do_exit */ - return SECCOMP_PHASE1_OK; -#ifdef CONFIG_SECCOMP_FILTER + return 0; case SECCOMP_MODE_FILTER: - return __seccomp_phase1_filter(this_syscall, sd); -#endif + return __seccomp_filter(this_syscall, sd); default: BUG(); } } - -/** - * seccomp_phase2() - finish slow path seccomp work for the current syscall - * @phase1_result: The return value from seccomp_phase1() - * - * This must be called from a context in which ptrace hooks can be used. - * - * Returns 0 if the syscall should be processed or -1 to skip the syscall. - */ -int seccomp_phase2(u32 phase1_result) -{ - struct pt_regs *regs = task_pt_regs(current); - u32 action = phase1_result & SECCOMP_RET_ACTION; - int data = phase1_result & SECCOMP_RET_DATA; - - BUG_ON(action != SECCOMP_RET_TRACE); - - audit_seccomp(syscall_get_nr(current, regs), 0, action); - - /* Skip these calls if there is no tracer. */ - if (!ptrace_event_enabled(current, PTRACE_EVENT_SECCOMP)) { - syscall_set_return_value(current, regs, - -ENOSYS, 0); - return -1; - } - - /* Allow the BPF to provide the event message */ - ptrace_event(PTRACE_EVENT_SECCOMP, data); - /* - * The delivery of a fatal signal during event - * notification may silently skip tracer notification. - * Terminating the task now avoids executing a system - * call that may not be intended. - */ - if (fatal_signal_pending(current)) - do_exit(SIGSYS); - if (syscall_get_nr(current, regs) < 0) - return -1; /* Explicit request to skip. */ - - return 0; -} #endif /* CONFIG_HAVE_ARCH_SECCOMP_FILTER */ long prctl_get_seccomp(void) -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 04/14] seccomp: remove 2-phase API @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King Since nothing is using the 2-phase API, and it adds more complexity than benefit, remove it. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@kernel.org> --- include/linux/seccomp.h | 6 --- kernel/seccomp.c | 129 +++++++++++++++--------------------------------- 2 files changed, 41 insertions(+), 94 deletions(-) diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index 9eaa7b34d6da..ecc296c137cd 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h @@ -35,12 +35,6 @@ static inline int secure_computing(const struct seccomp_data *sd) return __secure_computing(sd); return 0; } - -#define SECCOMP_PHASE1_OK 0 -#define SECCOMP_PHASE1_SKIP 1 - -extern u32 seccomp_phase1(struct seccomp_data *sd); -int seccomp_phase2(u32 phase1_result); #else extern void secure_computing_strict(int this_syscall); #endif diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 06816290a212..14a37d71b612 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -173,7 +173,7 @@ static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen) * * Returns valid seccomp BPF response codes. */ -static u32 seccomp_run_filters(struct seccomp_data *sd) +static u32 seccomp_run_filters(const struct seccomp_data *sd) { struct seccomp_data sd_local; u32 ret = SECCOMP_RET_ALLOW; @@ -554,20 +554,9 @@ void secure_computing_strict(int this_syscall) BUG(); } #else -int __secure_computing(const struct seccomp_data *sd) -{ - u32 phase1_result = seccomp_phase1(sd); - - if (likely(phase1_result == SECCOMP_PHASE1_OK)) - return 0; - else if (likely(phase1_result == SECCOMP_PHASE1_SKIP)) - return -1; - else - return seccomp_phase2(phase1_result); -} #ifdef CONFIG_SECCOMP_FILTER -static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd) +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) { u32 filter_ret, action; int data; @@ -599,10 +588,33 @@ static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd) goto skip; case SECCOMP_RET_TRACE: - return filter_ret; /* Save the rest for phase 2. */ + /* ENOSYS these calls if there is no tracer attached. */ + if (!ptrace_event_enabled(current, PTRACE_EVENT_SECCOMP)) { + syscall_set_return_value(current, + task_pt_regs(current), + -ENOSYS, 0); + goto skip; + } + + /* Allow the BPF to provide the event message */ + ptrace_event(PTRACE_EVENT_SECCOMP, data); + /* + * The delivery of a fatal signal during event + * notification may silently skip tracer notification. + * Terminating the task now avoids executing a system + * call that may not be intended. + */ + if (fatal_signal_pending(current)) + do_exit(SIGSYS); + /* Check if the tracer forced the syscall to be skipped. */ + this_syscall = syscall_get_nr(current, task_pt_regs(current)); + if (this_syscall < 0) + goto skip; + + return 0; case SECCOMP_RET_ALLOW: - return SECCOMP_PHASE1_OK; + return 0; case SECCOMP_RET_KILL: default: @@ -614,96 +626,37 @@ static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd) skip: audit_seccomp(this_syscall, 0, action); - return SECCOMP_PHASE1_SKIP; + return -1; +} +#else +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) +{ + BUG(); } #endif -/** - * seccomp_phase1() - run fast path seccomp checks on the current syscall - * @arg sd: The seccomp_data or NULL - * - * This only reads pt_regs via the syscall_xyz helpers. The only change - * it will make to pt_regs is via syscall_set_return_value, and it will - * only do that if it returns SECCOMP_PHASE1_SKIP. - * - * If sd is provided, it will not read pt_regs at all. - * - * It may also call do_exit or force a signal; these actions must be - * safe. - * - * If it returns SECCOMP_PHASE1_OK, the syscall passes checks and should - * be processed normally. - * - * If it returns SECCOMP_PHASE1_SKIP, then the syscall should not be - * invoked. In this case, seccomp_phase1 will have set the return value - * using syscall_set_return_value. - * - * If it returns anything else, then the return value should be passed - * to seccomp_phase2 from a context in which ptrace hooks are safe. - */ -u32 seccomp_phase1(struct seccomp_data *sd) +int __secure_computing(const struct seccomp_data *sd) { int mode = current->seccomp.mode; - int this_syscall = sd ? sd->nr : - syscall_get_nr(current, task_pt_regs(current)); + int this_syscall; if (config_enabled(CONFIG_CHECKPOINT_RESTORE) && unlikely(current->ptrace & PT_SUSPEND_SECCOMP)) - return SECCOMP_PHASE1_OK; + return 0; + + this_syscall = sd ? sd->nr : + syscall_get_nr(current, task_pt_regs(current)); switch (mode) { case SECCOMP_MODE_STRICT: __secure_computing_strict(this_syscall); /* may call do_exit */ - return SECCOMP_PHASE1_OK; -#ifdef CONFIG_SECCOMP_FILTER + return 0; case SECCOMP_MODE_FILTER: - return __seccomp_phase1_filter(this_syscall, sd); -#endif + return __seccomp_filter(this_syscall, sd); default: BUG(); } } - -/** - * seccomp_phase2() - finish slow path seccomp work for the current syscall - * @phase1_result: The return value from seccomp_phase1() - * - * This must be called from a context in which ptrace hooks can be used. - * - * Returns 0 if the syscall should be processed or -1 to skip the syscall. - */ -int seccomp_phase2(u32 phase1_result) -{ - struct pt_regs *regs = task_pt_regs(current); - u32 action = phase1_result & SECCOMP_RET_ACTION; - int data = phase1_result & SECCOMP_RET_DATA; - - BUG_ON(action != SECCOMP_RET_TRACE); - - audit_seccomp(syscall_get_nr(current, regs), 0, action); - - /* Skip these calls if there is no tracer. */ - if (!ptrace_event_enabled(current, PTRACE_EVENT_SECCOMP)) { - syscall_set_return_value(current, regs, - -ENOSYS, 0); - return -1; - } - - /* Allow the BPF to provide the event message */ - ptrace_event(PTRACE_EVENT_SECCOMP, data); - /* - * The delivery of a fatal signal during event - * notification may silently skip tracer notification. - * Terminating the task now avoids executing a system - * call that may not be intended. - */ - if (fatal_signal_pending(current)) - do_exit(SIGSYS); - if (syscall_get_nr(current, regs) < 0) - return -1; /* Explicit request to skip. */ - - return 0; -} #endif /* CONFIG_HAVE_ARCH_SECCOMP_FILTER */ long prctl_get_seccomp(void) -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 04/14] seccomp: remove 2-phase API @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon, x86 Since nothing is using the 2-phase API, and it adds more complexity than benefit, remove it. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@kernel.org> --- include/linux/seccomp.h | 6 --- kernel/seccomp.c | 129 +++++++++++++++--------------------------------- 2 files changed, 41 insertions(+), 94 deletions(-) diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index 9eaa7b34d6da..ecc296c137cd 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h @@ -35,12 +35,6 @@ static inline int secure_computing(const struct seccomp_data *sd) return __secure_computing(sd); return 0; } - -#define SECCOMP_PHASE1_OK 0 -#define SECCOMP_PHASE1_SKIP 1 - -extern u32 seccomp_phase1(struct seccomp_data *sd); -int seccomp_phase2(u32 phase1_result); #else extern void secure_computing_strict(int this_syscall); #endif diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 06816290a212..14a37d71b612 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -173,7 +173,7 @@ static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen) * * Returns valid seccomp BPF response codes. */ -static u32 seccomp_run_filters(struct seccomp_data *sd) +static u32 seccomp_run_filters(const struct seccomp_data *sd) { struct seccomp_data sd_local; u32 ret = SECCOMP_RET_ALLOW; @@ -554,20 +554,9 @@ void secure_computing_strict(int this_syscall) BUG(); } #else -int __secure_computing(const struct seccomp_data *sd) -{ - u32 phase1_result = seccomp_phase1(sd); - - if (likely(phase1_result == SECCOMP_PHASE1_OK)) - return 0; - else if (likely(phase1_result == SECCOMP_PHASE1_SKIP)) - return -1; - else - return seccomp_phase2(phase1_result); -} #ifdef CONFIG_SECCOMP_FILTER -static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd) +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) { u32 filter_ret, action; int data; @@ -599,10 +588,33 @@ static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd) goto skip; case SECCOMP_RET_TRACE: - return filter_ret; /* Save the rest for phase 2. */ + /* ENOSYS these calls if there is no tracer attached. */ + if (!ptrace_event_enabled(current, PTRACE_EVENT_SECCOMP)) { + syscall_set_return_value(current, + task_pt_regs(current), + -ENOSYS, 0); + goto skip; + } + + /* Allow the BPF to provide the event message */ + ptrace_event(PTRACE_EVENT_SECCOMP, data); + /* + * The delivery of a fatal signal during event + * notification may silently skip tracer notification. + * Terminating the task now avoids executing a system + * call that may not be intended. + */ + if (fatal_signal_pending(current)) + do_exit(SIGSYS); + /* Check if the tracer forced the syscall to be skipped. */ + this_syscall = syscall_get_nr(current, task_pt_regs(current)); + if (this_syscall < 0) + goto skip; + + return 0; case SECCOMP_RET_ALLOW: - return SECCOMP_PHASE1_OK; + return 0; case SECCOMP_RET_KILL: default: @@ -614,96 +626,37 @@ static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd) skip: audit_seccomp(this_syscall, 0, action); - return SECCOMP_PHASE1_SKIP; + return -1; +} +#else +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) +{ + BUG(); } #endif -/** - * seccomp_phase1() - run fast path seccomp checks on the current syscall - * @arg sd: The seccomp_data or NULL - * - * This only reads pt_regs via the syscall_xyz helpers. The only change - * it will make to pt_regs is via syscall_set_return_value, and it will - * only do that if it returns SECCOMP_PHASE1_SKIP. - * - * If sd is provided, it will not read pt_regs at all. - * - * It may also call do_exit or force a signal; these actions must be - * safe. - * - * If it returns SECCOMP_PHASE1_OK, the syscall passes checks and should - * be processed normally. - * - * If it returns SECCOMP_PHASE1_SKIP, then the syscall should not be - * invoked. In this case, seccomp_phase1 will have set the return value - * using syscall_set_return_value. - * - * If it returns anything else, then the return value should be passed - * to seccomp_phase2 from a context in which ptrace hooks are safe. - */ -u32 seccomp_phase1(struct seccomp_data *sd) +int __secure_computing(const struct seccomp_data *sd) { int mode = current->seccomp.mode; - int this_syscall = sd ? sd->nr : - syscall_get_nr(current, task_pt_regs(current)); + int this_syscall; if (config_enabled(CONFIG_CHECKPOINT_RESTORE) && unlikely(current->ptrace & PT_SUSPEND_SECCOMP)) - return SECCOMP_PHASE1_OK; + return 0; + + this_syscall = sd ? sd->nr : + syscall_get_nr(current, task_pt_regs(current)); switch (mode) { case SECCOMP_MODE_STRICT: __secure_computing_strict(this_syscall); /* may call do_exit */ - return SECCOMP_PHASE1_OK; -#ifdef CONFIG_SECCOMP_FILTER + return 0; case SECCOMP_MODE_FILTER: - return __seccomp_phase1_filter(this_syscall, sd); -#endif + return __seccomp_filter(this_syscall, sd); default: BUG(); } } - -/** - * seccomp_phase2() - finish slow path seccomp work for the current syscall - * @phase1_result: The return value from seccomp_phase1() - * - * This must be called from a context in which ptrace hooks can be used. - * - * Returns 0 if the syscall should be processed or -1 to skip the syscall. - */ -int seccomp_phase2(u32 phase1_result) -{ - struct pt_regs *regs = task_pt_regs(current); - u32 action = phase1_result & SECCOMP_RET_ACTION; - int data = phase1_result & SECCOMP_RET_DATA; - - BUG_ON(action != SECCOMP_RET_TRACE); - - audit_seccomp(syscall_get_nr(current, regs), 0, action); - - /* Skip these calls if there is no tracer. */ - if (!ptrace_event_enabled(current, PTRACE_EVENT_SECCOMP)) { - syscall_set_return_value(current, regs, - -ENOSYS, 0); - return -1; - } - - /* Allow the BPF to provide the event message */ - ptrace_event(PTRACE_EVENT_SECCOMP, data); - /* - * The delivery of a fatal signal during event - * notification may silently skip tracer notification. - * Terminating the task now avoids executing a system - * call that may not be intended. - */ - if (fatal_signal_pending(current)) - do_exit(SIGSYS); - if (syscall_get_nr(current, regs) < 0) - return -1; /* Explicit request to skip. */ - - return 0; -} #endif /* CONFIG_HAVE_ARCH_SECCOMP_FILTER */ long prctl_get_seccomp(void) -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 05/14] seccomp: recheck the syscall after RET_TRACE 2016-06-09 21:01 ` Kees Cook (?) (?) @ 2016-06-09 21:01 ` Kees Cook -1 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King When RET_TRACE triggers, a tracer may change a syscall into something that should be filtered by seccomp. This re-runs seccomp after a trace event to make sure things continue to pass. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@kernel.org> --- kernel/seccomp.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 14a37d71b612..54d15eb2b701 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -556,7 +556,8 @@ void secure_computing_strict(int this_syscall) #else #ifdef CONFIG_SECCOMP_FILTER -static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, + const bool recheck_after_trace) { u32 filter_ret, action; int data; @@ -588,6 +589,10 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) goto skip; case SECCOMP_RET_TRACE: + /* We've been put in this state by the ptracer already. */ + if (recheck_after_trace) + return 0; + /* ENOSYS these calls if there is no tracer attached. */ if (!ptrace_event_enabled(current, PTRACE_EVENT_SECCOMP)) { syscall_set_return_value(current, @@ -611,6 +616,15 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) if (this_syscall < 0) goto skip; + /* + * Recheck the syscall, since it may have changed. This + * intentionally uses a NULL struct seccomp_data to force + * a reload of all registers. This does not goto skip since + * a skip would have already been reported. + */ + if (__seccomp_filter(this_syscall, NULL, true)) + return -1; + return 0; case SECCOMP_RET_ALLOW: @@ -629,7 +643,8 @@ skip: return -1; } #else -static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, + const bool recheck_after_trace) { BUG(); } @@ -652,7 +667,7 @@ int __secure_computing(const struct seccomp_data *sd) __secure_computing_strict(this_syscall); /* may call do_exit */ return 0; case SECCOMP_MODE_FILTER: - return __seccomp_filter(this_syscall, sd); + return __seccomp_filter(this_syscall, sd, false); default: BUG(); } -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 05/14] seccomp: recheck the syscall after RET_TRACE @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-arm-kernel When RET_TRACE triggers, a tracer may change a syscall into something that should be filtered by seccomp. This re-runs seccomp after a trace event to make sure things continue to pass. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@kernel.org> --- kernel/seccomp.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 14a37d71b612..54d15eb2b701 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -556,7 +556,8 @@ void secure_computing_strict(int this_syscall) #else #ifdef CONFIG_SECCOMP_FILTER -static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, + const bool recheck_after_trace) { u32 filter_ret, action; int data; @@ -588,6 +589,10 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) goto skip; case SECCOMP_RET_TRACE: + /* We've been put in this state by the ptracer already. */ + if (recheck_after_trace) + return 0; + /* ENOSYS these calls if there is no tracer attached. */ if (!ptrace_event_enabled(current, PTRACE_EVENT_SECCOMP)) { syscall_set_return_value(current, @@ -611,6 +616,15 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) if (this_syscall < 0) goto skip; + /* + * Recheck the syscall, since it may have changed. This + * intentionally uses a NULL struct seccomp_data to force + * a reload of all registers. This does not goto skip since + * a skip would have already been reported. + */ + if (__seccomp_filter(this_syscall, NULL, true)) + return -1; + return 0; case SECCOMP_RET_ALLOW: @@ -629,7 +643,8 @@ skip: return -1; } #else -static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, + const bool recheck_after_trace) { BUG(); } @@ -652,7 +667,7 @@ int __secure_computing(const struct seccomp_data *sd) __secure_computing_strict(this_syscall); /* may call do_exit */ return 0; case SECCOMP_MODE_FILTER: - return __seccomp_filter(this_syscall, sd); + return __seccomp_filter(this_syscall, sd, false); default: BUG(); } -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 05/14] seccomp: recheck the syscall after RET_TRACE @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King When RET_TRACE triggers, a tracer may change a syscall into something that should be filtered by seccomp. This re-runs seccomp after a trace event to make sure things continue to pass. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@kernel.org> --- kernel/seccomp.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 14a37d71b612..54d15eb2b701 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -556,7 +556,8 @@ void secure_computing_strict(int this_syscall) #else #ifdef CONFIG_SECCOMP_FILTER -static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, + const bool recheck_after_trace) { u32 filter_ret, action; int data; @@ -588,6 +589,10 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) goto skip; case SECCOMP_RET_TRACE: + /* We've been put in this state by the ptracer already. */ + if (recheck_after_trace) + return 0; + /* ENOSYS these calls if there is no tracer attached. */ if (!ptrace_event_enabled(current, PTRACE_EVENT_SECCOMP)) { syscall_set_return_value(current, @@ -611,6 +616,15 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) if (this_syscall < 0) goto skip; + /* + * Recheck the syscall, since it may have changed. This + * intentionally uses a NULL struct seccomp_data to force + * a reload of all registers. This does not goto skip since + * a skip would have already been reported. + */ + if (__seccomp_filter(this_syscall, NULL, true)) + return -1; + return 0; case SECCOMP_RET_ALLOW: @@ -629,7 +643,8 @@ skip: return -1; } #else -static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, + const bool recheck_after_trace) { BUG(); } @@ -652,7 +667,7 @@ int __secure_computing(const struct seccomp_data *sd) __secure_computing_strict(this_syscall); /* may call do_exit */ return 0; case SECCOMP_MODE_FILTER: - return __seccomp_filter(this_syscall, sd); + return __seccomp_filter(this_syscall, sd, false); default: BUG(); } -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 05/14] seccomp: recheck the syscall after RET_TRACE @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon, x86 When RET_TRACE triggers, a tracer may change a syscall into something that should be filtered by seccomp. This re-runs seccomp after a trace event to make sure things continue to pass. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@kernel.org> --- kernel/seccomp.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 14a37d71b612..54d15eb2b701 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -556,7 +556,8 @@ void secure_computing_strict(int this_syscall) #else #ifdef CONFIG_SECCOMP_FILTER -static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, + const bool recheck_after_trace) { u32 filter_ret, action; int data; @@ -588,6 +589,10 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) goto skip; case SECCOMP_RET_TRACE: + /* We've been put in this state by the ptracer already. */ + if (recheck_after_trace) + return 0; + /* ENOSYS these calls if there is no tracer attached. */ if (!ptrace_event_enabled(current, PTRACE_EVENT_SECCOMP)) { syscall_set_return_value(current, @@ -611,6 +616,15 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) if (this_syscall < 0) goto skip; + /* + * Recheck the syscall, since it may have changed. This + * intentionally uses a NULL struct seccomp_data to force + * a reload of all registers. This does not goto skip since + * a skip would have already been reported. + */ + if (__seccomp_filter(this_syscall, NULL, true)) + return -1; + return 0; case SECCOMP_RET_ALLOW: @@ -629,7 +643,8 @@ skip: return -1; } #else -static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, + const bool recheck_after_trace) { BUG(); } @@ -652,7 +667,7 @@ int __secure_computing(const struct seccomp_data *sd) __secure_computing_strict(this_syscall); /* may call do_exit */ return 0; case SECCOMP_MODE_FILTER: - return __seccomp_filter(this_syscall, sd); + return __seccomp_filter(this_syscall, sd, false); default: BUG(); } -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* Re: [PATCH 05/14] seccomp: recheck the syscall after RET_TRACE 2016-06-09 21:01 ` Kees Cook ` (2 preceding siblings ...) (?) @ 2016-06-09 22:46 ` Andy Lutomirski -1 siblings, 0 replies; 96+ messages in thread From: Andy Lutomirski @ 2016-06-09 22:46 UTC (permalink / raw) To: Kees Cook Cc: linux-kernel, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, Linux MIPS Mailing List, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: > When RET_TRACE triggers, a tracer may change a syscall into something that > should be filtered by seccomp. This re-runs seccomp after a trace event > to make sure things continue to pass. > > Signed-off-by: Kees Cook <keescook@chromium.org> > Cc: Andy Lutomirski <luto@kernel.org> > --- > kernel/seccomp.c | 21 ++++++++++++++++++--- > 1 file changed, 18 insertions(+), 3 deletions(-) > > diff --git a/kernel/seccomp.c b/kernel/seccomp.c > index 14a37d71b612..54d15eb2b701 100644 > --- a/kernel/seccomp.c > +++ b/kernel/seccomp.c > @@ -556,7 +556,8 @@ void secure_computing_strict(int this_syscall) > #else > > #ifdef CONFIG_SECCOMP_FILTER > -static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) > +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, > + const bool recheck_after_trace) This patch looks good with one minor nit: I read this as "pass true if you want to recheck after trace", which is exactly the opposite of how it works. --Andy ^ permalink raw reply [flat|nested] 96+ messages in thread
* [PATCH 05/14] seccomp: recheck the syscall after RET_TRACE @ 2016-06-09 22:46 ` Andy Lutomirski 0 siblings, 0 replies; 96+ messages in thread From: Andy Lutomirski @ 2016-06-09 22:46 UTC (permalink / raw) To: linux-arm-kernel On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: > When RET_TRACE triggers, a tracer may change a syscall into something that > should be filtered by seccomp. This re-runs seccomp after a trace event > to make sure things continue to pass. > > Signed-off-by: Kees Cook <keescook@chromium.org> > Cc: Andy Lutomirski <luto@kernel.org> > --- > kernel/seccomp.c | 21 ++++++++++++++++++--- > 1 file changed, 18 insertions(+), 3 deletions(-) > > diff --git a/kernel/seccomp.c b/kernel/seccomp.c > index 14a37d71b612..54d15eb2b701 100644 > --- a/kernel/seccomp.c > +++ b/kernel/seccomp.c > @@ -556,7 +556,8 @@ void secure_computing_strict(int this_syscall) > #else > > #ifdef CONFIG_SECCOMP_FILTER > -static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) > +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, > + const bool recheck_after_trace) This patch looks good with one minor nit: I read this as "pass true if you want to recheck after trace", which is exactly the opposite of how it works. --Andy ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [PATCH 05/14] seccomp: recheck the syscall after RET_TRACE @ 2016-06-09 22:46 ` Andy Lutomirski 0 siblings, 0 replies; 96+ messages in thread From: Andy Lutomirski @ 2016-06-09 22:46 UTC (permalink / raw) To: Kees Cook Cc: linux-kernel, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, Linux MIPS Mailing List, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon, X86 ML On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: > When RET_TRACE triggers, a tracer may change a syscall into something that > should be filtered by seccomp. This re-runs seccomp after a trace event > to make sure things continue to pass. > > Signed-off-by: Kees Cook <keescook@chromium.org> > Cc: Andy Lutomirski <luto@kernel.org> > --- > kernel/seccomp.c | 21 ++++++++++++++++++--- > 1 file changed, 18 insertions(+), 3 deletions(-) > > diff --git a/kernel/seccomp.c b/kernel/seccomp.c > index 14a37d71b612..54d15eb2b701 100644 > --- a/kernel/seccomp.c > +++ b/kernel/seccomp.c > @@ -556,7 +556,8 @@ void secure_computing_strict(int this_syscall) > #else > > #ifdef CONFIG_SECCOMP_FILTER > -static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) > +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, > + const bool recheck_after_trace) This patch looks good with one minor nit: I read this as "pass true if you want to recheck after trace", which is exactly the opposite of how it works. --Andy ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [PATCH 05/14] seccomp: recheck the syscall after RET_TRACE @ 2016-06-09 22:46 ` Andy Lutomirski 0 siblings, 0 replies; 96+ messages in thread From: Andy Lutomirski @ 2016-06-09 22:46 UTC (permalink / raw) To: Kees Cook Cc: linux-kernel, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, Linux MIPS Mailing List, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: > When RET_TRACE triggers, a tracer may change a syscall into something that > should be filtered by seccomp. This re-runs seccomp after a trace event > to make sure things continue to pass. > > Signed-off-by: Kees Cook <keescook@chromium.org> > Cc: Andy Lutomirski <luto@kernel.org> > --- > kernel/seccomp.c | 21 ++++++++++++++++++--- > 1 file changed, 18 insertions(+), 3 deletions(-) > > diff --git a/kernel/seccomp.c b/kernel/seccomp.c > index 14a37d71b612..54d15eb2b701 100644 > --- a/kernel/seccomp.c > +++ b/kernel/seccomp.c > @@ -556,7 +556,8 @@ void secure_computing_strict(int this_syscall) > #else > > #ifdef CONFIG_SECCOMP_FILTER > -static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) > +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, > + const bool recheck_after_trace) This patch looks good with one minor nit: I read this as "pass true if you want to recheck after trace", which is exactly the opposite of how it works. --Andy ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [PATCH 05/14] seccomp: recheck the syscall after RET_TRACE @ 2016-06-09 22:46 ` Andy Lutomirski 0 siblings, 0 replies; 96+ messages in thread From: Andy Lutomirski @ 2016-06-09 22:46 UTC (permalink / raw) To: Kees Cook Cc: linux-kernel, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, Linux MIPS Mailing List, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon, X86 ML On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: > When RET_TRACE triggers, a tracer may change a syscall into something that > should be filtered by seccomp. This re-runs seccomp after a trace event > to make sure things continue to pass. > > Signed-off-by: Kees Cook <keescook@chromium.org> > Cc: Andy Lutomirski <luto@kernel.org> > --- > kernel/seccomp.c | 21 ++++++++++++++++++--- > 1 file changed, 18 insertions(+), 3 deletions(-) > > diff --git a/kernel/seccomp.c b/kernel/seccomp.c > index 14a37d71b612..54d15eb2b701 100644 > --- a/kernel/seccomp.c > +++ b/kernel/seccomp.c > @@ -556,7 +556,8 @@ void secure_computing_strict(int this_syscall) > #else > > #ifdef CONFIG_SECCOMP_FILTER > -static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd) > +static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, > + const bool recheck_after_trace) This patch looks good with one minor nit: I read this as "pass true if you want to recheck after trace", which is exactly the opposite of how it works. --Andy ^ permalink raw reply [flat|nested] 96+ messages in thread
* [PATCH 06/14] x86/ptrace: run seccomp after ptrace 2016-06-09 21:01 ` Kees Cook ` (2 preceding siblings ...) (?) @ 2016-06-09 21:01 ` Kees Cook -1 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Mark Rutland, linux-mips, Benjamin Herrenschmidt, Heiko Carstens, Russell King, Paul Mackerras, Kees Cook, linux-arch, linux-s390, Michael Ellerman, Helge Deller, x86, James E.J. Bottomley, Catalin Marinas, James Hogan, Chris Metcalf, user-mode-linux-devel, Will Deacon, Jeff Dike, Andy Lutomirski, linux-arm-kernel, linux-parisc, Ralf Baechle, Richard Weinberger, Martin This moves seccomp after ptrace on x86 to that seccomp can catch changes made by ptrace. Emulation should skip the rest of processing too. We can get rid of test_thread_flag because there's no longer any opportunity for seccomp to mess with ptrace state before invoking ptrace. Suggested-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> Cc: x86@kernel.org Cc: Andy Lutomirski <luto@kernel.org> --- arch/x86/entry/common.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index df56ca394877..81c0e12d831c 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) struct thread_info *ti = pt_regs_to_thread_info(regs); unsigned long ret = 0; + bool emulated = false; u32 work; if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; + if (unlikely(work & _TIF_SYSCALL_EMU)) + emulated = true; + + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && + tracehook_report_syscall_entry(regs)) + return -1L; + + if (emulated) + return -1L; + #ifdef CONFIG_SECCOMP /* - * Do seccomp first -- it should minimize exposure of other - * code, and keeping seccomp fast is probably more valuable - * than the rest of this. + * Do seccomp after ptrace, to catch any tracer changes. */ if (work & _TIF_SECCOMP) { struct seccomp_data sd; @@ -117,13 +126,6 @@ static long syscall_trace_enter(struct pt_regs *regs) } #endif - if (unlikely(work & _TIF_SYSCALL_EMU)) - ret = -1L; - - if ((ret || test_thread_flag(TIF_SYSCALL_TRACE)) && - tracehook_report_syscall_entry(regs)) - ret = -1L; - if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) trace_sys_enter(regs, regs->orig_ax); -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 06/14] x86/ptrace: run seccomp after ptrace @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Mark Rutland, linux-mips, Benjamin Herrenschmidt, Heiko Carstens, Russell King, Paul Mackerras, Kees Cook, linux-arch, linux-s390, Michael Ellerman, Helge Deller, x86, James E.J. Bottomley, Catalin Marinas, James Hogan, Chris Metcalf, user-mode-linux-devel, Will Deacon, Jeff Dike, Andy Lutomirski, linux-arm-kernel, linux-parisc, Ralf Baechle, Richard Weinberger, Martin Schwidefsky, Maciej W. Rozycki, linuxppc-dev This moves seccomp after ptrace on x86 to that seccomp can catch changes made by ptrace. Emulation should skip the rest of processing too. We can get rid of test_thread_flag because there's no longer any opportunity for seccomp to mess with ptrace state before invoking ptrace. Suggested-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> Cc: x86@kernel.org Cc: Andy Lutomirski <luto@kernel.org> --- arch/x86/entry/common.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index df56ca394877..81c0e12d831c 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) struct thread_info *ti = pt_regs_to_thread_info(regs); unsigned long ret = 0; + bool emulated = false; u32 work; if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; + if (unlikely(work & _TIF_SYSCALL_EMU)) + emulated = true; + + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && + tracehook_report_syscall_entry(regs)) + return -1L; + + if (emulated) + return -1L; + #ifdef CONFIG_SECCOMP /* - * Do seccomp first -- it should minimize exposure of other - * code, and keeping seccomp fast is probably more valuable - * than the rest of this. + * Do seccomp after ptrace, to catch any tracer changes. */ if (work & _TIF_SECCOMP) { struct seccomp_data sd; @@ -117,13 +126,6 @@ static long syscall_trace_enter(struct pt_regs *regs) } #endif - if (unlikely(work & _TIF_SYSCALL_EMU)) - ret = -1L; - - if ((ret || test_thread_flag(TIF_SYSCALL_TRACE)) && - tracehook_report_syscall_entry(regs)) - ret = -1L; - if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) trace_sys_enter(regs, regs->orig_ax); -- 2.7.4 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 06/14] x86/ptrace: run seccomp after ptrace @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-arm-kernel This moves seccomp after ptrace on x86 to that seccomp can catch changes made by ptrace. Emulation should skip the rest of processing too. We can get rid of test_thread_flag because there's no longer any opportunity for seccomp to mess with ptrace state before invoking ptrace. Suggested-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> Cc: x86 at kernel.org Cc: Andy Lutomirski <luto@kernel.org> --- arch/x86/entry/common.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index df56ca394877..81c0e12d831c 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) struct thread_info *ti = pt_regs_to_thread_info(regs); unsigned long ret = 0; + bool emulated = false; u32 work; if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; + if (unlikely(work & _TIF_SYSCALL_EMU)) + emulated = true; + + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && + tracehook_report_syscall_entry(regs)) + return -1L; + + if (emulated) + return -1L; + #ifdef CONFIG_SECCOMP /* - * Do seccomp first -- it should minimize exposure of other - * code, and keeping seccomp fast is probably more valuable - * than the rest of this. + * Do seccomp after ptrace, to catch any tracer changes. */ if (work & _TIF_SECCOMP) { struct seccomp_data sd; @@ -117,13 +126,6 @@ static long syscall_trace_enter(struct pt_regs *regs) } #endif - if (unlikely(work & _TIF_SYSCALL_EMU)) - ret = -1L; - - if ((ret || test_thread_flag(TIF_SYSCALL_TRACE)) && - tracehook_report_syscall_entry(regs)) - ret = -1L; - if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) trace_sys_enter(regs, regs->orig_ax); -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 06/14] x86/ptrace: run seccomp after ptrace @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Mark Rutland, linux-mips, Benjamin Herrenschmidt, Heiko Carstens, Russell King, Paul Mackerras, Kees Cook, linux-arch, linux-s390, Michael Ellerman, Helge Deller, x86, James E.J. Bottomley, Catalin Marinas, James Hogan, Chris Metcalf, user-mode-linux-devel, Will Deacon, Jeff Dike, Andy Lutomirski, linux-arm-kernel, linux-parisc, Ralf Baechle, Richard Weinberger, Martin This moves seccomp after ptrace on x86 to that seccomp can catch changes made by ptrace. Emulation should skip the rest of processing too. We can get rid of test_thread_flag because there's no longer any opportunity for seccomp to mess with ptrace state before invoking ptrace. Suggested-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> Cc: x86@kernel.org Cc: Andy Lutomirski <luto@kernel.org> --- arch/x86/entry/common.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index df56ca394877..81c0e12d831c 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) struct thread_info *ti = pt_regs_to_thread_info(regs); unsigned long ret = 0; + bool emulated = false; u32 work; if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; + if (unlikely(work & _TIF_SYSCALL_EMU)) + emulated = true; + + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && + tracehook_report_syscall_entry(regs)) + return -1L; + + if (emulated) + return -1L; + #ifdef CONFIG_SECCOMP /* - * Do seccomp first -- it should minimize exposure of other - * code, and keeping seccomp fast is probably more valuable - * than the rest of this. + * Do seccomp after ptrace, to catch any tracer changes. */ if (work & _TIF_SECCOMP) { struct seccomp_data sd; @@ -117,13 +126,6 @@ static long syscall_trace_enter(struct pt_regs *regs) } #endif - if (unlikely(work & _TIF_SYSCALL_EMU)) - ret = -1L; - - if ((ret || test_thread_flag(TIF_SYSCALL_TRACE)) && - tracehook_report_syscall_entry(regs)) - ret = -1L; - if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) trace_sys_enter(regs, regs->orig_ax); -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 06/14] x86/ptrace: run seccomp after ptrace @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, x86, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon This moves seccomp after ptrace on x86 to that seccomp can catch changes made by ptrace. Emulation should skip the rest of processing too. We can get rid of test_thread_flag because there's no longer any opportunity for seccomp to mess with ptrace state before invoking ptrace. Suggested-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> Cc: x86@kernel.org Cc: Andy Lutomirski <luto@kernel.org> --- arch/x86/entry/common.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index df56ca394877..81c0e12d831c 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) struct thread_info *ti = pt_regs_to_thread_info(regs); unsigned long ret = 0; + bool emulated = false; u32 work; if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; + if (unlikely(work & _TIF_SYSCALL_EMU)) + emulated = true; + + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && + tracehook_report_syscall_entry(regs)) + return -1L; + + if (emulated) + return -1L; + #ifdef CONFIG_SECCOMP /* - * Do seccomp first -- it should minimize exposure of other - * code, and keeping seccomp fast is probably more valuable - * than the rest of this. + * Do seccomp after ptrace, to catch any tracer changes. */ if (work & _TIF_SECCOMP) { struct seccomp_data sd; @@ -117,13 +126,6 @@ static long syscall_trace_enter(struct pt_regs *regs) } #endif - if (unlikely(work & _TIF_SYSCALL_EMU)) - ret = -1L; - - if ((ret || test_thread_flag(TIF_SYSCALL_TRACE)) && - tracehook_report_syscall_entry(regs)) - ret = -1L; - if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) trace_sys_enter(regs, regs->orig_ax); -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* Re: [PATCH 06/14] x86/ptrace: run seccomp after ptrace 2016-06-09 21:01 ` Kees Cook ` (2 preceding siblings ...) (?) @ 2016-06-09 22:52 ` Andy Lutomirski -1 siblings, 0 replies; 96+ messages in thread From: Andy Lutomirski @ 2016-06-09 22:52 UTC (permalink / raw) To: Kees Cook Cc: linux-kernel, X86 ML, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, Linux MIPS Mailing List, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: > This moves seccomp after ptrace on x86 to that seccomp can catch changes > made by ptrace. Emulation should skip the rest of processing too. > > We can get rid of test_thread_flag because there's no longer any > opportunity for seccomp to mess with ptrace state before invoking > ptrace. > > Suggested-by: Andy Lutomirski <luto@kernel.org> > Signed-off-by: Kees Cook <keescook@chromium.org> > Cc: x86@kernel.org > Cc: Andy Lutomirski <luto@kernel.org> > --- > arch/x86/entry/common.c | 22 ++++++++++++---------- > 1 file changed, 12 insertions(+), 10 deletions(-) > > diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c > index df56ca394877..81c0e12d831c 100644 > --- a/arch/x86/entry/common.c > +++ b/arch/x86/entry/common.c > @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) > > struct thread_info *ti = pt_regs_to_thread_info(regs); > unsigned long ret = 0; > + bool emulated = false; > u32 work; > > if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) > @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) > > work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; > > + if (unlikely(work & _TIF_SYSCALL_EMU)) > + emulated = true; > + > + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && > + tracehook_report_syscall_entry(regs)) > + return -1L; > + > + if (emulated) > + return -1L; > + I think that this code will result in ptrace-induced skips calling the audit exit hook but not the audit entry hook. I don't know whether this is a problem. It's also worth making sure that ptracing a seccomp-skipped syscall calls the exit hook with the right regs. I suspect it's fine, but I want to think about it a little bit more. --Andy ^ permalink raw reply [flat|nested] 96+ messages in thread
* [PATCH 06/14] x86/ptrace: run seccomp after ptrace @ 2016-06-09 22:52 ` Andy Lutomirski 0 siblings, 0 replies; 96+ messages in thread From: Andy Lutomirski @ 2016-06-09 22:52 UTC (permalink / raw) To: linux-arm-kernel On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: > This moves seccomp after ptrace on x86 to that seccomp can catch changes > made by ptrace. Emulation should skip the rest of processing too. > > We can get rid of test_thread_flag because there's no longer any > opportunity for seccomp to mess with ptrace state before invoking > ptrace. > > Suggested-by: Andy Lutomirski <luto@kernel.org> > Signed-off-by: Kees Cook <keescook@chromium.org> > Cc: x86 at kernel.org > Cc: Andy Lutomirski <luto@kernel.org> > --- > arch/x86/entry/common.c | 22 ++++++++++++---------- > 1 file changed, 12 insertions(+), 10 deletions(-) > > diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c > index df56ca394877..81c0e12d831c 100644 > --- a/arch/x86/entry/common.c > +++ b/arch/x86/entry/common.c > @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) > > struct thread_info *ti = pt_regs_to_thread_info(regs); > unsigned long ret = 0; > + bool emulated = false; > u32 work; > > if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) > @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) > > work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; > > + if (unlikely(work & _TIF_SYSCALL_EMU)) > + emulated = true; > + > + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && > + tracehook_report_syscall_entry(regs)) > + return -1L; > + > + if (emulated) > + return -1L; > + I think that this code will result in ptrace-induced skips calling the audit exit hook but not the audit entry hook. I don't know whether this is a problem. It's also worth making sure that ptracing a seccomp-skipped syscall calls the exit hook with the right regs. I suspect it's fine, but I want to think about it a little bit more. --Andy ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [PATCH 06/14] x86/ptrace: run seccomp after ptrace @ 2016-06-09 22:52 ` Andy Lutomirski 0 siblings, 0 replies; 96+ messages in thread From: Andy Lutomirski @ 2016-06-09 22:52 UTC (permalink / raw) To: Kees Cook Cc: linux-kernel, X86 ML, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, Linux MIPS Mailing List, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: > This moves seccomp after ptrace on x86 to that seccomp can catch changes > made by ptrace. Emulation should skip the rest of processing too. > > We can get rid of test_thread_flag because there's no longer any > opportunity for seccomp to mess with ptrace state before invoking > ptrace. > > Suggested-by: Andy Lutomirski <luto@kernel.org> > Signed-off-by: Kees Cook <keescook@chromium.org> > Cc: x86@kernel.org > Cc: Andy Lutomirski <luto@kernel.org> > --- > arch/x86/entry/common.c | 22 ++++++++++++---------- > 1 file changed, 12 insertions(+), 10 deletions(-) > > diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c > index df56ca394877..81c0e12d831c 100644 > --- a/arch/x86/entry/common.c > +++ b/arch/x86/entry/common.c > @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) > > struct thread_info *ti = pt_regs_to_thread_info(regs); > unsigned long ret = 0; > + bool emulated = false; > u32 work; > > if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) > @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) > > work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; > > + if (unlikely(work & _TIF_SYSCALL_EMU)) > + emulated = true; > + > + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && > + tracehook_report_syscall_entry(regs)) > + return -1L; > + > + if (emulated) > + return -1L; > + I think that this code will result in ptrace-induced skips calling the audit exit hook but not the audit entry hook. I don't know whether this is a problem. It's also worth making sure that ptracing a seccomp-skipped syscall calls the exit hook with the right regs. I suspect it's fine, but I want to think about it a little bit more. --Andy ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [PATCH 06/14] x86/ptrace: run seccomp after ptrace @ 2016-06-09 22:52 ` Andy Lutomirski 0 siblings, 0 replies; 96+ messages in thread From: Andy Lutomirski @ 2016-06-09 22:52 UTC (permalink / raw) To: Kees Cook Cc: linux-kernel, X86 ML, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, Linux MIPS Mailing List, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: > This moves seccomp after ptrace on x86 to that seccomp can catch changes > made by ptrace. Emulation should skip the rest of processing too. > > We can get rid of test_thread_flag because there's no longer any > opportunity for seccomp to mess with ptrace state before invoking > ptrace. > > Suggested-by: Andy Lutomirski <luto@kernel.org> > Signed-off-by: Kees Cook <keescook@chromium.org> > Cc: x86@kernel.org > Cc: Andy Lutomirski <luto@kernel.org> > --- > arch/x86/entry/common.c | 22 ++++++++++++---------- > 1 file changed, 12 insertions(+), 10 deletions(-) > > diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c > index df56ca394877..81c0e12d831c 100644 > --- a/arch/x86/entry/common.c > +++ b/arch/x86/entry/common.c > @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) > > struct thread_info *ti = pt_regs_to_thread_info(regs); > unsigned long ret = 0; > + bool emulated = false; > u32 work; > > if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) > @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) > > work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; > > + if (unlikely(work & _TIF_SYSCALL_EMU)) > + emulated = true; > + > + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && > + tracehook_report_syscall_entry(regs)) > + return -1L; > + > + if (emulated) > + return -1L; > + I think that this code will result in ptrace-induced skips calling the audit exit hook but not the audit entry hook. I don't know whether this is a problem. It's also worth making sure that ptracing a seccomp-skipped syscall calls the exit hook with the right regs. I suspect it's fine, but I want to think about it a little bit more. --Andy ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [PATCH 06/14] x86/ptrace: run seccomp after ptrace @ 2016-06-09 22:52 ` Andy Lutomirski 0 siblings, 0 replies; 96+ messages in thread From: Andy Lutomirski @ 2016-06-09 22:52 UTC (permalink / raw) To: Kees Cook Cc: linux-kernel, X86 ML, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, Linux MIPS Mailing List, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: > This moves seccomp after ptrace on x86 to that seccomp can catch changes > made by ptrace. Emulation should skip the rest of processing too. > > We can get rid of test_thread_flag because there's no longer any > opportunity for seccomp to mess with ptrace state before invoking > ptrace. > > Suggested-by: Andy Lutomirski <luto@kernel.org> > Signed-off-by: Kees Cook <keescook@chromium.org> > Cc: x86@kernel.org > Cc: Andy Lutomirski <luto@kernel.org> > --- > arch/x86/entry/common.c | 22 ++++++++++++---------- > 1 file changed, 12 insertions(+), 10 deletions(-) > > diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c > index df56ca394877..81c0e12d831c 100644 > --- a/arch/x86/entry/common.c > +++ b/arch/x86/entry/common.c > @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) > > struct thread_info *ti = pt_regs_to_thread_info(regs); > unsigned long ret = 0; > + bool emulated = false; > u32 work; > > if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) > @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) > > work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; > > + if (unlikely(work & _TIF_SYSCALL_EMU)) > + emulated = true; > + > + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && > + tracehook_report_syscall_entry(regs)) > + return -1L; > + > + if (emulated) > + return -1L; > + I think that this code will result in ptrace-induced skips calling the audit exit hook but not the audit entry hook. I don't know whether this is a problem. It's also worth making sure that ptracing a seccomp-skipped syscall calls the exit hook with the right regs. I suspect it's fine, but I want to think about it a little bit more. --Andy ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [PATCH 06/14] x86/ptrace: run seccomp after ptrace 2016-06-09 22:52 ` Andy Lutomirski ` (2 preceding siblings ...) (?) @ 2016-06-10 2:01 ` Kees Cook -1 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-10 2:01 UTC (permalink / raw) To: Andy Lutomirski Cc: linux-kernel, X86 ML, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, Linux MIPS Mailing List, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin On Thu, Jun 9, 2016 at 3:52 PM, Andy Lutomirski <luto@amacapital.net> wrote: > On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: >> This moves seccomp after ptrace on x86 to that seccomp can catch changes >> made by ptrace. Emulation should skip the rest of processing too. >> >> We can get rid of test_thread_flag because there's no longer any >> opportunity for seccomp to mess with ptrace state before invoking >> ptrace. >> >> Suggested-by: Andy Lutomirski <luto@kernel.org> >> Signed-off-by: Kees Cook <keescook@chromium.org> >> Cc: x86@kernel.org >> Cc: Andy Lutomirski <luto@kernel.org> >> --- >> arch/x86/entry/common.c | 22 ++++++++++++---------- >> 1 file changed, 12 insertions(+), 10 deletions(-) >> >> diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c >> index df56ca394877..81c0e12d831c 100644 >> --- a/arch/x86/entry/common.c >> +++ b/arch/x86/entry/common.c >> @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> struct thread_info *ti = pt_regs_to_thread_info(regs); >> unsigned long ret = 0; >> + bool emulated = false; >> u32 work; >> >> if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) >> @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; >> >> + if (unlikely(work & _TIF_SYSCALL_EMU)) >> + emulated = true; >> + >> + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && >> + tracehook_report_syscall_entry(regs)) >> + return -1L; >> + >> + if (emulated) >> + return -1L; >> + > > I think that this code will result in ptrace-induced skips calling the > audit exit hook but not the audit entry hook. I don't know whether > this is a problem. It's also worth making sure that ptracing a > seccomp-skipped syscall calls the exit hook with the right regs. > > I suspect it's fine, but I want to think about it a little bit more. I don't think this is true, since all architectures already needed to handle an immediate return from seccomp, so audit shouldn't be touched on the exit path either. -Kees -- Kees Cook Chrome OS & Brillo Security ^ permalink raw reply [flat|nested] 96+ messages in thread
* [PATCH 06/14] x86/ptrace: run seccomp after ptrace @ 2016-06-10 2:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-10 2:01 UTC (permalink / raw) To: linux-arm-kernel On Thu, Jun 9, 2016 at 3:52 PM, Andy Lutomirski <luto@amacapital.net> wrote: > On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: >> This moves seccomp after ptrace on x86 to that seccomp can catch changes >> made by ptrace. Emulation should skip the rest of processing too. >> >> We can get rid of test_thread_flag because there's no longer any >> opportunity for seccomp to mess with ptrace state before invoking >> ptrace. >> >> Suggested-by: Andy Lutomirski <luto@kernel.org> >> Signed-off-by: Kees Cook <keescook@chromium.org> >> Cc: x86 at kernel.org >> Cc: Andy Lutomirski <luto@kernel.org> >> --- >> arch/x86/entry/common.c | 22 ++++++++++++---------- >> 1 file changed, 12 insertions(+), 10 deletions(-) >> >> diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c >> index df56ca394877..81c0e12d831c 100644 >> --- a/arch/x86/entry/common.c >> +++ b/arch/x86/entry/common.c >> @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> struct thread_info *ti = pt_regs_to_thread_info(regs); >> unsigned long ret = 0; >> + bool emulated = false; >> u32 work; >> >> if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) >> @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; >> >> + if (unlikely(work & _TIF_SYSCALL_EMU)) >> + emulated = true; >> + >> + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && >> + tracehook_report_syscall_entry(regs)) >> + return -1L; >> + >> + if (emulated) >> + return -1L; >> + > > I think that this code will result in ptrace-induced skips calling the > audit exit hook but not the audit entry hook. I don't know whether > this is a problem. It's also worth making sure that ptracing a > seccomp-skipped syscall calls the exit hook with the right regs. > > I suspect it's fine, but I want to think about it a little bit more. I don't think this is true, since all architectures already needed to handle an immediate return from seccomp, so audit shouldn't be touched on the exit path either. -Kees -- Kees Cook Chrome OS & Brillo Security ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [PATCH 06/14] x86/ptrace: run seccomp after ptrace @ 2016-06-10 2:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-10 2:01 UTC (permalink / raw) To: Andy Lutomirski Cc: linux-kernel, X86 ML, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, Linux MIPS Mailing List, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon On Thu, Jun 9, 2016 at 3:52 PM, Andy Lutomirski <luto@amacapital.net> wrote: > On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: >> This moves seccomp after ptrace on x86 to that seccomp can catch changes >> made by ptrace. Emulation should skip the rest of processing too. >> >> We can get rid of test_thread_flag because there's no longer any >> opportunity for seccomp to mess with ptrace state before invoking >> ptrace. >> >> Suggested-by: Andy Lutomirski <luto@kernel.org> >> Signed-off-by: Kees Cook <keescook@chromium.org> >> Cc: x86@kernel.org >> Cc: Andy Lutomirski <luto@kernel.org> >> --- >> arch/x86/entry/common.c | 22 ++++++++++++---------- >> 1 file changed, 12 insertions(+), 10 deletions(-) >> >> diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c >> index df56ca394877..81c0e12d831c 100644 >> --- a/arch/x86/entry/common.c >> +++ b/arch/x86/entry/common.c >> @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> struct thread_info *ti = pt_regs_to_thread_info(regs); >> unsigned long ret = 0; >> + bool emulated = false; >> u32 work; >> >> if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) >> @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; >> >> + if (unlikely(work & _TIF_SYSCALL_EMU)) >> + emulated = true; >> + >> + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && >> + tracehook_report_syscall_entry(regs)) >> + return -1L; >> + >> + if (emulated) >> + return -1L; >> + > > I think that this code will result in ptrace-induced skips calling the > audit exit hook but not the audit entry hook. I don't know whether > this is a problem. It's also worth making sure that ptracing a > seccomp-skipped syscall calls the exit hook with the right regs. > > I suspect it's fine, but I want to think about it a little bit more. I don't think this is true, since all architectures already needed to handle an immediate return from seccomp, so audit shouldn't be touched on the exit path either. -Kees -- Kees Cook Chrome OS & Brillo Security ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [PATCH 06/14] x86/ptrace: run seccomp after ptrace @ 2016-06-10 2:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-10 2:01 UTC (permalink / raw) To: Andy Lutomirski Cc: linux-kernel, X86 ML, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, Linux MIPS Mailing List, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin On Thu, Jun 9, 2016 at 3:52 PM, Andy Lutomirski <luto@amacapital.net> wrote: > On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: >> This moves seccomp after ptrace on x86 to that seccomp can catch changes >> made by ptrace. Emulation should skip the rest of processing too. >> >> We can get rid of test_thread_flag because there's no longer any >> opportunity for seccomp to mess with ptrace state before invoking >> ptrace. >> >> Suggested-by: Andy Lutomirski <luto@kernel.org> >> Signed-off-by: Kees Cook <keescook@chromium.org> >> Cc: x86@kernel.org >> Cc: Andy Lutomirski <luto@kernel.org> >> --- >> arch/x86/entry/common.c | 22 ++++++++++++---------- >> 1 file changed, 12 insertions(+), 10 deletions(-) >> >> diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c >> index df56ca394877..81c0e12d831c 100644 >> --- a/arch/x86/entry/common.c >> +++ b/arch/x86/entry/common.c >> @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> struct thread_info *ti = pt_regs_to_thread_info(regs); >> unsigned long ret = 0; >> + bool emulated = false; >> u32 work; >> >> if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) >> @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; >> >> + if (unlikely(work & _TIF_SYSCALL_EMU)) >> + emulated = true; >> + >> + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && >> + tracehook_report_syscall_entry(regs)) >> + return -1L; >> + >> + if (emulated) >> + return -1L; >> + > > I think that this code will result in ptrace-induced skips calling the > audit exit hook but not the audit entry hook. I don't know whether > this is a problem. It's also worth making sure that ptracing a > seccomp-skipped syscall calls the exit hook with the right regs. > > I suspect it's fine, but I want to think about it a little bit more. I don't think this is true, since all architectures already needed to handle an immediate return from seccomp, so audit shouldn't be touched on the exit path either. -Kees -- Kees Cook Chrome OS & Brillo Security ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [PATCH 06/14] x86/ptrace: run seccomp after ptrace @ 2016-06-10 2:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-10 2:01 UTC (permalink / raw) To: Andy Lutomirski Cc: linux-kernel, X86 ML, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, Linux MIPS Mailing List, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon On Thu, Jun 9, 2016 at 3:52 PM, Andy Lutomirski <luto@amacapital.net> wrote: > On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: >> This moves seccomp after ptrace on x86 to that seccomp can catch changes >> made by ptrace. Emulation should skip the rest of processing too. >> >> We can get rid of test_thread_flag because there's no longer any >> opportunity for seccomp to mess with ptrace state before invoking >> ptrace. >> >> Suggested-by: Andy Lutomirski <luto@kernel.org> >> Signed-off-by: Kees Cook <keescook@chromium.org> >> Cc: x86@kernel.org >> Cc: Andy Lutomirski <luto@kernel.org> >> --- >> arch/x86/entry/common.c | 22 ++++++++++++---------- >> 1 file changed, 12 insertions(+), 10 deletions(-) >> >> diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c >> index df56ca394877..81c0e12d831c 100644 >> --- a/arch/x86/entry/common.c >> +++ b/arch/x86/entry/common.c >> @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> struct thread_info *ti = pt_regs_to_thread_info(regs); >> unsigned long ret = 0; >> + bool emulated = false; >> u32 work; >> >> if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) >> @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; >> >> + if (unlikely(work & _TIF_SYSCALL_EMU)) >> + emulated = true; >> + >> + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && >> + tracehook_report_syscall_entry(regs)) >> + return -1L; >> + >> + if (emulated) >> + return -1L; >> + > > I think that this code will result in ptrace-induced skips calling the > audit exit hook but not the audit entry hook. I don't know whether > this is a problem. It's also worth making sure that ptracing a > seccomp-skipped syscall calls the exit hook with the right regs. > > I suspect it's fine, but I want to think about it a little bit more. I don't think this is true, since all architectures already needed to handle an immediate return from seccomp, so audit shouldn't be touched on the exit path either. -Kees -- Kees Cook Chrome OS & Brillo Security ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [PATCH 06/14] x86/ptrace: run seccomp after ptrace 2016-06-09 22:52 ` Andy Lutomirski ` (2 preceding siblings ...) (?) @ 2016-06-14 2:27 ` Andy Lutomirski -1 siblings, 0 replies; 96+ messages in thread From: Andy Lutomirski @ 2016-06-14 2:27 UTC (permalink / raw) To: Kees Cook Cc: linux-kernel, X86 ML, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, Linux MIPS Mailing List, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael On Thu, Jun 9, 2016 at 3:52 PM, Andy Lutomirski <luto@amacapital.net> wrote: > On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: >> This moves seccomp after ptrace on x86 to that seccomp can catch changes >> made by ptrace. Emulation should skip the rest of processing too. >> >> We can get rid of test_thread_flag because there's no longer any >> opportunity for seccomp to mess with ptrace state before invoking >> ptrace. >> >> Suggested-by: Andy Lutomirski <luto@kernel.org> >> Signed-off-by: Kees Cook <keescook@chromium.org> >> Cc: x86@kernel.org >> Cc: Andy Lutomirski <luto@kernel.org> >> --- >> arch/x86/entry/common.c | 22 ++++++++++++---------- >> 1 file changed, 12 insertions(+), 10 deletions(-) >> >> diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c >> index df56ca394877..81c0e12d831c 100644 >> --- a/arch/x86/entry/common.c >> +++ b/arch/x86/entry/common.c >> @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> struct thread_info *ti = pt_regs_to_thread_info(regs); >> unsigned long ret = 0; >> + bool emulated = false; >> u32 work; >> >> if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) >> @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; >> >> + if (unlikely(work & _TIF_SYSCALL_EMU)) >> + emulated = true; >> + >> + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && >> + tracehook_report_syscall_entry(regs)) >> + return -1L; >> + >> + if (emulated) >> + return -1L; >> + > > I think that this code will result in ptrace-induced skips calling the > audit exit hook but not the audit entry hook. I don't know whether > this is a problem. It's also worth making sure that ptracing a > seccomp-skipped syscall calls the exit hook with the right regs. > > I suspect it's fine, but I want to think about it a little bit more. I poked at it a bit and this seems to work correctly. selftests/x86/ptrace_syscall.c exercises PTRACE_SYSCALL_EMU pretty well, and it still passes. --Andy ^ permalink raw reply [flat|nested] 96+ messages in thread
* [PATCH 06/14] x86/ptrace: run seccomp after ptrace @ 2016-06-14 2:27 ` Andy Lutomirski 0 siblings, 0 replies; 96+ messages in thread From: Andy Lutomirski @ 2016-06-14 2:27 UTC (permalink / raw) To: linux-arm-kernel On Thu, Jun 9, 2016 at 3:52 PM, Andy Lutomirski <luto@amacapital.net> wrote: > On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: >> This moves seccomp after ptrace on x86 to that seccomp can catch changes >> made by ptrace. Emulation should skip the rest of processing too. >> >> We can get rid of test_thread_flag because there's no longer any >> opportunity for seccomp to mess with ptrace state before invoking >> ptrace. >> >> Suggested-by: Andy Lutomirski <luto@kernel.org> >> Signed-off-by: Kees Cook <keescook@chromium.org> >> Cc: x86 at kernel.org >> Cc: Andy Lutomirski <luto@kernel.org> >> --- >> arch/x86/entry/common.c | 22 ++++++++++++---------- >> 1 file changed, 12 insertions(+), 10 deletions(-) >> >> diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c >> index df56ca394877..81c0e12d831c 100644 >> --- a/arch/x86/entry/common.c >> +++ b/arch/x86/entry/common.c >> @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> struct thread_info *ti = pt_regs_to_thread_info(regs); >> unsigned long ret = 0; >> + bool emulated = false; >> u32 work; >> >> if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) >> @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; >> >> + if (unlikely(work & _TIF_SYSCALL_EMU)) >> + emulated = true; >> + >> + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && >> + tracehook_report_syscall_entry(regs)) >> + return -1L; >> + >> + if (emulated) >> + return -1L; >> + > > I think that this code will result in ptrace-induced skips calling the > audit exit hook but not the audit entry hook. I don't know whether > this is a problem. It's also worth making sure that ptracing a > seccomp-skipped syscall calls the exit hook with the right regs. > > I suspect it's fine, but I want to think about it a little bit more. I poked at it a bit and this seems to work correctly. selftests/x86/ptrace_syscall.c exercises PTRACE_SYSCALL_EMU pretty well, and it still passes. --Andy ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [PATCH 06/14] x86/ptrace: run seccomp after ptrace @ 2016-06-14 2:27 ` Andy Lutomirski 0 siblings, 0 replies; 96+ messages in thread From: Andy Lutomirski @ 2016-06-14 2:27 UTC (permalink / raw) To: Kees Cook Cc: linux-kernel, X86 ML, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, Linux MIPS Mailing List, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon On Thu, Jun 9, 2016 at 3:52 PM, Andy Lutomirski <luto@amacapital.net> wrote: > On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: >> This moves seccomp after ptrace on x86 to that seccomp can catch changes >> made by ptrace. Emulation should skip the rest of processing too. >> >> We can get rid of test_thread_flag because there's no longer any >> opportunity for seccomp to mess with ptrace state before invoking >> ptrace. >> >> Suggested-by: Andy Lutomirski <luto@kernel.org> >> Signed-off-by: Kees Cook <keescook@chromium.org> >> Cc: x86@kernel.org >> Cc: Andy Lutomirski <luto@kernel.org> >> --- >> arch/x86/entry/common.c | 22 ++++++++++++---------- >> 1 file changed, 12 insertions(+), 10 deletions(-) >> >> diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c >> index df56ca394877..81c0e12d831c 100644 >> --- a/arch/x86/entry/common.c >> +++ b/arch/x86/entry/common.c >> @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> struct thread_info *ti = pt_regs_to_thread_info(regs); >> unsigned long ret = 0; >> + bool emulated = false; >> u32 work; >> >> if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) >> @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; >> >> + if (unlikely(work & _TIF_SYSCALL_EMU)) >> + emulated = true; >> + >> + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && >> + tracehook_report_syscall_entry(regs)) >> + return -1L; >> + >> + if (emulated) >> + return -1L; >> + > > I think that this code will result in ptrace-induced skips calling the > audit exit hook but not the audit entry hook. I don't know whether > this is a problem. It's also worth making sure that ptracing a > seccomp-skipped syscall calls the exit hook with the right regs. > > I suspect it's fine, but I want to think about it a little bit more. I poked at it a bit and this seems to work correctly. selftests/x86/ptrace_syscall.c exercises PTRACE_SYSCALL_EMU pretty well, and it still passes. --Andy ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [PATCH 06/14] x86/ptrace: run seccomp after ptrace @ 2016-06-14 2:27 ` Andy Lutomirski 0 siblings, 0 replies; 96+ messages in thread From: Andy Lutomirski @ 2016-06-14 2:27 UTC (permalink / raw) To: Kees Cook Cc: linux-kernel, X86 ML, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, Linux MIPS Mailing List, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael On Thu, Jun 9, 2016 at 3:52 PM, Andy Lutomirski <luto@amacapital.net> wrote: > On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: >> This moves seccomp after ptrace on x86 to that seccomp can catch changes >> made by ptrace. Emulation should skip the rest of processing too. >> >> We can get rid of test_thread_flag because there's no longer any >> opportunity for seccomp to mess with ptrace state before invoking >> ptrace. >> >> Suggested-by: Andy Lutomirski <luto@kernel.org> >> Signed-off-by: Kees Cook <keescook@chromium.org> >> Cc: x86@kernel.org >> Cc: Andy Lutomirski <luto@kernel.org> >> --- >> arch/x86/entry/common.c | 22 ++++++++++++---------- >> 1 file changed, 12 insertions(+), 10 deletions(-) >> >> diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c >> index df56ca394877..81c0e12d831c 100644 >> --- a/arch/x86/entry/common.c >> +++ b/arch/x86/entry/common.c >> @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> struct thread_info *ti = pt_regs_to_thread_info(regs); >> unsigned long ret = 0; >> + bool emulated = false; >> u32 work; >> >> if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) >> @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; >> >> + if (unlikely(work & _TIF_SYSCALL_EMU)) >> + emulated = true; >> + >> + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && >> + tracehook_report_syscall_entry(regs)) >> + return -1L; >> + >> + if (emulated) >> + return -1L; >> + > > I think that this code will result in ptrace-induced skips calling the > audit exit hook but not the audit entry hook. I don't know whether > this is a problem. It's also worth making sure that ptracing a > seccomp-skipped syscall calls the exit hook with the right regs. > > I suspect it's fine, but I want to think about it a little bit more. I poked at it a bit and this seems to work correctly. selftests/x86/ptrace_syscall.c exercises PTRACE_SYSCALL_EMU pretty well, and it still passes. --Andy ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [PATCH 06/14] x86/ptrace: run seccomp after ptrace @ 2016-06-14 2:27 ` Andy Lutomirski 0 siblings, 0 replies; 96+ messages in thread From: Andy Lutomirski @ 2016-06-14 2:27 UTC (permalink / raw) To: Kees Cook Cc: linux-kernel, X86 ML, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, Linux MIPS Mailing List, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon On Thu, Jun 9, 2016 at 3:52 PM, Andy Lutomirski <luto@amacapital.net> wrote: > On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: >> This moves seccomp after ptrace on x86 to that seccomp can catch changes >> made by ptrace. Emulation should skip the rest of processing too. >> >> We can get rid of test_thread_flag because there's no longer any >> opportunity for seccomp to mess with ptrace state before invoking >> ptrace. >> >> Suggested-by: Andy Lutomirski <luto@kernel.org> >> Signed-off-by: Kees Cook <keescook@chromium.org> >> Cc: x86@kernel.org >> Cc: Andy Lutomirski <luto@kernel.org> >> --- >> arch/x86/entry/common.c | 22 ++++++++++++---------- >> 1 file changed, 12 insertions(+), 10 deletions(-) >> >> diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c >> index df56ca394877..81c0e12d831c 100644 >> --- a/arch/x86/entry/common.c >> +++ b/arch/x86/entry/common.c >> @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> struct thread_info *ti = pt_regs_to_thread_info(regs); >> unsigned long ret = 0; >> + bool emulated = false; >> u32 work; >> >> if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) >> @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; >> >> + if (unlikely(work & _TIF_SYSCALL_EMU)) >> + emulated = true; >> + >> + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && >> + tracehook_report_syscall_entry(regs)) >> + return -1L; >> + >> + if (emulated) >> + return -1L; >> + > > I think that this code will result in ptrace-induced skips calling the > audit exit hook but not the audit entry hook. I don't know whether > this is a problem. It's also worth making sure that ptracing a > seccomp-skipped syscall calls the exit hook with the right regs. > > I suspect it's fine, but I want to think about it a little bit more. I poked at it a bit and this seems to work correctly. selftests/x86/ptrace_syscall.c exercises PTRACE_SYSCALL_EMU pretty well, and it still passes. --Andy ^ permalink raw reply [flat|nested] 96+ messages in thread
* [PATCH 07/14] arm/ptrace: run seccomp after ptrace 2016-06-09 21:01 ` Kees Cook (?) (?) @ 2016-06-09 21:01 ` Kees Cook -1 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Russell King, linux-arm-kernel, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Russell King <linux@armlinux.org.uk> Cc: linux-arm-kernel@lists.infradead.org --- arch/arm/kernel/ptrace.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c index ad5e90ab165c..dc7b372872ff 100644 --- a/arch/arm/kernel/ptrace.c +++ b/arch/arm/kernel/ptrace.c @@ -932,18 +932,19 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno) { current_thread_info()->syscall = scno; - /* Do the secure computing check first; failures should be fast. */ + if (test_thread_flag(TIF_SYSCALL_TRACE)) + tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER); + + /* Do seccomp after ptrace; syscall may have changed. */ #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER if (secure_computing(NULL) == -1) return -1; #else /* XXX: remove this once OABI gets fixed */ - secure_computing_strict(scno); + secure_computing_strict(current_thread_info()->syscall); #endif - if (test_thread_flag(TIF_SYSCALL_TRACE)) - tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER); - + /* Tracer or seccomp may have changed syscall. */ scno = current_thread_info()->syscall; if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 07/14] arm/ptrace: run seccomp after ptrace @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-arm-kernel Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Russell King <linux@armlinux.org.uk> Cc: linux-arm-kernel at lists.infradead.org --- arch/arm/kernel/ptrace.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c index ad5e90ab165c..dc7b372872ff 100644 --- a/arch/arm/kernel/ptrace.c +++ b/arch/arm/kernel/ptrace.c @@ -932,18 +932,19 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno) { current_thread_info()->syscall = scno; - /* Do the secure computing check first; failures should be fast. */ + if (test_thread_flag(TIF_SYSCALL_TRACE)) + tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER); + + /* Do seccomp after ptrace; syscall may have changed. */ #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER if (secure_computing(NULL) == -1) return -1; #else /* XXX: remove this once OABI gets fixed */ - secure_computing_strict(scno); + secure_computing_strict(current_thread_info()->syscall); #endif - if (test_thread_flag(TIF_SYSCALL_TRACE)) - tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER); - + /* Tracer or seccomp may have changed syscall. */ scno = current_thread_info()->syscall; if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 07/14] arm/ptrace: run seccomp after ptrace @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Russell King, linux-arm-kernel, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Russell King <linux@armlinux.org.uk> Cc: linux-arm-kernel@lists.infradead.org --- arch/arm/kernel/ptrace.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c index ad5e90ab165c..dc7b372872ff 100644 --- a/arch/arm/kernel/ptrace.c +++ b/arch/arm/kernel/ptrace.c @@ -932,18 +932,19 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno) { current_thread_info()->syscall = scno; - /* Do the secure computing check first; failures should be fast. */ + if (test_thread_flag(TIF_SYSCALL_TRACE)) + tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER); + + /* Do seccomp after ptrace; syscall may have changed. */ #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER if (secure_computing(NULL) == -1) return -1; #else /* XXX: remove this once OABI gets fixed */ - secure_computing_strict(scno); + secure_computing_strict(current_thread_info()->syscall); #endif - if (test_thread_flag(TIF_SYSCALL_TRACE)) - tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER); - + /* Tracer or seccomp may have changed syscall. */ scno = current_thread_info()->syscall; if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 07/14] arm/ptrace: run seccomp after ptrace @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Russell King, linux-arm-kernel, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, user-mode-linux-devel, Will Deacon, x86 Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Russell King <linux@armlinux.org.uk> Cc: linux-arm-kernel@lists.infradead.org --- arch/arm/kernel/ptrace.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c index ad5e90ab165c..dc7b372872ff 100644 --- a/arch/arm/kernel/ptrace.c +++ b/arch/arm/kernel/ptrace.c @@ -932,18 +932,19 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno) { current_thread_info()->syscall = scno; - /* Do the secure computing check first; failures should be fast. */ + if (test_thread_flag(TIF_SYSCALL_TRACE)) + tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER); + + /* Do seccomp after ptrace; syscall may have changed. */ #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER if (secure_computing(NULL) == -1) return -1; #else /* XXX: remove this once OABI gets fixed */ - secure_computing_strict(scno); + secure_computing_strict(current_thread_info()->syscall); #endif - if (test_thread_flag(TIF_SYSCALL_TRACE)) - tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER); - + /* Tracer or seccomp may have changed syscall. */ scno = current_thread_info()->syscall; if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 08/14] arm64/ptrace: run seccomp after ptrace 2016-06-09 21:01 ` Kees Cook ` (2 preceding siblings ...) (?) @ 2016-06-09 21:01 ` Kees Cook -1 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Mark Rutland, linux-mips, Catalin Marinas, Heiko Carstens, Russell King, Paul Mackerras, Chris Metcalf, linux-arch, linux-s390, Michael Ellerman, Helge Deller, x86, James E.J. Bottomley, Benjamin Herrenschmidt, James Hogan, Kees Cook, user-mode-linux-devel, Will Deacon, Jeff Dike, Andy Lutomirski, linux-arm-kernel, linux-parisc, Ralf Baechle, Richard Weinberger, Martin Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Will Deacon <will.deacon@arm.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: linux-arm-kernel@lists.infradead.org --- arch/arm64/kernel/ptrace.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 6e2cf046615d..602316c97a47 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -1246,13 +1246,13 @@ static void tracehook_report_syscall(struct pt_regs *regs, asmlinkage int syscall_trace_enter(struct pt_regs *regs) { - /* Do the secure computing check first; failures should be fast. */ - if (secure_computing(NULL) == -1) - return -1; - if (test_thread_flag(TIF_SYSCALL_TRACE)) tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER); + /* Do the secure computing after ptrace; failures should be fast. */ + if (secure_computing(NULL) == -1) + return -1; + if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) trace_sys_enter(regs, regs->syscallno); -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 08/14] arm64/ptrace: run seccomp after ptrace @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Mark Rutland, linux-mips, Catalin Marinas, Heiko Carstens, Russell King, Paul Mackerras, Chris Metcalf, linux-arch, linux-s390, Michael Ellerman, Helge Deller, x86, James E.J. Bottomley, Benjamin Herrenschmidt, James Hogan, Kees Cook, user-mode-linux-devel, Will Deacon, Jeff Dike, Andy Lutomirski, linux-arm-kernel, linux-parisc, Ralf Baechle, Richard Weinberger, Martin Schwidefsky, Maciej W. Rozycki, linuxppc-dev Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Will Deacon <will.deacon@arm.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: linux-arm-kernel@lists.infradead.org --- arch/arm64/kernel/ptrace.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 6e2cf046615d..602316c97a47 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -1246,13 +1246,13 @@ static void tracehook_report_syscall(struct pt_regs *regs, asmlinkage int syscall_trace_enter(struct pt_regs *regs) { - /* Do the secure computing check first; failures should be fast. */ - if (secure_computing(NULL) == -1) - return -1; - if (test_thread_flag(TIF_SYSCALL_TRACE)) tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER); + /* Do the secure computing after ptrace; failures should be fast. */ + if (secure_computing(NULL) == -1) + return -1; + if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) trace_sys_enter(regs, regs->syscallno); -- 2.7.4 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 08/14] arm64/ptrace: run seccomp after ptrace @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-arm-kernel Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Will Deacon <will.deacon@arm.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: linux-arm-kernel at lists.infradead.org --- arch/arm64/kernel/ptrace.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 6e2cf046615d..602316c97a47 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -1246,13 +1246,13 @@ static void tracehook_report_syscall(struct pt_regs *regs, asmlinkage int syscall_trace_enter(struct pt_regs *regs) { - /* Do the secure computing check first; failures should be fast. */ - if (secure_computing(NULL) == -1) - return -1; - if (test_thread_flag(TIF_SYSCALL_TRACE)) tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER); + /* Do the secure computing after ptrace; failures should be fast. */ + if (secure_computing(NULL) == -1) + return -1; + if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) trace_sys_enter(regs, regs->syscallno); -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 08/14] arm64/ptrace: run seccomp after ptrace @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Mark Rutland, linux-mips, Catalin Marinas, Heiko Carstens, Russell King, Paul Mackerras, Chris Metcalf, linux-arch, linux-s390, Michael Ellerman, Helge Deller, x86, James E.J. Bottomley, Benjamin Herrenschmidt, James Hogan, Kees Cook, user-mode-linux-devel, Will Deacon, Jeff Dike, Andy Lutomirski, linux-arm-kernel, linux-parisc, Ralf Baechle, Richard Weinberger, Martin Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Will Deacon <will.deacon@arm.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: linux-arm-kernel@lists.infradead.org --- arch/arm64/kernel/ptrace.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 6e2cf046615d..602316c97a47 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -1246,13 +1246,13 @@ static void tracehook_report_syscall(struct pt_regs *regs, asmlinkage int syscall_trace_enter(struct pt_regs *regs) { - /* Do the secure computing check first; failures should be fast. */ - if (secure_computing(NULL) == -1) - return -1; - if (test_thread_flag(TIF_SYSCALL_TRACE)) tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER); + /* Do the secure computing after ptrace; failures should be fast. */ + if (secure_computing(NULL) == -1) + return -1; + if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) trace_sys_enter(regs, regs->syscallno); -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 08/14] arm64/ptrace: run seccomp after ptrace @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Catalin Marinas, Will Deacon, Mark Rutland, linux-arm-kernel, Andy Lutomirski, Benjamin Herrenschmidt, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, x86 Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Will Deacon <will.deacon@arm.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: linux-arm-kernel@lists.infradead.org --- arch/arm64/kernel/ptrace.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 6e2cf046615d..602316c97a47 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -1246,13 +1246,13 @@ static void tracehook_report_syscall(struct pt_regs *regs, asmlinkage int syscall_trace_enter(struct pt_regs *regs) { - /* Do the secure computing check first; failures should be fast. */ - if (secure_computing(NULL) == -1) - return -1; - if (test_thread_flag(TIF_SYSCALL_TRACE)) tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER); + /* Do the secure computing after ptrace; failures should be fast. */ + if (secure_computing(NULL) == -1) + return -1; + if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) trace_sys_enter(regs, regs->syscallno); -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 09/14] MIPS/ptrace: run seccomp after ptrace 2016-06-09 21:01 ` Kees Cook (?) (?) @ 2016-06-09 21:01 ` Kees Cook -1 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Ralf Baechle, Maciej W. Rozycki, James Hogan, linux-mips, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, Jeff Dike, linux-arch, linux-arm-kernel, linux-parisc, linuxppc-dev, linux-s390, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Richard Weinberger, Russell King Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Ralf Baechle <ralf@linux-mips.org> Cc: "Maciej W. Rozycki" <macro@imgtec.com> Cc: James Hogan <james.hogan@imgtec.com> Cc: linux-mips@linux-mips.org --- arch/mips/kernel/ptrace.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c index c50af846ecf9..6103b24d1bfc 100644 --- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c @@ -888,17 +888,16 @@ long arch_ptrace(struct task_struct *child, long request, */ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall) { - long ret = 0; user_exit(); current_thread_info()->syscall = syscall; - if (secure_computing(NULL) == -1) - return -1; ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 09/14] MIPS/ptrace: run seccomp after ptrace @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-arm-kernel Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Ralf Baechle <ralf@linux-mips.org> Cc: "Maciej W. Rozycki" <macro@imgtec.com> Cc: James Hogan <james.hogan@imgtec.com> Cc: linux-mips at linux-mips.org --- arch/mips/kernel/ptrace.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c index c50af846ecf9..6103b24d1bfc 100644 --- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c @@ -888,17 +888,16 @@ long arch_ptrace(struct task_struct *child, long request, */ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall) { - long ret = 0; user_exit(); current_thread_info()->syscall = syscall; - if (secure_computing(NULL) == -1) - return -1; - if (test_thread_flag(TIF_SYSCALL_TRACE) && tracehook_report_syscall_entry(regs)) - ret = -1; + return -1; + + if (secure_computing(NULL) == -1) + return -1; if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) trace_sys_enter(regs, regs->regs[2]); -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 09/14] MIPS/ptrace: run seccomp after ptrace @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Ralf Baechle, Maciej W. Rozycki, James Hogan, linux-mips, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, Jeff Dike, linux-arch, linux-arm-kernel, linux-parisc, linuxppc-dev, linux-s390, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Richard Weinberger, Russell King Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Ralf Baechle <ralf@linux-mips.org> Cc: "Maciej W. Rozycki" <macro@imgtec.com> Cc: James Hogan <james.hogan@imgtec.com> Cc: linux-mips@linux-mips.org --- arch/mips/kernel/ptrace.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c index c50af846ecf9..6103b24d1bfc 100644 --- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c @@ -888,17 +888,16 @@ long arch_ptrace(struct task_struct *child, long request, */ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall) { - long ret = 0; user_exit(); current_thread_info()->syscall = syscall; - if (secure_computing(NULL) == -1) - return -1; ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 09/14] MIPS/ptrace: run seccomp after ptrace @ 2016-06-09 21:01 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:01 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Ralf Baechle, Maciej W. Rozycki, James Hogan, linux-mips, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, Jeff Dike, linux-arch, linux-arm-kernel, linux-parisc, linuxppc-dev, linux-s390, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon, x86 Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Ralf Baechle <ralf@linux-mips.org> Cc: "Maciej W. Rozycki" <macro@imgtec.com> Cc: James Hogan <james.hogan@imgtec.com> Cc: linux-mips@linux-mips.org --- arch/mips/kernel/ptrace.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c index c50af846ecf9..6103b24d1bfc 100644 --- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c @@ -888,17 +888,16 @@ long arch_ptrace(struct task_struct *child, long request, */ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall) { - long ret = 0; user_exit(); current_thread_info()->syscall = syscall; - if (secure_computing(NULL) == -1) - return -1; - if (test_thread_flag(TIF_SYSCALL_TRACE) && tracehook_report_syscall_entry(regs)) - ret = -1; + return -1; + + if (secure_computing(NULL) == -1) + return -1; if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) trace_sys_enter(regs, regs->regs[2]); -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 10/14] parisc/ptrace: run seccomp after ptrace 2016-06-09 21:01 ` Kees Cook ` (2 preceding siblings ...) (?) @ 2016-06-09 21:02 ` Kees Cook -1 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-kernel Cc: Mark Rutland, linux-mips, Benjamin Herrenschmidt, Heiko Carstens, Russell King, Paul Mackerras, Chris Metcalf, linux-arch, linux-s390, Michael Ellerman, Helge Deller, x86, James E.J. Bottomley, Catalin Marinas, James Hogan, Kees Cook, user-mode-linux-devel, Will Deacon, Jeff Dike, Andy Lutomirski, linux-arm-kernel, linux-parisc, Ralf Baechle, Richard Weinberger, Martin Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: "James E.J. Bottomley" <jejb@parisc-linux.org> Cc: Helge Deller <deller@gmx.de> Cc: linux-parisc@vger.kernel.org --- arch/parisc/kernel/ptrace.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/arch/parisc/kernel/ptrace.c b/arch/parisc/kernel/ptrace.c index 8edc47c0b98e..e02d7b4d2b69 100644 --- a/arch/parisc/kernel/ptrace.c +++ b/arch/parisc/kernel/ptrace.c @@ -311,10 +311,6 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, long do_syscall_trace_enter(struct pt_regs *regs) { - /* Do the secure computing check first. */ - if (secure_computing(NULL) == -1) - return -1; - if (test_thread_flag(TIF_SYSCALL_TRACE) && tracehook_report_syscall_entry(regs)) { /* @@ -325,6 +321,11 @@ long do_syscall_trace_enter(struct pt_regs *regs) regs->gr[20] = -1UL; goto out; } + + /* Do the secure computing check after ptrace. */ + if (secure_computing(NULL) == -1) + return -1; + #ifdef CONFIG_HAVE_SYSCALL_TRACEPOINTS if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) trace_sys_enter(regs, regs->gr[20]); -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 10/14] parisc/ptrace: run seccomp after ptrace @ 2016-06-09 21:02 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-kernel Cc: Mark Rutland, linux-mips, Benjamin Herrenschmidt, Heiko Carstens, Russell King, Paul Mackerras, Chris Metcalf, linux-arch, linux-s390, Michael Ellerman, Helge Deller, x86, James E.J. Bottomley, Catalin Marinas, James Hogan, Kees Cook, user-mode-linux-devel, Will Deacon, Jeff Dike, Andy Lutomirski, linux-arm-kernel, linux-parisc, Ralf Baechle, Richard Weinberger, Martin Schwidefsky, Maciej W. Rozycki, linuxppc-dev Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: "James E.J. Bottomley" <jejb@parisc-linux.org> Cc: Helge Deller <deller@gmx.de> Cc: linux-parisc@vger.kernel.org --- arch/parisc/kernel/ptrace.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/arch/parisc/kernel/ptrace.c b/arch/parisc/kernel/ptrace.c index 8edc47c0b98e..e02d7b4d2b69 100644 --- a/arch/parisc/kernel/ptrace.c +++ b/arch/parisc/kernel/ptrace.c @@ -311,10 +311,6 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, long do_syscall_trace_enter(struct pt_regs *regs) { - /* Do the secure computing check first. */ - if (secure_computing(NULL) == -1) - return -1; - if (test_thread_flag(TIF_SYSCALL_TRACE) && tracehook_report_syscall_entry(regs)) { /* @@ -325,6 +321,11 @@ long do_syscall_trace_enter(struct pt_regs *regs) regs->gr[20] = -1UL; goto out; } + + /* Do the secure computing check after ptrace. */ + if (secure_computing(NULL) == -1) + return -1; + #ifdef CONFIG_HAVE_SYSCALL_TRACEPOINTS if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) trace_sys_enter(regs, regs->gr[20]); -- 2.7.4 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 10/14] parisc/ptrace: run seccomp after ptrace @ 2016-06-09 21:02 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-arm-kernel Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: "James E.J. Bottomley" <jejb@parisc-linux.org> Cc: Helge Deller <deller@gmx.de> Cc: linux-parisc at vger.kernel.org --- arch/parisc/kernel/ptrace.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/arch/parisc/kernel/ptrace.c b/arch/parisc/kernel/ptrace.c index 8edc47c0b98e..e02d7b4d2b69 100644 --- a/arch/parisc/kernel/ptrace.c +++ b/arch/parisc/kernel/ptrace.c @@ -311,10 +311,6 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, long do_syscall_trace_enter(struct pt_regs *regs) { - /* Do the secure computing check first. */ - if (secure_computing(NULL) == -1) - return -1; - if (test_thread_flag(TIF_SYSCALL_TRACE) && tracehook_report_syscall_entry(regs)) { /* @@ -325,6 +321,11 @@ long do_syscall_trace_enter(struct pt_regs *regs) regs->gr[20] = -1UL; goto out; } + + /* Do the secure computing check after ptrace. */ + if (secure_computing(NULL) == -1) + return -1; + #ifdef CONFIG_HAVE_SYSCALL_TRACEPOINTS if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) trace_sys_enter(regs, regs->gr[20]); -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 10/14] parisc/ptrace: run seccomp after ptrace @ 2016-06-09 21:02 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-kernel Cc: Mark Rutland, linux-mips, Benjamin Herrenschmidt, Heiko Carstens, Russell King, Paul Mackerras, Chris Metcalf, linux-arch, linux-s390, Michael Ellerman, Helge Deller, x86, James E.J. Bottomley, Catalin Marinas, James Hogan, Kees Cook, user-mode-linux-devel, Will Deacon, Jeff Dike, Andy Lutomirski, linux-arm-kernel, linux-parisc, Ralf Baechle, Richard Weinberger, Martin Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: "James E.J. Bottomley" <jejb@parisc-linux.org> Cc: Helge Deller <deller@gmx.de> Cc: linux-parisc@vger.kernel.org --- arch/parisc/kernel/ptrace.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/arch/parisc/kernel/ptrace.c b/arch/parisc/kernel/ptrace.c index 8edc47c0b98e..e02d7b4d2b69 100644 --- a/arch/parisc/kernel/ptrace.c +++ b/arch/parisc/kernel/ptrace.c @@ -311,10 +311,6 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, long do_syscall_trace_enter(struct pt_regs *regs) { - /* Do the secure computing check first. */ - if (secure_computing(NULL) == -1) - return -1; - if (test_thread_flag(TIF_SYSCALL_TRACE) && tracehook_report_syscall_entry(regs)) { /* @@ -325,6 +321,11 @@ long do_syscall_trace_enter(struct pt_regs *regs) regs->gr[20] = -1UL; goto out; } + + /* Do the secure computing check after ptrace. */ + if (secure_computing(NULL) == -1) + return -1; + #ifdef CONFIG_HAVE_SYSCALL_TRACEPOINTS if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) trace_sys_enter(regs, regs->gr[20]); -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 10/14] parisc/ptrace: run seccomp after ptrace @ 2016-06-09 21:02 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, James E.J. Bottomley, Helge Deller, linux-parisc, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon, x86 Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: "James E.J. Bottomley" <jejb@parisc-linux.org> Cc: Helge Deller <deller@gmx.de> Cc: linux-parisc@vger.kernel.org --- arch/parisc/kernel/ptrace.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/arch/parisc/kernel/ptrace.c b/arch/parisc/kernel/ptrace.c index 8edc47c0b98e..e02d7b4d2b69 100644 --- a/arch/parisc/kernel/ptrace.c +++ b/arch/parisc/kernel/ptrace.c @@ -311,10 +311,6 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, long do_syscall_trace_enter(struct pt_regs *regs) { - /* Do the secure computing check first. */ - if (secure_computing(NULL) == -1) - return -1; - if (test_thread_flag(TIF_SYSCALL_TRACE) && tracehook_report_syscall_entry(regs)) { /* @@ -325,6 +321,11 @@ long do_syscall_trace_enter(struct pt_regs *regs) regs->gr[20] = -1UL; goto out; } + + /* Do the secure computing check after ptrace. */ + if (secure_computing(NULL) == -1) + return -1; + #ifdef CONFIG_HAVE_SYSCALL_TRACEPOINTS if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) trace_sys_enter(regs, regs->gr[20]); -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 11/14] s390/ptrace: run seccomp after ptrace 2016-06-09 21:01 ` Kees Cook ` (2 preceding siblings ...) (?) @ 2016-06-09 21:02 ` Kees Cook -1 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-kernel Cc: Mark Rutland, linux-mips, Benjamin Herrenschmidt, Heiko Carstens, Russell King, Paul Mackerras, Chris Metcalf, linux-arch, linux-s390, Michael Ellerman, Helge Deller, x86, James E.J. Bottomley, Catalin Marinas, James Hogan, Kees Cook, user-mode-linux-devel, Will Deacon, Jeff Dike, Andy Lutomirski, linux-arm-kernel, linux-parisc, Ralf Baechle, Richard Weinberger, Martin Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Heiko Carstens <heiko.carstens@de.ibm.com> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: linux-s390@vger.kernel.org --- arch/s390/kernel/ptrace.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c index c238e9958c2a..cea17010448f 100644 --- a/arch/s390/kernel/ptrace.c +++ b/arch/s390/kernel/ptrace.c @@ -821,15 +821,6 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) { - long ret = 0; - - /* Do the secure computing check first. */ - if (secure_computing(NULL)) { - /* seccomp failures shouldn't expose any additional code. */ - ret = -1; - goto out; - } - /* * The sysc_tracesys code in entry.S stored the system * call number to gprs[2]. @@ -843,7 +834,13 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) * the system call and the system call restart handling. */ clear_pt_regs_flag(regs, PIF_SYSCALL); - ret = -1; + return -1; + } + + /* Do the secure computing check after ptrace. */ + if (secure_computing(NULL)) { + /* seccomp failures shouldn't expose any additional code. */ + return -1; } if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) @@ -852,8 +849,8 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) audit_syscall_entry(regs->gprs[2], regs->orig_gpr2, regs->gprs[3], regs->gprs[4], regs->gprs[5]); -out: - return ret ?: regs->gprs[2]; + + return regs->gprs[2]; } asmlinkage void do_syscall_trace_exit(struct pt_regs *regs) -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 11/14] s390/ptrace: run seccomp after ptrace @ 2016-06-09 21:02 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-kernel Cc: Mark Rutland, linux-mips, Benjamin Herrenschmidt, Heiko Carstens, Russell King, Paul Mackerras, Chris Metcalf, linux-arch, linux-s390, Michael Ellerman, Helge Deller, x86, James E.J. Bottomley, Catalin Marinas, James Hogan, Kees Cook, user-mode-linux-devel, Will Deacon, Jeff Dike, Andy Lutomirski, linux-arm-kernel, linux-parisc, Ralf Baechle, Richard Weinberger, Martin Schwidefsky, Maciej W. Rozycki, linuxppc-dev Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Heiko Carstens <heiko.carstens@de.ibm.com> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: linux-s390@vger.kernel.org --- arch/s390/kernel/ptrace.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c index c238e9958c2a..cea17010448f 100644 --- a/arch/s390/kernel/ptrace.c +++ b/arch/s390/kernel/ptrace.c @@ -821,15 +821,6 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) { - long ret = 0; - - /* Do the secure computing check first. */ - if (secure_computing(NULL)) { - /* seccomp failures shouldn't expose any additional code. */ - ret = -1; - goto out; - } - /* * The sysc_tracesys code in entry.S stored the system * call number to gprs[2]. @@ -843,7 +834,13 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) * the system call and the system call restart handling. */ clear_pt_regs_flag(regs, PIF_SYSCALL); - ret = -1; + return -1; + } + + /* Do the secure computing check after ptrace. */ + if (secure_computing(NULL)) { + /* seccomp failures shouldn't expose any additional code. */ + return -1; } if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) @@ -852,8 +849,8 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) audit_syscall_entry(regs->gprs[2], regs->orig_gpr2, regs->gprs[3], regs->gprs[4], regs->gprs[5]); -out: - return ret ?: regs->gprs[2]; + + return regs->gprs[2]; } asmlinkage void do_syscall_trace_exit(struct pt_regs *regs) -- 2.7.4 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 11/14] s390/ptrace: run seccomp after ptrace @ 2016-06-09 21:02 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-arm-kernel Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Heiko Carstens <heiko.carstens@de.ibm.com> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: linux-s390 at vger.kernel.org --- arch/s390/kernel/ptrace.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c index c238e9958c2a..cea17010448f 100644 --- a/arch/s390/kernel/ptrace.c +++ b/arch/s390/kernel/ptrace.c @@ -821,15 +821,6 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) { - long ret = 0; - - /* Do the secure computing check first. */ - if (secure_computing(NULL)) { - /* seccomp failures shouldn't expose any additional code. */ - ret = -1; - goto out; - } - /* * The sysc_tracesys code in entry.S stored the system * call number to gprs[2]. @@ -843,7 +834,13 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) * the system call and the system call restart handling. */ clear_pt_regs_flag(regs, PIF_SYSCALL); - ret = -1; + return -1; + } + + /* Do the secure computing check after ptrace. */ + if (secure_computing(NULL)) { + /* seccomp failures shouldn't expose any additional code. */ + return -1; } if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) @@ -852,8 +849,8 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) audit_syscall_entry(regs->gprs[2], regs->orig_gpr2, regs->gprs[3], regs->gprs[4], regs->gprs[5]); -out: - return ret ?: regs->gprs[2]; + + return regs->gprs[2]; } asmlinkage void do_syscall_trace_exit(struct pt_regs *regs) -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 11/14] s390/ptrace: run seccomp after ptrace @ 2016-06-09 21:02 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-kernel Cc: Mark Rutland, linux-mips, Benjamin Herrenschmidt, Heiko Carstens, Russell King, Paul Mackerras, Chris Metcalf, linux-arch, linux-s390, Michael Ellerman, Helge Deller, x86, James E.J. Bottomley, Catalin Marinas, James Hogan, Kees Cook, user-mode-linux-devel, Will Deacon, Jeff Dike, Andy Lutomirski, linux-arm-kernel, linux-parisc, Ralf Baechle, Richard Weinberger, Martin Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Heiko Carstens <heiko.carstens@de.ibm.com> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: linux-s390@vger.kernel.org --- arch/s390/kernel/ptrace.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c index c238e9958c2a..cea17010448f 100644 --- a/arch/s390/kernel/ptrace.c +++ b/arch/s390/kernel/ptrace.c @@ -821,15 +821,6 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) { - long ret = 0; - - /* Do the secure computing check first. */ - if (secure_computing(NULL)) { - /* seccomp failures shouldn't expose any additional code. */ - ret = -1; - goto out; - } - /* * The sysc_tracesys code in entry.S stored the system * call number to gprs[2]. @@ -843,7 +834,13 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) * the system call and the system call restart handling. */ clear_pt_regs_flag(regs, PIF_SYSCALL); - ret = -1; + return -1; + } + + /* Do the secure computing check after ptrace. */ + if (secure_computing(NULL)) { + /* seccomp failures shouldn't expose any additional code. */ + return -1; } if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) @@ -852,8 +849,8 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) audit_syscall_entry(regs->gprs[2], regs->orig_gpr2, regs->gprs[3], regs->gprs[4], regs->gprs[5]); -out: - return ret ?: regs->gprs[2]; + + return regs->gprs[2]; } asmlinkage void do_syscall_trace_exit(struct pt_regs *regs) -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 11/14] s390/ptrace: run seccomp after ptrace @ 2016-06-09 21:02 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Heiko Carstens, Martin Schwidefsky, linux-s390, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, Maciej W. Rozycki, Mark Rutland, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon, x86 Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Heiko Carstens <heiko.carstens@de.ibm.com> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: linux-s390@vger.kernel.org --- arch/s390/kernel/ptrace.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c index c238e9958c2a..cea17010448f 100644 --- a/arch/s390/kernel/ptrace.c +++ b/arch/s390/kernel/ptrace.c @@ -821,15 +821,6 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) { - long ret = 0; - - /* Do the secure computing check first. */ - if (secure_computing(NULL)) { - /* seccomp failures shouldn't expose any additional code. */ - ret = -1; - goto out; - } - /* * The sysc_tracesys code in entry.S stored the system * call number to gprs[2]. @@ -843,7 +834,13 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) * the system call and the system call restart handling. */ clear_pt_regs_flag(regs, PIF_SYSCALL); - ret = -1; + return -1; + } + + /* Do the secure computing check after ptrace. */ + if (secure_computing(NULL)) { + /* seccomp failures shouldn't expose any additional code. */ + return -1; } if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) @@ -852,8 +849,8 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) audit_syscall_entry(regs->gprs[2], regs->orig_gpr2, regs->gprs[3], regs->gprs[4], regs->gprs[5]); -out: - return ret ?: regs->gprs[2]; + + return regs->gprs[2]; } asmlinkage void do_syscall_trace_exit(struct pt_regs *regs) -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* Re: [PATCH 11/14] s390/ptrace: run seccomp after ptrace 2016-06-09 21:02 ` Kees Cook (?) @ 2016-06-10 10:51 ` Martin Schwidefsky -1 siblings, 0 replies; 96+ messages in thread From: Martin Schwidefsky @ 2016-06-10 10:51 UTC (permalink / raw) To: Kees Cook Cc: linux-kernel, Heiko Carstens, linux-s390, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, Maciej W. Rozycki, Mark Rutland, Michael Ellerman, Paul Mackerras, Ralf Baechle, Ri On Thu, 9 Jun 2016 14:02:01 -0700 Kees Cook <keescook@chromium.org> wrote: > Close the hole where ptrace can change a syscall out from under seccomp. > > Signed-off-by: Kees Cook <keescook@chromium.org> > Cc: Heiko Carstens <heiko.carstens@de.ibm.com> > Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> > Cc: linux-s390@vger.kernel.org > --- > arch/s390/kernel/ptrace.c | 21 +++++++++------------ > 1 file changed, 9 insertions(+), 12 deletions(-) If the change in semantics in regard to the audit of skipped system calls is acceptable, the modified s390 arch code is ok. -- blue skies, Martin. "Reality continues to ruin my life." - Calvin. ^ permalink raw reply [flat|nested] 96+ messages in thread
* [PATCH 11/14] s390/ptrace: run seccomp after ptrace @ 2016-06-10 10:51 ` Martin Schwidefsky 0 siblings, 0 replies; 96+ messages in thread From: Martin Schwidefsky @ 2016-06-10 10:51 UTC (permalink / raw) To: linux-arm-kernel On Thu, 9 Jun 2016 14:02:01 -0700 Kees Cook <keescook@chromium.org> wrote: > Close the hole where ptrace can change a syscall out from under seccomp. > > Signed-off-by: Kees Cook <keescook@chromium.org> > Cc: Heiko Carstens <heiko.carstens@de.ibm.com> > Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> > Cc: linux-s390 at vger.kernel.org > --- > arch/s390/kernel/ptrace.c | 21 +++++++++------------ > 1 file changed, 9 insertions(+), 12 deletions(-) If the change in semantics in regard to the audit of skipped system calls is acceptable, the modified s390 arch code is ok. -- blue skies, Martin. "Reality continues to ruin my life." - Calvin. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [PATCH 11/14] s390/ptrace: run seccomp after ptrace @ 2016-06-10 10:51 ` Martin Schwidefsky 0 siblings, 0 replies; 96+ messages in thread From: Martin Schwidefsky @ 2016-06-10 10:51 UTC (permalink / raw) To: Kees Cook Cc: linux-kernel, Heiko Carstens, linux-s390, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, Maciej W. Rozycki, Mark Rutland, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon, x86 On Thu, 9 Jun 2016 14:02:01 -0700 Kees Cook <keescook@chromium.org> wrote: > Close the hole where ptrace can change a syscall out from under seccomp. > > Signed-off-by: Kees Cook <keescook@chromium.org> > Cc: Heiko Carstens <heiko.carstens@de.ibm.com> > Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> > Cc: linux-s390@vger.kernel.org > --- > arch/s390/kernel/ptrace.c | 21 +++++++++------------ > 1 file changed, 9 insertions(+), 12 deletions(-) If the change in semantics in regard to the audit of skipped system calls is acceptable, the modified s390 arch code is ok. -- blue skies, Martin. "Reality continues to ruin my life." - Calvin. ^ permalink raw reply [flat|nested] 96+ messages in thread
* [PATCH 12/14] powerpc/ptrace: run seccomp after ptrace 2016-06-09 21:01 ` Kees Cook (?) (?) @ 2016-06-09 21:02 ` Kees Cook -1 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Michael Ellerman, Benjamin Herrenschmidt, Paul Mackerras, linuxppc-dev, Andy Lutomirski, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Ralf Baechle, Richard Weinberger, Russell King Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Michael Ellerman <mpe@ellerman.id.au> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Paul Mackerras <paulus@samba.org> Cc: linuxppc-dev@lists.ozlabs.org --- arch/powerpc/kernel/ptrace.c | 44 +++++++++++++++++++++++--------------------- 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c index ed799e994773..5dc47ebb3840 100644 --- a/arch/powerpc/kernel/ptrace.c +++ b/arch/powerpc/kernel/ptrace.c @@ -1788,7 +1788,7 @@ static int do_seccomp(struct pt_regs *regs) /* * The syscall was allowed by seccomp, restore the register - * state to what ptrace and audit expect. + * state to what audit expects. * Note that we use orig_gpr3, which means a seccomp tracer can * modify the first syscall parameter (in orig_gpr3) and also * allow the syscall to proceed. @@ -1822,22 +1822,25 @@ static inline int do_seccomp(struct pt_regs *regs) { return 0; } */ long do_syscall_trace_enter(struct pt_regs *regs) { - bool abort = false; - user_exit(); + /* + * The tracer may decide to abort the syscall, if so tracehook + * will return !0. Note that the tracer may also just change + * regs->gpr[0] to an invalid syscall number, that is handled + * below on the exit path. + */ + if (test_thread_flag(TIF_SYSCALL_TRACE) && + tracehook_report_syscall_entry(regs)) + goto skip; + + /* Run seccomp after ptrace; allow it to set gpr[3]. */ if (do_seccomp(regs)) return -1; - if (test_thread_flag(TIF_SYSCALL_TRACE)) { - /* - * The tracer may decide to abort the syscall, if so tracehook - * will return !0. Note that the tracer may also just change - * regs->gpr[0] to an invalid syscall number, that is handled - * below on the exit path. - */ - abort = tracehook_report_syscall_entry(regs) != 0; - } + /* Avoid trace and audit when syscall is invalid. */ + if (regs->gpr[0] >= NR_syscalls) + goto skip; if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) trace_sys_enter(regs, regs->gpr[0]); @@ -1854,17 +1857,16 @@ long do_syscall_trace_enter(struct pt_regs *regs) regs->gpr[5] & 0xffffffff, regs->gpr[6] & 0xffffffff); - if (abort || regs->gpr[0] >= NR_syscalls) { - /* - * If we are aborting explicitly, or if the syscall number is - * now invalid, set the return value to -ENOSYS. - */ - regs->gpr[3] = -ENOSYS; - return -1; - } - /* Return the possibly modified but valid syscall number */ return regs->gpr[0]; + +skip: + /* + * If we are aborting explicitly, or if the syscall number is + * now invalid, set the return value to -ENOSYS. + */ + regs->gpr[3] = -ENOSYS; + return -1; } void do_syscall_trace_leave(struct pt_regs *regs) -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 12/14] powerpc/ptrace: run seccomp after ptrace @ 2016-06-09 21:02 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-arm-kernel Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Michael Ellerman <mpe@ellerman.id.au> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Paul Mackerras <paulus@samba.org> Cc: linuxppc-dev at lists.ozlabs.org --- arch/powerpc/kernel/ptrace.c | 44 +++++++++++++++++++++++--------------------- 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c index ed799e994773..5dc47ebb3840 100644 --- a/arch/powerpc/kernel/ptrace.c +++ b/arch/powerpc/kernel/ptrace.c @@ -1788,7 +1788,7 @@ static int do_seccomp(struct pt_regs *regs) /* * The syscall was allowed by seccomp, restore the register - * state to what ptrace and audit expect. + * state to what audit expects. * Note that we use orig_gpr3, which means a seccomp tracer can * modify the first syscall parameter (in orig_gpr3) and also * allow the syscall to proceed. @@ -1822,22 +1822,25 @@ static inline int do_seccomp(struct pt_regs *regs) { return 0; } */ long do_syscall_trace_enter(struct pt_regs *regs) { - bool abort = false; - user_exit(); + /* + * The tracer may decide to abort the syscall, if so tracehook + * will return !0. Note that the tracer may also just change + * regs->gpr[0] to an invalid syscall number, that is handled + * below on the exit path. + */ + if (test_thread_flag(TIF_SYSCALL_TRACE) && + tracehook_report_syscall_entry(regs)) + goto skip; + + /* Run seccomp after ptrace; allow it to set gpr[3]. */ if (do_seccomp(regs)) return -1; - if (test_thread_flag(TIF_SYSCALL_TRACE)) { - /* - * The tracer may decide to abort the syscall, if so tracehook - * will return !0. Note that the tracer may also just change - * regs->gpr[0] to an invalid syscall number, that is handled - * below on the exit path. - */ - abort = tracehook_report_syscall_entry(regs) != 0; - } + /* Avoid trace and audit when syscall is invalid. */ + if (regs->gpr[0] >= NR_syscalls) + goto skip; if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) trace_sys_enter(regs, regs->gpr[0]); @@ -1854,17 +1857,16 @@ long do_syscall_trace_enter(struct pt_regs *regs) regs->gpr[5] & 0xffffffff, regs->gpr[6] & 0xffffffff); - if (abort || regs->gpr[0] >= NR_syscalls) { - /* - * If we are aborting explicitly, or if the syscall number is - * now invalid, set the return value to -ENOSYS. - */ - regs->gpr[3] = -ENOSYS; - return -1; - } - /* Return the possibly modified but valid syscall number */ return regs->gpr[0]; + +skip: + /* + * If we are aborting explicitly, or if the syscall number is + * now invalid, set the return value to -ENOSYS. + */ + regs->gpr[3] = -ENOSYS; + return -1; } void do_syscall_trace_leave(struct pt_regs *regs) -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 12/14] powerpc/ptrace: run seccomp after ptrace @ 2016-06-09 21:02 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Michael Ellerman, Benjamin Herrenschmidt, Paul Mackerras, linuxppc-dev, Andy Lutomirski, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Ralf Baechle, Richard Weinberger, Russell King Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Michael Ellerman <mpe@ellerman.id.au> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Paul Mackerras <paulus@samba.org> Cc: linuxppc-dev@lists.ozlabs.org --- arch/powerpc/kernel/ptrace.c | 44 +++++++++++++++++++++++--------------------- 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c index ed799e994773..5dc47ebb3840 100644 --- a/arch/powerpc/kernel/ptrace.c +++ b/arch/powerpc/kernel/ptrace.c @@ -1788,7 +1788,7 @@ static int do_seccomp(struct pt_regs *regs) /* * The syscall was allowed by seccomp, restore the register - * state to what ptrace and audit expect. + * state to what audit expects. * Note that we use orig_gpr3, which means a seccomp tracer can * modify the first syscall parameter (in orig_gpr3) and also * allow the syscall to proceed. @@ -1822,22 +1822,25 @@ static inline int do_seccomp(struct pt_regs *regs) { return 0; } */ long do_syscall_trace_enter(struct pt_regs *regs) { - bool abort = false; - user_exit(); + /* + * The tracer may decide to abort the syscall, if so tracehook + * will return !0. Note that the tracer may also just change + * regs->gpr[0] to an invalid syscall number, that is handled + * below on the exit path. + */ + if (test_thread_flag(TIF_SYSCALL_TRACE) && + tracehook_report_syscall_entry(regs)) + goto skip; + + /* Run seccomp after ptrace; allow it to set gpr[3]. */ if (do_seccomp(regs)) return -1; - if (test_thread_flag(TIF_SYSCALL_TRACE)) { - /* - * The tracer may decide to abort the syscall, if so tracehook - * will return !0. Note that the tracer may also just change - * regs->gpr[0] to an invalid syscall number, that is handled - * below on the exit path. - */ - abort = tracehook_report_syscall_entry(regs) != 0; - } + /* Avoid trace and audit when syscall is invalid. */ + if (regs->gpr[0] >= NR_syscalls) + goto skip; if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) trace_sys_enter(regs, regs->gpr[0]); @@ -1854,17 +1857,16 @@ long do_syscall_trace_enter(struct pt_regs *regs) regs->gpr[5] & 0xffffffff, regs->gpr[6] & 0xffffffff); - if (abort || regs->gpr[0] >= NR_syscalls) { - /* - * If we are aborting explicitly, or if the syscall number is - * now invalid, set the return value to -ENOSYS. - */ - regs->gpr[3] = -ENOSYS; - return -1; - } - /* Return the possibly modified but valid syscall number */ return regs->gpr[0]; + +skip: + /* + * If we are aborting explicitly, or if the syscall number is + * now invalid, set the return value to -ENOSYS. + */ + regs->gpr[3] = -ENOSYS; + return -1; } void do_syscall_trace_leave(struct pt_regs *regs) -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 12/14] powerpc/ptrace: run seccomp after ptrace @ 2016-06-09 21:02 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Michael Ellerman, Benjamin Herrenschmidt, Paul Mackerras, linuxppc-dev, Andy Lutomirski, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon, x86 Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Michael Ellerman <mpe@ellerman.id.au> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Paul Mackerras <paulus@samba.org> Cc: linuxppc-dev@lists.ozlabs.org --- arch/powerpc/kernel/ptrace.c | 44 +++++++++++++++++++++++--------------------- 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c index ed799e994773..5dc47ebb3840 100644 --- a/arch/powerpc/kernel/ptrace.c +++ b/arch/powerpc/kernel/ptrace.c @@ -1788,7 +1788,7 @@ static int do_seccomp(struct pt_regs *regs) /* * The syscall was allowed by seccomp, restore the register - * state to what ptrace and audit expect. + * state to what audit expects. * Note that we use orig_gpr3, which means a seccomp tracer can * modify the first syscall parameter (in orig_gpr3) and also * allow the syscall to proceed. @@ -1822,22 +1822,25 @@ static inline int do_seccomp(struct pt_regs *regs) { return 0; } */ long do_syscall_trace_enter(struct pt_regs *regs) { - bool abort = false; - user_exit(); + /* + * The tracer may decide to abort the syscall, if so tracehook + * will return !0. Note that the tracer may also just change + * regs->gpr[0] to an invalid syscall number, that is handled + * below on the exit path. + */ + if (test_thread_flag(TIF_SYSCALL_TRACE) && + tracehook_report_syscall_entry(regs)) + goto skip; + + /* Run seccomp after ptrace; allow it to set gpr[3]. */ if (do_seccomp(regs)) return -1; - if (test_thread_flag(TIF_SYSCALL_TRACE)) { - /* - * The tracer may decide to abort the syscall, if so tracehook - * will return !0. Note that the tracer may also just change - * regs->gpr[0] to an invalid syscall number, that is handled - * below on the exit path. - */ - abort = tracehook_report_syscall_entry(regs) != 0; - } + /* Avoid trace and audit when syscall is invalid. */ + if (regs->gpr[0] >= NR_syscalls) + goto skip; if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) trace_sys_enter(regs, regs->gpr[0]); @@ -1854,17 +1857,16 @@ long do_syscall_trace_enter(struct pt_regs *regs) regs->gpr[5] & 0xffffffff, regs->gpr[6] & 0xffffffff); - if (abort || regs->gpr[0] >= NR_syscalls) { - /* - * If we are aborting explicitly, or if the syscall number is - * now invalid, set the return value to -ENOSYS. - */ - regs->gpr[3] = -ENOSYS; - return -1; - } - /* Return the possibly modified but valid syscall number */ return regs->gpr[0]; + +skip: + /* + * If we are aborting explicitly, or if the syscall number is + * now invalid, set the return value to -ENOSYS. + */ + regs->gpr[3] = -ENOSYS; + return -1; } void do_syscall_trace_leave(struct pt_regs *regs) -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 13/14] tile/ptrace: run seccomp after ptrace 2016-06-09 21:01 ` Kees Cook ` (2 preceding siblings ...) (?) @ 2016-06-09 21:02 ` Kees Cook -1 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-kernel Cc: Mark Rutland, linux-mips, Benjamin Herrenschmidt, Heiko Carstens, Russell King, Paul Mackerras, Chris Metcalf, linux-arch, linux-s390, Michael Ellerman, Helge Deller, x86, James E.J. Bottomley, Catalin Marinas, James Hogan, Kees Cook, user-mode-linux-devel, Will Deacon, Jeff Dike, Andy Lutomirski, linux-arm-kernel, linux-parisc, Ralf Baechle, Richard Weinberger, Martin Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Chris Metcalf <cmetcalf@mellanox.com> --- arch/tile/kernel/ptrace.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/arch/tile/kernel/ptrace.c b/arch/tile/kernel/ptrace.c index 8c6d2f2fefa3..d89b7011667c 100644 --- a/arch/tile/kernel/ptrace.c +++ b/arch/tile/kernel/ptrace.c @@ -255,14 +255,15 @@ int do_syscall_trace_enter(struct pt_regs *regs) { u32 work = ACCESS_ONCE(current_thread_info()->flags); - if (secure_computing(NULL) == -1) + if ((work & _TIF_SYSCALL_TRACE) && + tracehook_report_syscall_entry(regs)) { + regs->regs[TREG_SYSCALL_NR] = -1; return -1; - - if (work & _TIF_SYSCALL_TRACE) { - if (tracehook_report_syscall_entry(regs)) - regs->regs[TREG_SYSCALL_NR] = -1; } + if (secure_computing(NULL) == -1) + return -1; + if (work & _TIF_SYSCALL_TRACEPOINT) trace_sys_enter(regs, regs->regs[TREG_SYSCALL_NR]); -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 13/14] tile/ptrace: run seccomp after ptrace @ 2016-06-09 21:02 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-kernel Cc: Mark Rutland, linux-mips, Benjamin Herrenschmidt, Heiko Carstens, Russell King, Paul Mackerras, Chris Metcalf, linux-arch, linux-s390, Michael Ellerman, Helge Deller, x86, James E.J. Bottomley, Catalin Marinas, James Hogan, Kees Cook, user-mode-linux-devel, Will Deacon, Jeff Dike, Andy Lutomirski, linux-arm-kernel, linux-parisc, Ralf Baechle, Richard Weinberger, Martin Schwidefsky, Maciej W. Rozycki, linuxppc-dev Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Chris Metcalf <cmetcalf@mellanox.com> --- arch/tile/kernel/ptrace.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/arch/tile/kernel/ptrace.c b/arch/tile/kernel/ptrace.c index 8c6d2f2fefa3..d89b7011667c 100644 --- a/arch/tile/kernel/ptrace.c +++ b/arch/tile/kernel/ptrace.c @@ -255,14 +255,15 @@ int do_syscall_trace_enter(struct pt_regs *regs) { u32 work = ACCESS_ONCE(current_thread_info()->flags); - if (secure_computing(NULL) == -1) + if ((work & _TIF_SYSCALL_TRACE) && + tracehook_report_syscall_entry(regs)) { + regs->regs[TREG_SYSCALL_NR] = -1; return -1; - - if (work & _TIF_SYSCALL_TRACE) { - if (tracehook_report_syscall_entry(regs)) - regs->regs[TREG_SYSCALL_NR] = -1; } + if (secure_computing(NULL) == -1) + return -1; + if (work & _TIF_SYSCALL_TRACEPOINT) trace_sys_enter(regs, regs->regs[TREG_SYSCALL_NR]); -- 2.7.4 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 13/14] tile/ptrace: run seccomp after ptrace @ 2016-06-09 21:02 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-arm-kernel Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Chris Metcalf <cmetcalf@mellanox.com> --- arch/tile/kernel/ptrace.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/arch/tile/kernel/ptrace.c b/arch/tile/kernel/ptrace.c index 8c6d2f2fefa3..d89b7011667c 100644 --- a/arch/tile/kernel/ptrace.c +++ b/arch/tile/kernel/ptrace.c @@ -255,14 +255,15 @@ int do_syscall_trace_enter(struct pt_regs *regs) { u32 work = ACCESS_ONCE(current_thread_info()->flags); - if (secure_computing(NULL) == -1) + if ((work & _TIF_SYSCALL_TRACE) && + tracehook_report_syscall_entry(regs)) { + regs->regs[TREG_SYSCALL_NR] = -1; return -1; - - if (work & _TIF_SYSCALL_TRACE) { - if (tracehook_report_syscall_entry(regs)) - regs->regs[TREG_SYSCALL_NR] = -1; } + if (secure_computing(NULL) == -1) + return -1; + if (work & _TIF_SYSCALL_TRACEPOINT) trace_sys_enter(regs, regs->regs[TREG_SYSCALL_NR]); -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 13/14] tile/ptrace: run seccomp after ptrace @ 2016-06-09 21:02 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-kernel Cc: Mark Rutland, linux-mips, Benjamin Herrenschmidt, Heiko Carstens, Russell King, Paul Mackerras, Chris Metcalf, linux-arch, linux-s390, Michael Ellerman, Helge Deller, x86, James E.J. Bottomley, Catalin Marinas, James Hogan, Kees Cook, user-mode-linux-devel, Will Deacon, Jeff Dike, Andy Lutomirski, linux-arm-kernel, linux-parisc, Ralf Baechle, Richard Weinberger, Martin Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Chris Metcalf <cmetcalf@mellanox.com> --- arch/tile/kernel/ptrace.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/arch/tile/kernel/ptrace.c b/arch/tile/kernel/ptrace.c index 8c6d2f2fefa3..d89b7011667c 100644 --- a/arch/tile/kernel/ptrace.c +++ b/arch/tile/kernel/ptrace.c @@ -255,14 +255,15 @@ int do_syscall_trace_enter(struct pt_regs *regs) { u32 work = ACCESS_ONCE(current_thread_info()->flags); - if (secure_computing(NULL) == -1) + if ((work & _TIF_SYSCALL_TRACE) && + tracehook_report_syscall_entry(regs)) { + regs->regs[TREG_SYSCALL_NR] = -1; return -1; - - if (work & _TIF_SYSCALL_TRACE) { - if (tracehook_report_syscall_entry(regs)) - regs->regs[TREG_SYSCALL_NR] = -1; } + if (secure_computing(NULL) == -1) + return -1; + if (work & _TIF_SYSCALL_TRACEPOINT) trace_sys_enter(regs, regs->regs[TREG_SYSCALL_NR]); -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 13/14] tile/ptrace: run seccomp after ptrace @ 2016-06-09 21:02 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Chris Metcalf, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon, x86 Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Chris Metcalf <cmetcalf@mellanox.com> --- arch/tile/kernel/ptrace.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/arch/tile/kernel/ptrace.c b/arch/tile/kernel/ptrace.c index 8c6d2f2fefa3..d89b7011667c 100644 --- a/arch/tile/kernel/ptrace.c +++ b/arch/tile/kernel/ptrace.c @@ -255,14 +255,15 @@ int do_syscall_trace_enter(struct pt_regs *regs) { u32 work = ACCESS_ONCE(current_thread_info()->flags); - if (secure_computing(NULL) == -1) + if ((work & _TIF_SYSCALL_TRACE) && + tracehook_report_syscall_entry(regs)) { + regs->regs[TREG_SYSCALL_NR] = -1; return -1; - - if (work & _TIF_SYSCALL_TRACE) { - if (tracehook_report_syscall_entry(regs)) - regs->regs[TREG_SYSCALL_NR] = -1; } + if (secure_computing(NULL) == -1) + return -1; + if (work & _TIF_SYSCALL_TRACEPOINT) trace_sys_enter(regs, regs->regs[TREG_SYSCALL_NR]); -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 14/14] um/ptrace: run seccomp after ptrace 2016-06-09 21:01 ` Kees Cook ` (2 preceding siblings ...) (?) @ 2016-06-09 21:02 ` Kees Cook -1 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Jeff Dike, Richard Weinberger, user-mode-linux-devel, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Jeff Dike <jdike@addtoit.com> Cc: Richard Weinberger <richard@nod.at> Cc: user-mode-linux-devel@lists.sourceforge.net --- arch/um/kernel/skas/syscall.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c index 9c5570f0f397..ef4b8f949b51 100644 --- a/arch/um/kernel/skas/syscall.c +++ b/arch/um/kernel/skas/syscall.c @@ -20,12 +20,12 @@ void handle_syscall(struct uml_pt_regs *r) UPT_SYSCALL_NR(r) = PT_SYSCALL_NR(r->gp); PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS); - /* Do the secure computing check first; failures should be fast. */ - if (secure_computing(NULL) == -1) + if (syscall_trace_enter(regs)) return; - if (syscall_trace_enter(regs)) - goto out; + /* Do the seccomp check after ptrace; failures should be fast. */ + if (secure_computing(NULL) == -1) + return; /* Update the syscall number after orig_ax has potentially been updated * with ptrace. @@ -37,6 +37,5 @@ void handle_syscall(struct uml_pt_regs *r) PT_REGS_SET_SYSCALL_RETURN(regs, EXECUTE_SYSCALL(syscall, regs)); -out: syscall_trace_leave(regs); } -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 14/14] um/ptrace: run seccomp after ptrace @ 2016-06-09 21:02 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-kernel Cc: Mark Rutland, linux-mips, Catalin Marinas, Heiko Carstens, Russell King, Paul Mackerras, Chris Metcalf, linux-arch, linux-s390, Michael Ellerman, Helge Deller, x86, James E.J. Bottomley, Benjamin Herrenschmidt, James Hogan, Kees Cook, user-mode-linux-devel, Will Deacon, Jeff Dike, Andy Lutomirski, linux-arm-kernel, linux-parisc, Ralf Baechle, Richard Weinberger, Martin Schwidefsky, Maciej W. Rozycki, linuxppc-dev Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Jeff Dike <jdike@addtoit.com> Cc: Richard Weinberger <richard@nod.at> Cc: user-mode-linux-devel@lists.sourceforge.net --- arch/um/kernel/skas/syscall.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c index 9c5570f0f397..ef4b8f949b51 100644 --- a/arch/um/kernel/skas/syscall.c +++ b/arch/um/kernel/skas/syscall.c @@ -20,12 +20,12 @@ void handle_syscall(struct uml_pt_regs *r) UPT_SYSCALL_NR(r) = PT_SYSCALL_NR(r->gp); PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS); - /* Do the secure computing check first; failures should be fast. */ - if (secure_computing(NULL) == -1) + if (syscall_trace_enter(regs)) return; - if (syscall_trace_enter(regs)) - goto out; + /* Do the seccomp check after ptrace; failures should be fast. */ + if (secure_computing(NULL) == -1) + return; /* Update the syscall number after orig_ax has potentially been updated * with ptrace. @@ -37,6 +37,5 @@ void handle_syscall(struct uml_pt_regs *r) PT_REGS_SET_SYSCALL_RETURN(regs, EXECUTE_SYSCALL(syscall, regs)); -out: syscall_trace_leave(regs); } -- 2.7.4 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 14/14] um/ptrace: run seccomp after ptrace @ 2016-06-09 21:02 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-arm-kernel Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Jeff Dike <jdike@addtoit.com> Cc: Richard Weinberger <richard@nod.at> Cc: user-mode-linux-devel at lists.sourceforge.net --- arch/um/kernel/skas/syscall.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c index 9c5570f0f397..ef4b8f949b51 100644 --- a/arch/um/kernel/skas/syscall.c +++ b/arch/um/kernel/skas/syscall.c @@ -20,12 +20,12 @@ void handle_syscall(struct uml_pt_regs *r) UPT_SYSCALL_NR(r) = PT_SYSCALL_NR(r->gp); PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS); - /* Do the secure computing check first; failures should be fast. */ - if (secure_computing(NULL) == -1) + if (syscall_trace_enter(regs)) return; - if (syscall_trace_enter(regs)) - goto out; + /* Do the seccomp check after ptrace; failures should be fast. */ + if (secure_computing(NULL) == -1) + return; /* Update the syscall number after orig_ax has potentially been updated * with ptrace. @@ -37,6 +37,5 @@ void handle_syscall(struct uml_pt_regs *r) PT_REGS_SET_SYSCALL_RETURN(regs, EXECUTE_SYSCALL(syscall, regs)); -out: syscall_trace_leave(regs); } -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 14/14] um/ptrace: run seccomp after ptrace @ 2016-06-09 21:02 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Jeff Dike, Richard Weinberger, user-mode-linux-devel, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Jeff Dike <jdike@addtoit.com> Cc: Richard Weinberger <richard@nod.at> Cc: user-mode-linux-devel@lists.sourceforge.net --- arch/um/kernel/skas/syscall.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c index 9c5570f0f397..ef4b8f949b51 100644 --- a/arch/um/kernel/skas/syscall.c +++ b/arch/um/kernel/skas/syscall.c @@ -20,12 +20,12 @@ void handle_syscall(struct uml_pt_regs *r) UPT_SYSCALL_NR(r) = PT_SYSCALL_NR(r->gp); PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS); - /* Do the secure computing check first; failures should be fast. */ - if (secure_computing(NULL) == -1) + if (syscall_trace_enter(regs)) return; - if (syscall_trace_enter(regs)) - goto out; + /* Do the seccomp check after ptrace; failures should be fast. */ + if (secure_computing(NULL) == -1) + return; /* Update the syscall number after orig_ax has potentially been updated * with ptrace. @@ -37,6 +37,5 @@ void handle_syscall(struct uml_pt_regs *r) PT_REGS_SET_SYSCALL_RETURN(regs, EXECUTE_SYSCALL(syscall, regs)); -out: syscall_trace_leave(regs); } -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* [PATCH 14/14] um/ptrace: run seccomp after ptrace @ 2016-06-09 21:02 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-09 21:02 UTC (permalink / raw) To: linux-kernel Cc: Kees Cook, Jeff Dike, Richard Weinberger, user-mode-linux-devel, Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, linux-arch, linux-arm-kernel, linux-mips, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Russell King, Will Deacon, x86 Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Jeff Dike <jdike@addtoit.com> Cc: Richard Weinberger <richard@nod.at> Cc: user-mode-linux-devel@lists.sourceforge.net --- arch/um/kernel/skas/syscall.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c index 9c5570f0f397..ef4b8f949b51 100644 --- a/arch/um/kernel/skas/syscall.c +++ b/arch/um/kernel/skas/syscall.c @@ -20,12 +20,12 @@ void handle_syscall(struct uml_pt_regs *r) UPT_SYSCALL_NR(r) = PT_SYSCALL_NR(r->gp); PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS); - /* Do the secure computing check first; failures should be fast. */ - if (secure_computing(NULL) == -1) + if (syscall_trace_enter(regs)) return; - if (syscall_trace_enter(regs)) - goto out; + /* Do the seccomp check after ptrace; failures should be fast. */ + if (secure_computing(NULL) == -1) + return; /* Update the syscall number after orig_ax has potentially been updated * with ptrace. @@ -37,6 +37,5 @@ void handle_syscall(struct uml_pt_regs *r) PT_REGS_SET_SYSCALL_RETURN(regs, EXECUTE_SYSCALL(syscall, regs)); -out: syscall_trace_leave(regs); } -- 2.7.4 ^ permalink raw reply related [flat|nested] 96+ messages in thread
* Re: [PATCH 00/14] run seccomp after ptrace 2016-06-09 21:01 ` Kees Cook ` (2 preceding siblings ...) (?) @ 2016-06-13 20:50 ` Kees Cook -1 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-13 20:50 UTC (permalink / raw) To: LKML Cc: Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, Linux MIPS Mailing List, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul (Oops, forgot to send this series through the lsm list...) On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: > There has been a long-standing (and documented) issue with seccomp > where ptrace can be used to change a syscall out from under seccomp. > This is a problem for containers and other wider seccomp filtered > environments where ptrace needs to remain available, as it allows > for an escape of the seccomp filter. > > Since the ptrace attack surface is available for any allowed syscall, > moving seccomp after ptrace doesn't increase the actually available > attack surface. And this actually improves tracing since, for > example, tracers will be notified of syscall entry before seccomp > sends a SIGSYS, which makes debugging filters much easier. > > The per-architecture changes do make one (hopefully small) > semantic change, which is that since ptrace comes first, it may > request a syscall be skipped. Running seccomp after this doesn't > make sense, so if ptrace wants to skip a syscall, it will bail > out early similarly to how seccomp was. This means that skipped > syscalls will not be fed through audit, though that likely means > we're actually avoiding noise this way. > > This series first cleans up seccomp to remove the now unneeded > two-phase entry, fixes the SECCOMP_RET_TRACE hole (same as the > ptrace hole above), and then reorders seccomp after ptrace on > each architecture. Has anyone else had a chance to review this series? I'd like to get it landed in -next as early as possible in case there are unexpected problems... -Kees -- Kees Cook Chrome OS & Brillo Security ^ permalink raw reply [flat|nested] 96+ messages in thread
* [PATCH 00/14] run seccomp after ptrace @ 2016-06-13 20:50 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-13 20:50 UTC (permalink / raw) To: linux-arm-kernel (Oops, forgot to send this series through the lsm list...) On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: > There has been a long-standing (and documented) issue with seccomp > where ptrace can be used to change a syscall out from under seccomp. > This is a problem for containers and other wider seccomp filtered > environments where ptrace needs to remain available, as it allows > for an escape of the seccomp filter. > > Since the ptrace attack surface is available for any allowed syscall, > moving seccomp after ptrace doesn't increase the actually available > attack surface. And this actually improves tracing since, for > example, tracers will be notified of syscall entry before seccomp > sends a SIGSYS, which makes debugging filters much easier. > > The per-architecture changes do make one (hopefully small) > semantic change, which is that since ptrace comes first, it may > request a syscall be skipped. Running seccomp after this doesn't > make sense, so if ptrace wants to skip a syscall, it will bail > out early similarly to how seccomp was. This means that skipped > syscalls will not be fed through audit, though that likely means > we're actually avoiding noise this way. > > This series first cleans up seccomp to remove the now unneeded > two-phase entry, fixes the SECCOMP_RET_TRACE hole (same as the > ptrace hole above), and then reorders seccomp after ptrace on > each architecture. Has anyone else had a chance to review this series? I'd like to get it landed in -next as early as possible in case there are unexpected problems... -Kees -- Kees Cook Chrome OS & Brillo Security ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [PATCH 00/14] run seccomp after ptrace @ 2016-06-13 20:50 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-13 20:50 UTC (permalink / raw) To: LKML Cc: Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, Linux MIPS Mailing List, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon, x86, linux-security-module (Oops, forgot to send this series through the lsm list...) On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: > There has been a long-standing (and documented) issue with seccomp > where ptrace can be used to change a syscall out from under seccomp. > This is a problem for containers and other wider seccomp filtered > environments where ptrace needs to remain available, as it allows > for an escape of the seccomp filter. > > Since the ptrace attack surface is available for any allowed syscall, > moving seccomp after ptrace doesn't increase the actually available > attack surface. And this actually improves tracing since, for > example, tracers will be notified of syscall entry before seccomp > sends a SIGSYS, which makes debugging filters much easier. > > The per-architecture changes do make one (hopefully small) > semantic change, which is that since ptrace comes first, it may > request a syscall be skipped. Running seccomp after this doesn't > make sense, so if ptrace wants to skip a syscall, it will bail > out early similarly to how seccomp was. This means that skipped > syscalls will not be fed through audit, though that likely means > we're actually avoiding noise this way. > > This series first cleans up seccomp to remove the now unneeded > two-phase entry, fixes the SECCOMP_RET_TRACE hole (same as the > ptrace hole above), and then reorders seccomp after ptrace on > each architecture. Has anyone else had a chance to review this series? I'd like to get it landed in -next as early as possible in case there are unexpected problems... -Kees -- Kees Cook Chrome OS & Brillo Security ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [PATCH 00/14] run seccomp after ptrace @ 2016-06-13 20:50 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-13 20:50 UTC (permalink / raw) To: LKML Cc: Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, Linux MIPS Mailing List, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul (Oops, forgot to send this series through the lsm list...) On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: > There has been a long-standing (and documented) issue with seccomp > where ptrace can be used to change a syscall out from under seccomp. > This is a problem for containers and other wider seccomp filtered > environments where ptrace needs to remain available, as it allows > for an escape of the seccomp filter. > > Since the ptrace attack surface is available for any allowed syscall, > moving seccomp after ptrace doesn't increase the actually available > attack surface. And this actually improves tracing since, for > example, tracers will be notified of syscall entry before seccomp > sends a SIGSYS, which makes debugging filters much easier. > > The per-architecture changes do make one (hopefully small) > semantic change, which is that since ptrace comes first, it may > request a syscall be skipped. Running seccomp after this doesn't > make sense, so if ptrace wants to skip a syscall, it will bail > out early similarly to how seccomp was. This means that skipped > syscalls will not be fed through audit, though that likely means > we're actually avoiding noise this way. > > This series first cleans up seccomp to remove the now unneeded > two-phase entry, fixes the SECCOMP_RET_TRACE hole (same as the > ptrace hole above), and then reorders seccomp after ptrace on > each architecture. Has anyone else had a chance to review this series? I'd like to get it landed in -next as early as possible in case there are unexpected problems... -Kees -- Kees Cook Chrome OS & Brillo Security ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [PATCH 00/14] run seccomp after ptrace @ 2016-06-13 20:50 ` Kees Cook 0 siblings, 0 replies; 96+ messages in thread From: Kees Cook @ 2016-06-13 20:50 UTC (permalink / raw) To: LKML Cc: Andy Lutomirski, Benjamin Herrenschmidt, Catalin Marinas, Chris Metcalf, Heiko Carstens, Helge Deller, James E.J. Bottomley, James Hogan, Jeff Dike, linux-arch, linux-arm-kernel, Linux MIPS Mailing List, linux-parisc, linuxppc-dev, linux-s390, Maciej W. Rozycki, Mark Rutland, Martin Schwidefsky, Michael Ellerman, Paul Mackerras, Ralf Baechle, Richard Weinberger, Russell King, user-mode-linux-devel, Will Deacon, x86, linux-security-module (Oops, forgot to send this series through the lsm list...) On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@chromium.org> wrote: > There has been a long-standing (and documented) issue with seccomp > where ptrace can be used to change a syscall out from under seccomp. > This is a problem for containers and other wider seccomp filtered > environments where ptrace needs to remain available, as it allows > for an escape of the seccomp filter. > > Since the ptrace attack surface is available for any allowed syscall, > moving seccomp after ptrace doesn't increase the actually available > attack surface. And this actually improves tracing since, for > example, tracers will be notified of syscall entry before seccomp > sends a SIGSYS, which makes debugging filters much easier. > > The per-architecture changes do make one (hopefully small) > semantic change, which is that since ptrace comes first, it may > request a syscall be skipped. Running seccomp after this doesn't > make sense, so if ptrace wants to skip a syscall, it will bail > out early similarly to how seccomp was. This means that skipped > syscalls will not be fed through audit, though that likely means > we're actually avoiding noise this way. > > This series first cleans up seccomp to remove the now unneeded > two-phase entry, fixes the SECCOMP_RET_TRACE hole (same as the > ptrace hole above), and then reorders seccomp after ptrace on > each architecture. Has anyone else had a chance to review this series? I'd like to get it landed in -next as early as possible in case there are unexpected problems... -Kees -- Kees Cook Chrome OS & Brillo Security ^ permalink raw reply [flat|nested] 96+ messages in thread
end of thread, other threads:[~2016-06-14 2:28 UTC | newest] Thread overview: 96+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2016-06-09 21:01 [PATCH 00/14] run seccomp after ptrace Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` [PATCH 01/14] seccomp: add tests for ptrace hole Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` [PATCH 02/14] seccomp: Add a seccomp_data parameter secure_computing() Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` [PATCH 03/14] x86/entry: Get rid of two-phase syscall entry work Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` [PATCH 04/14] seccomp: remove 2-phase API Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` [PATCH 05/14] seccomp: recheck the syscall after RET_TRACE Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 22:46 ` Andy Lutomirski 2016-06-09 22:46 ` Andy Lutomirski 2016-06-09 22:46 ` Andy Lutomirski 2016-06-09 22:46 ` Andy Lutomirski 2016-06-09 22:46 ` Andy Lutomirski 2016-06-09 21:01 ` [PATCH 06/14] x86/ptrace: run seccomp after ptrace Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 22:52 ` Andy Lutomirski 2016-06-09 22:52 ` Andy Lutomirski 2016-06-09 22:52 ` Andy Lutomirski 2016-06-09 22:52 ` Andy Lutomirski 2016-06-09 22:52 ` Andy Lutomirski 2016-06-10 2:01 ` Kees Cook 2016-06-10 2:01 ` Kees Cook 2016-06-10 2:01 ` Kees Cook 2016-06-10 2:01 ` Kees Cook 2016-06-10 2:01 ` Kees Cook 2016-06-14 2:27 ` Andy Lutomirski 2016-06-14 2:27 ` Andy Lutomirski 2016-06-14 2:27 ` Andy Lutomirski 2016-06-14 2:27 ` Andy Lutomirski 2016-06-14 2:27 ` Andy Lutomirski 2016-06-09 21:01 ` [PATCH 07/14] arm/ptrace: " Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` [PATCH 08/14] arm64/ptrace: " Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` [PATCH 09/14] MIPS/ptrace: " Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:01 ` Kees Cook 2016-06-09 21:02 ` [PATCH 10/14] parisc/ptrace: " Kees Cook 2016-06-09 21:02 ` Kees Cook 2016-06-09 21:02 ` Kees Cook 2016-06-09 21:02 ` Kees Cook 2016-06-09 21:02 ` Kees Cook 2016-06-09 21:02 ` [PATCH 11/14] s390/ptrace: " Kees Cook 2016-06-09 21:02 ` Kees Cook 2016-06-09 21:02 ` Kees Cook 2016-06-09 21:02 ` Kees Cook 2016-06-09 21:02 ` Kees Cook 2016-06-10 10:51 ` Martin Schwidefsky 2016-06-10 10:51 ` Martin Schwidefsky 2016-06-10 10:51 ` Martin Schwidefsky 2016-06-09 21:02 ` [PATCH 12/14] powerpc/ptrace: " Kees Cook 2016-06-09 21:02 ` Kees Cook 2016-06-09 21:02 ` Kees Cook 2016-06-09 21:02 ` Kees Cook 2016-06-09 21:02 ` [PATCH 13/14] tile/ptrace: " Kees Cook 2016-06-09 21:02 ` Kees Cook 2016-06-09 21:02 ` Kees Cook 2016-06-09 21:02 ` Kees Cook 2016-06-09 21:02 ` Kees Cook 2016-06-09 21:02 ` [PATCH 14/14] um/ptrace: " Kees Cook 2016-06-09 21:02 ` Kees Cook 2016-06-09 21:02 ` Kees Cook 2016-06-09 21:02 ` Kees Cook 2016-06-09 21:02 ` Kees Cook 2016-06-13 20:50 ` [PATCH 00/14] " Kees Cook 2016-06-13 20:50 ` Kees Cook 2016-06-13 20:50 ` Kees Cook 2016-06-13 20:50 ` Kees Cook 2016-06-13 20:50 ` Kees Cook
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.