* [PATCH v6 0/2] Add kernel seccomp support for m68k
From: Michael Schmitz @ 2021-06-24 0:45 UTC
To: linux-m68k, geert; +Cc: glaubitz, schwab

Respin of m68k kernel seccomp support.

The number of syscall arguments copied off the stack in
syscall_get_arguments() is limited to 5. Need to figure out where to pull
the last from, for the few six-argument syscalls.

Cheers,

   Michael

* [PATCH v6 1/2] m68k/kernel - wire up syscall_trace_enter/leave for m68k 2021-06-24 0:45 [PATCH v6 0/2] Add kernel seccomp support for m68k Michael Schmitz @ 2021-06-24 0:45 ` Michael Schmitz 2021-06-28 7:25 ` Geert Uytterhoeven 2021-06-24 0:46 ` [PATCH v6 2/2] m68k: add kernel seccomp support Michael Schmitz 1 sibling, 1 reply; 11+ messages in thread From: Michael Schmitz @ 2021-06-24 0:45 UTC (permalink / raw) To: linux-m68k, geert; +Cc: glaubitz, schwab, Michael Schmitz m68k (other than Coldfire) uses syscall_trace for both trace entry and trace exit. Seccomp support requires separate entry points for trace entry and exit which are already provided for Coldfire. Replace syscall_trace by syscall_trace_enter and syscall_trace_leave in preparation for seccomp support. Check return code of syscall_trace_enter(), and skip syscall if -1. Return code will be left at what had been set by ptrace or seccomp (in regs->d0). No regression seen in testing with strace on ARAnyM. Signed-off-by: Michael Schmitz <schmitzmic@gmail.com> -- Changes from v5: - add comment to explain optimization Changes from v4: Andreas Schwab: - optimize return code test (addql #1,%d0 for cmpil #-1,%d0) - spelling fix in commit message Changes from v3: - change syscall_trace_enter return code test from !=0 to ==-1 --- arch/m68k/kernel/entry.S | 8 +++++--- arch/m68k/kernel/ptrace.c | 17 ----------------- 2 files changed, 5 insertions(+), 20 deletions(-) diff --git a/arch/m68k/kernel/entry.S b/arch/m68k/kernel/entry.S index 9dd76fb..d6f941d 100644 --- a/arch/m68k/kernel/entry.S +++ b/arch/m68k/kernel/entry.S @@ -164,9 +164,11 @@ do_trace_entry: movel #-ENOSYS,%sp@(PT_OFF_D0)| needed for strace subql #4,%sp SAVE_SWITCH_STACK - jbsr syscall_trace + jbsr syscall_trace_enter RESTORE_SWITCH_STACK addql #4,%sp + addql #1,%d0 | optimization for cmpil #-1,%d0 + jeq ret_from_syscall movel %sp@(PT_OFF_ORIG_D0),%d0 cmpl #NR_syscalls,%d0 jcs syscall 
@@ -177,7 +179,7 @@ badsys: do_trace_exit: subql #4,%sp SAVE_SWITCH_STACK - jbsr syscall_trace + jbsr syscall_trace_leave RESTORE_SWITCH_STACK addql #4,%sp jra .Lret_from_exception @@ -186,7 +188,7 @@ ENTRY(ret_from_signal) movel %curptr@(TASK_STACK),%a1 tstb %a1@(TINFO_FLAGS+2) jge 1f - jbsr syscall_trace + jbsr syscall_trace_leave 1: RESTORE_SWITCH_STACK addql #4,%sp /* on 68040 complete pending writebacks if any */ diff --git a/arch/m68k/kernel/ptrace.c b/arch/m68k/kernel/ptrace.c index 94b3b27..74d58a8 100644 --- a/arch/m68k/kernel/ptrace.c +++ b/arch/m68k/kernel/ptrace.c @@ -271,22 +271,6 @@ long arch_ptrace(struct task_struct *child, long request, return -EIO; } -asmlinkage void syscall_trace(void) -{ - ptrace_notify(SIGTRAP | ((current->ptrace & PT_TRACESYSGOOD) - ? 0x80 : 0)); - /* - * this isn't the same as continuing with a signal, but it will do - * for normal use. strace only continues with a signal if the - * stopping signal is not SIGTRAP. -brl - */ - if (current->exit_code) { - send_sig(current->exit_code, current, 1); - current->exit_code = 0; - } -} - -#if defined(CONFIG_COLDFIRE) || !defined(CONFIG_MMU) asmlinkage int syscall_trace_enter(void) { int ret = 0; @@ -301,4 +285,3 @@ asmlinkage void syscall_trace_leave(void) if (test_thread_flag(TIF_SYSCALL_TRACE)) tracehook_report_syscall_exit(task_pt_regs(current), 0); } -#endif /* CONFIG_COLDFIRE */ -- 2.7.4 ^ permalink raw reply related [flat|nested] 11+ messages in thread
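Review bot: In the do_trace_entry hunk of arch/m68k/kernel/entry.S, the skip test `addql #1,%d0` / `jeq ret_from_syscall` matches only a return of exactly -1, so any other nonzero value from syscall_trace_enter() falls through and the call is dispatched with the number reloaded from PT_OFF_ORIG_D0. The comment should say that clobbering %d0 is safe because of that reload, and the commit message should state that a tracer or filter that wants a different syscall has to change orig_d0, since the value returned in %d0 is discarded on the fall-through path.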
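Review bot: In the do_trace_exit and ret_from_signal hunks the semantics change more than the rename suggests: the removed syscall_trace() called ptrace_notify() unconditionally and re-sent current->exit_code as a signal, while syscall_trace_leave() reports only when TIF_SYSCALL_TRACE is set, which ret_from_signal has already tested with `tstb %a1@(TINFO_FLAGS+2)` / `jge 1f`. Please say in the commit message that signal re-delivery is now left to tracehook_report_syscall_exit(), and confirm that the strace run included a traced process returning from a signal handler.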
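Review bot: The arch/m68k/kernel/ptrace.c hunk deletes syscall_trace() and drops the `#if defined(CONFIG_COLDFIRE) || !defined(CONFIG_MMU)` guard, but the diffstat converts only arch/m68k/kernel/entry.S. Any other entry code that still does `jbsr syscall_trace` will no longer link, and any that already calls syscall_trace_enter() needs the same return-value check added here, so those files should be updated in this patch rather than later.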
* Re: [PATCH v6 1/2] m68k/kernel - wire up syscall_trace_enter/leave for m68k
From: Geert Uytterhoeven @ 2021-06-28 7:25 UTC
To: Michael Schmitz; +Cc: Linux/m68k, John Paul Adrian Glaubitz, Andreas Schwab

On Thu, Jun 24, 2021 at 2:46 AM Michael Schmitz <schmitzmic@gmail.com> wrote:
>
> m68k (other than Coldfire) uses syscall_trace for both trace entry
> and trace exit. Seccomp support requires separate entry points for
> trace entry and exit which are already provided for Coldfire.
>
> Replace syscall_trace by syscall_trace_enter and syscall_trace_leave
> in preparation for seccomp support. Check return code of
> syscall_trace_enter(), and skip syscall if -1. Return code will be
> left at what had been set by ptrace or seccomp (in regs->d0).
>
> No regression seen in testing with strace on ARAnyM.
>
> Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>

Thanks for your patch!

>  arch/m68k/kernel/entry.S  |  8 +++++---

We need similar changes to arch/m68k/68000/entry.S and
arch/m68k/coldfire/entry.S

>  arch/m68k/kernel/ptrace.c | 17 -----------------
>  2 files changed, 5 insertions(+), 20 deletions(-)

Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

* Re: [PATCH v6 1/2] m68k/kernel - wire up syscall_trace_enter/leave for m68k
From: Michael Schmitz @ 2021-06-28 20:52 UTC
To: Geert Uytterhoeven; +Cc: Linux/m68k, John Paul Adrian Glaubitz, Andreas Schwab

Hi Geert,

On 28/06/21 7:25 pm, Geert Uytterhoeven wrote:
> On Thu, Jun 24, 2021 at 2:46 AM Michael Schmitz <schmitzmic@gmail.com> wrote:
>> m68k (other than Coldfire) uses syscall_trace for both trace entry
>> and trace exit. Seccomp support requires separate entry points for
>> trace entry and exit which are already provided for Coldfire.
>>
>> Replace syscall_trace by syscall_trace_enter and syscall_trace_leave
>> in preparation for seccomp support. Check return code of
>> syscall_trace_enter(), and skip syscall if -1. Return code will be
>> left at what had been set by ptrace or seccomp (in regs->d0).
>>
>> No regression seen in testing with strace on ARAnyM.
>>
>> Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
> Thanks for your patch!
>
>>  arch/m68k/kernel/entry.S  |  8 +++++---
> We need similar changes to arch/m68k/68000/entry.S and
> arch/m68k/coldfire/entry.S
>

Ouch - I misparsed the #endif right above ENTRY(syscall) and thought the
syscall trace entry code was common for all.

Will fix ... but that will have to be tested by someone else!

Cheers,

   Michael

>>  arch/m68k/kernel/ptrace.c | 17 -----------------
>>  2 files changed, 5 insertions(+), 20 deletions(-)
> Gr{oetje,eeting}s,
>
>                         Geert
>

* Re: [PATCH v6 1/2] m68k/kernel - wire up syscall_trace_enter/leave for m68k
From: Michael Schmitz @ 2021-06-28 22:16 UTC
To: Geert Uytterhoeven; +Cc: Linux/m68k, John Paul Adrian Glaubitz, Andreas Schwab

Hi Geert,

On 28/06/21 7:25 pm, Geert Uytterhoeven wrote:
> On Thu, Jun 24, 2021 at 2:46 AM Michael Schmitz <schmitzmic@gmail.com> wrote:
>> m68k (other than Coldfire) uses syscall_trace for both trace entry
>> and trace exit. Seccomp support requires separate entry points for
>> trace entry and exit which are already provided for Coldfire.
>>
>> Replace syscall_trace by syscall_trace_enter and syscall_trace_leave
>> in preparation for seccomp support. Check return code of
>> syscall_trace_enter(), and skip syscall if -1. Return code will be
>> left at what had been set by ptrace or seccomp (in regs->d0).
>>
>> No regression seen in testing with strace on ARAnyM.
>>
>> Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
> b
> Thanks for your patch!
>
>>  arch/m68k/kernel/entry.S  |  8 +++++---
> We need similar changes to arch/m68k/68000/entry.S and
> arch/m68k/coldfire/entry.S

Do you have a current defconfig for 68000? I've test compiled my patch
with two coldfire defconfigs, but could not find one for m68kclassic ...

Cheers,

   Michael

>
>>  arch/m68k/kernel/ptrace.c | 17 -----------------
>>  2 files changed, 5 insertions(+), 20 deletions(-)
> Gr{oetje,eeting}s,
>
>                         Geert
>

* Re: [PATCH v6 1/2] m68k/kernel - wire up syscall_trace_enter/leave for m68k
From: Geert Uytterhoeven @ 2021-06-29 7:31 UTC
To: Michael Schmitz, Greg Ungerer
Cc: Linux/m68k, John Paul Adrian Glaubitz, Andreas Schwab

Hi Michael,

On Tue, Jun 29, 2021 at 12:16 AM Michael Schmitz <schmitzmic@gmail.com> wrote:
> On 28/06/21 7:25 pm, Geert Uytterhoeven wrote:
> > On Thu, Jun 24, 2021 at 2:46 AM Michael Schmitz <schmitzmic@gmail.com> wrote:
> >> m68k (other than Coldfire) uses syscall_trace for both trace entry
> >> and trace exit. Seccomp support requires separate entry points for
> >> trace entry and exit which are already provided for Coldfire.
> >>
> >> Replace syscall_trace by syscall_trace_enter and syscall_trace_leave
> >> in preparation for seccomp support. Check return code of
> >> syscall_trace_enter(), and skip syscall if -1. Return code will be
> >> left at what had been set by ptrace or seccomp (in regs->d0).
> >>
> >> No regression seen in testing with strace on ARAnyM.
> >>
> >> Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
> > b
> > Thanks for your patch!
> >
> >>  arch/m68k/kernel/entry.S  |  8 +++++---
> > We need similar changes to arch/m68k/68000/entry.S and
> > arch/m68k/coldfire/entry.S
>
> Do you have a current defconfig for 68000? I've test compiled my patch
> with two coldfire defconfigs, but could not find one for m68kclassic ...

Unfortunately not.
Greg?

Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

* Re: [PATCH v6 1/2] m68k/kernel - wire up syscall_trace_enter/leave for m68k
From: Greg Ungerer @ 2021-06-29 7:35 UTC
To: Geert Uytterhoeven, Michael Schmitz
Cc: Linux/m68k, John Paul Adrian Glaubitz, Andreas Schwab

Hi Michael, Geert,

On 29/6/21 5:31 pm, Geert Uytterhoeven wrote:
> Hi Michael,
>
> On Tue, Jun 29, 2021 at 12:16 AM Michael Schmitz <schmitzmic@gmail.com> wrote:
>> On 28/06/21 7:25 pm, Geert Uytterhoeven wrote:
>>> On Thu, Jun 24, 2021 at 2:46 AM Michael Schmitz <schmitzmic@gmail.com> wrote:
>>>> m68k (other than Coldfire) uses syscall_trace for both trace entry
>>>> and trace exit. Seccomp support requires separate entry points for
>>>> trace entry and exit which are already provided for Coldfire.
>>>>
>>>> Replace syscall_trace by syscall_trace_enter and syscall_trace_leave
>>>> in preparation for seccomp support. Check return code of
>>>> syscall_trace_enter(), and skip syscall if -1. Return code will be
>>>> left at what had been set by ptrace or seccomp (in regs->d0).
>>>>
>>>> No regression seen in testing with strace on ARAnyM.
>>>>
>>>> Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
>>> b
>>> Thanks for your patch!
>>>
>>>>  arch/m68k/kernel/entry.S  |  8 +++++---
>>> We need similar changes to arch/m68k/68000/entry.S and
>>> arch/m68k/coldfire/entry.S
>>
>> Do you have a current defconfig for 68000? I've test compiled my patch
>> with two coldfire defconfigs, but could not find one for m68kclassic ...
>
> Unfortunately not.
> Greg?

Sorry, no, I don't have one.
Whenever I need to compile for a 68000 target I manually configure one
("make menuconfig" and friends).

Would be nice to have one in mainline ;-)

Regards
Greg

* Re: [PATCH v6 1/2] m68k/kernel - wire up syscall_trace_enter/leave for m68k
From: Michael Schmitz @ 2021-06-29 7:46 UTC
To: Greg Ungerer, Geert Uytterhoeven
Cc: Linux/m68k, John Paul Adrian Glaubitz, Andreas Schwab

Hi Geert, Greg,

no matter - I managed to at least get entry.S to 'compile' for 68000,
even though the final link failed.

I'm reasonably certain that 'ret_from_exception' is the correct branch
target if a syscall is to be skipped, but I'd like to have that double
checked?

Cheers,

   Michael

On 29.06.2021 at 19:35, Greg Ungerer wrote:
> Hi Michael, Geert,
>
> On 29/6/21 5:31 pm, Geert Uytterhoeven wrote:
>> Hi Michael,
>>
>> On Tue, Jun 29, 2021 at 12:16 AM Michael Schmitz
>> <schmitzmic@gmail.com> wrote:
>>> On 28/06/21 7:25 pm, Geert Uytterhoeven wrote:
>>>> On Thu, Jun 24, 2021 at 2:46 AM Michael Schmitz
>>>> <schmitzmic@gmail.com> wrote:
>>>>> m68k (other than Coldfire) uses syscall_trace for both trace entry
>>>>> and trace exit. Seccomp support requires separate entry points for
>>>>> trace entry and exit which are already provided for Coldfire.
>>>>>
>>>>> Replace syscall_trace by syscall_trace_enter and syscall_trace_leave
>>>>> in preparation for seccomp support. Check return code of
>>>>> syscall_trace_enter(), and skip syscall if -1. Return code will be
>>>>> left at what had been set by ptrace or seccomp (in regs->d0).
>>>>>
>>>>> No regression seen in testing with strace on ARAnyM.
>>>>>
>>>>> Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
>>>> b
>>>> Thanks for your patch!
>>>>
>>>>>  arch/m68k/kernel/entry.S  |  8 +++++---
>>>> We need similar changes to arch/m68k/68000/entry.S and
>>>> arch/m68k/coldfire/entry.S
>>>
>>> Do you have a current defconfig for 68000? I've test compiled my patch
>>> with two coldfire defconfigs, but could not find one for m68kclassic ...
>>
>> Unfortunately not.
>> Greg?
>
> Sorry, no, I don't have one.
> Whenever I need to compile for a 68000 target I manually configure one
> ("make menuconfig" and friends).
>
> Would be nice to have one in mainline ;-)
>
> Regards
> Greg
>

* [PATCH v6 2/2] m68k: add kernel seccomp support 2021-06-24 0:45 [PATCH v6 0/2] Add kernel seccomp support for m68k Michael Schmitz 2021-06-24 0:45 ` [PATCH v6 1/2] m68k/kernel - wire up syscall_trace_enter/leave " Michael Schmitz @ 2021-06-24 0:46 ` Michael Schmitz 2021-06-28 7:23 ` Geert Uytterhoeven 1 sibling, 1 reply; 11+ messages in thread From: Michael Schmitz @ 2021-06-24 0:46 UTC (permalink / raw) To: linux-m68k, geert; +Cc: glaubitz, schwab, Michael Schmitz Add secure_computing() call to syscall_trace_enter to actually filter system calls. Add necessary arch Kconfig options, define TIF_SECCOMP trace flag and provide basic seccomp filter support in asm/syscall.h syscall_get_nr currently uses the syscall nr stored in orig_d0 because we change d0 to a default return code before starting a syscall trace. This may be inconsistent with syscall_rollback copying orig_d0 to d0 (which we never check upon return from trace). We use d0 for the return code from syscall_trace_enter in entry.S currently, and could perhaps expand that to store a new syscall number returned by the seccomp filter before executing the syscall. This clearly needs some discussion. Compiles (for Atari) and boots on ARAnyM, otherwise untested. Signed-off-by: Michael Schmitz <schmitzmic@gmail.com> -- Changes from v5: Geert Uytterhoeven: - correct wrong offset for d1-d5 register copy - update Documentation/features/seccomp/seccomp-filter/arch-support.txt --- .../seccomp/seccomp-filter/arch-support.txt | 2 +- arch/m68k/Kconfig | 2 ++ arch/m68k/include/asm/seccomp.h | 11 ++++++++ arch/m68k/include/asm/syscall.h | 33 ++++++++++++++++++++++ arch/m68k/include/asm/thread_info.h | 2 ++ arch/m68k/kernel/ptrace.c | 5 ++++ 6 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 arch/m68k/include/asm/seccomp.h diff --git a/Documentation/features/seccomp/seccomp-filter/arch-support.txt b/Documentation/features/seccomp/seccomp-filter/arch-support.txt index 26eec58..be71f20 100644 
--- a/Documentation/features/seccomp/seccomp-filter/arch-support.txt +++ b/Documentation/features/seccomp/seccomp-filter/arch-support.txt @@ -14,7 +14,7 @@ | h8300: | TODO | | hexagon: | TODO | | ia64: | TODO | - | m68k: | TODO | + | m68k: | ok | | microblaze: | TODO | | mips: | ok | | nds32: | TODO | diff --git a/arch/m68k/Kconfig b/arch/m68k/Kconfig index 372e4e6..deaea88 100644 --- a/arch/m68k/Kconfig +++ b/arch/m68k/Kconfig @@ -19,6 +19,8 @@ config M68K select GENERIC_STRNCPY_FROM_USER if MMU select GENERIC_STRNLEN_USER if MMU select HAVE_AOUT if MMU + select HAVE_ARCH_SECCOMP + select HAVE_ARCH_SECCOMP_FILTER select HAVE_ASM_MODVERSIONS select HAVE_DEBUG_BUGVERBOSE select HAVE_FUTEX_CMPXCHG if MMU && FUTEX diff --git a/arch/m68k/include/asm/seccomp.h b/arch/m68k/include/asm/seccomp.h new file mode 100644 index 0000000..de8a94e --- /dev/null +++ b/arch/m68k/include/asm/seccomp.h @@ -0,0 +1,11 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#ifndef _ASM_SECCOMP_H +#define _ASM_SECCOMP_H + +#include <asm-generic/seccomp.h> + +#define SECCOMP_ARCH_NATIVE AUDIT_ARCH_M68K +#define SECCOMP_ARCH_NATIVE_NR NR_syscalls +#define SECCOMP_ARCH_NATIVE_NAME "m68k" + +#endif /* _ASM_SECCOMP_H */ diff --git a/arch/m68k/include/asm/syscall.h b/arch/m68k/include/asm/syscall.h index 465ac03..ab8ab94e 100644 --- a/arch/m68k/include/asm/syscall.h +++ b/arch/m68k/include/asm/syscall.h 
@@ -4,6 +4,39 @@ #include <uapi/linux/audit.h> +#include <asm/unistd.h> + +extern const unsigned long sys_call_table[]; + +static inline int syscall_get_nr(struct task_struct *task, + struct pt_regs *regs) +{ + return regs->orig_d0; +} + +static inline void syscall_rollback(struct task_struct *task, + struct pt_regs *regs) +{ + regs->d0 = regs->orig_d0; +} + +static inline void syscall_set_return_value(struct task_struct *task, + struct pt_regs *regs, + int error, long val) +{ + regs->d0 = (long) error ? error : val; +} + +static inline void syscall_get_arguments(struct task_struct *task, + struct pt_regs *regs, + unsigned long *args) +{ + args[0] = regs->orig_d0; + args++; + + memcpy(args, ®s->d1, 5 * sizeof(args[0])); +} + static inline int syscall_get_arch(struct task_struct *task) { return AUDIT_ARCH_M68K; diff --git a/arch/m68k/include/asm/thread_info.h b/arch/m68k/include/asm/thread_info.h index 15a7570..d813fed 100644 --- a/arch/m68k/include/asm/thread_info.h +++ b/arch/m68k/include/asm/thread_info.h @@ -64,6 +64,7 @@ static inline struct thread_info *current_thread_info(void) #define TIF_NOTIFY_RESUME 5 /* callback before returning to user */ #define TIF_SIGPENDING 6 /* signal pending */ #define TIF_NEED_RESCHED 7 /* rescheduling necessary */ +#define TIF_SECCOMP 13 /* seccomp syscall filtering active */ #define TIF_DELAYED_TRACE 14 /* single step a syscall */ #define TIF_SYSCALL_TRACE 15 /* syscall trace active */ #define TIF_MEMDIE 16 /* is terminating due to OOM killer */ @@ -72,6 +73,7 @@ static inline struct thread_info *current_thread_info(void) #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME) #define _TIF_SIGPENDING (1 << TIF_SIGPENDING) #define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED) +#define _TIF_SECCOMP (1 << TIF_SECCOMP) #define _TIF_DELAYED_TRACE (1 << TIF_DELAYED_TRACE) #define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE) #define _TIF_MEMDIE (1 << TIF_MEMDIE) 
diff --git a/arch/m68k/kernel/ptrace.c b/arch/m68k/kernel/ptrace.c index 74d58a8..bc2490c 100644 --- a/arch/m68k/kernel/ptrace.c +++ b/arch/m68k/kernel/ptrace.c @@ -19,6 +19,7 @@ #include <linux/ptrace.h> #include <linux/user.h> #include <linux/signal.h> +#include <linux/seccomp.h> #include <linux/tracehook.h> #include <linux/uaccess.h> @@ -277,6 +278,10 @@ asmlinkage int syscall_trace_enter(void) if (test_thread_flag(TIF_SYSCALL_TRACE)) ret = tracehook_report_syscall_entry(task_pt_regs(current)); + + if (secure_computing() == -1) + return -1; + return ret; } -- 2.7.4 ^ permalink raw reply related [flat|nested] 11+ messages in thread
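Review bot: Flipping m68k from TODO to ok in Documentation/features/seccomp/seccomp-filter/arch-support.txt is ahead of the evidence in the commit message, which says the patch "Compiles (for Atari) and boots on ARAnyM, otherwise untested" and that the syscall number handling "clearly needs some discussion". Hold this line back until a filter has actually been exercised on m68k, for instance with the kernel's seccomp selftests, and the six-argument case from the cover letter is settled.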
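Review bot: In the arch/m68k/Kconfig hunk, `select HAVE_ARCH_SECCOMP` and `select HAVE_ARCH_SECCOMP_FILTER` are unconditional, while several neighbouring selects are qualified with `if MMU` and 1/2 adds the syscall_trace_enter() return check only to arch/m68k/kernel/entry.S. On a configuration whose entry code does not act on the -1 return, a filter's deny decision would not stop the call, so either restrict the selects to the converted configurations or convert the remaining entry paths first.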
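Review bot: In syscall_get_arguments() in arch/m68k/include/asm/syscall.h, `args[0] = regs->orig_d0;` stores the same value that syscall_get_nr() returns, so the first argument slot handed to a filter is the syscall number and d1 to d5 land in args[1] to args[5]. If d1 carries the first argument, copy starting at regs->d1 into args[0] directly and fill or zero args[5] explicitly, because a filter that matches on argument values would otherwise compare against the wrong register. A short comment on the pt_regs layout the memcpy() depends on, and parentheses in `(long) error ? error : val`, would also help; sys_call_table is declared here but not used in the visible hunk.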
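Review bot: The arch/m68k/include/asm/thread_info.h hunks define TIF_SECCOMP as bit 13, but nothing in this series changes the flag test that routes a syscall into do_trace_entry; the only test visible in 1/2 is `tstb %a1@(TINFO_FLAGS+2)` / `jge 1f`, which is a sign test on a single byte. If syscall entry uses the same idiom, a task with only TIF_SECCOMP set never reaches syscall_trace_enter() and its filter is never consulted. Please show the entry-side check for _TIF_SECCOMP, or add one in this patch.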
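Review bot: In the syscall_trace_enter() hunk of arch/m68k/kernel/ptrace.c, ret from tracehook_report_syscall_entry() is passed back unchanged, while the entry.S test added in 1/2 skips the syscall only when the return is exactly -1. Normalising with `if (ret) return -1;` before the secure_computing() call would make a tracer-requested skip take the same path as a seccomp denial and would avoid running the filter for a call that is already being skipped. A comment stating that regs->d0 holds the value user space will see on the skip path would document the contract with entry.S.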
* Re: [PATCH v6 2/2] m68k: add kernel seccomp support 2021-06-24 0:46 ` [PATCH v6 2/2] m68k: add kernel seccomp support Michael Schmitz @ 2021-06-28 7:23 ` Geert Uytterhoeven 2021-06-28 20:17 ` Michael Schmitz 0 siblings, 1 reply; 11+ messages in thread From: Geert Uytterhoeven @ 2021-06-28 7:23 UTC (permalink / raw) To: Michael Schmitz; +Cc: Linux/m68k, John Paul Adrian Glaubitz, Andreas Schwab Hi Michael, On Thu, Jun 24, 2021 at 2:46 AM Michael Schmitz <schmitzmic@gmail.com> wrote: > Add secure_computing() call to syscall_trace_enter to actually > filter system calls. > > Add necessary arch Kconfig options, define TIF_SECCOMP trace > flag and provide basic seccomp filter support in asm/syscall.h > > syscall_get_nr currently uses the syscall nr stored in orig_d0 > because we change d0 to a default return code before starting a > syscall trace. This may be inconsistent with syscall_rollback > copying orig_d0 to d0 (which we never check upon return from > trace). We use d0 for the return code from syscall_trace_enter > in entry.S currently, and could perhaps expand that to store > a new syscall number returned by the seccomp filter before > executing the syscall. This clearly needs some discussion. > > Compiles (for Atari) and boots on ARAnyM, otherwise untested. > > Signed-off-by: Michael Schmitz <schmitzmic@gmail.com> > --- a/arch/m68k/include/asm/syscall.h > +++ b/arch/m68k/include/asm/syscall.h 
> @@ -4,6 +4,39 @@ > > #include <uapi/linux/audit.h> > > +#include <asm/unistd.h> > + > +extern const unsigned long sys_call_table[]; > + > +static inline int syscall_get_nr(struct task_struct *task, > + struct pt_regs *regs) > +{ > + return regs->orig_d0; > +} > + > +static inline void syscall_rollback(struct task_struct *task, > + struct pt_regs *regs) > +{ > + regs->d0 = regs->orig_d0; > +} > + > +static inline void syscall_set_return_value(struct task_struct *task, > + struct pt_regs *regs, > + int error, long val) > +{ > + regs->d0 = (long) error ? error : val; > +} > + > +static inline void syscall_get_arguments(struct task_struct *task, > + struct pt_regs *regs, > + unsigned long *args) > +{ > + args[0] = regs->orig_d0; > + args++; > + > + memcpy(args, ®s->d1, 5 * sizeof(args[0])); > +} > + > static inline int syscall_get_arch(struct task_struct *task) > { > return AUDIT_ARCH_M68K; Comparing this to what I had before, I noticed syscall_get_return_value() is missing. Upon closer look, we don't need it (yet), as we don't select any of GENERIC_ENTRY, HAVE_ARCH_TRACEHOOK, or HAVE_SYSCALL_TRACEPOINTS, but why not add it while we're at it? Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v6 2/2] m68k: add kernel seccomp support 2021-06-28 7:23 ` Geert Uytterhoeven @ 2021-06-28 20:17 ` Michael Schmitz 0 siblings, 0 replies; 11+ messages in thread From: Michael Schmitz @ 2021-06-28 20:17 UTC (permalink / raw) To: Geert Uytterhoeven; +Cc: Linux/m68k, John Paul Adrian Glaubitz, Andreas Schwab Hi Geert, On 28/06/21 7:23 pm, Geert Uytterhoeven wrote: > >> --- a/arch/m68k/include/asm/syscall.h >> +++ b/arch/m68k/include/asm/syscall.h >> @@ -4,6 +4,39 @@ >> >> #include <uapi/linux/audit.h> >> >> +#include <asm/unistd.h> >> + >> +extern const unsigned long sys_call_table[]; >> + >> +static inline int syscall_get_nr(struct task_struct *task, >> + struct pt_regs *regs) >> +{ >> + return regs->orig_d0; >> +} >> + >> +static inline void syscall_rollback(struct task_struct *task, >> + struct pt_regs *regs) >> +{ >> + regs->d0 = regs->orig_d0; >> +} >> + >> +static inline void syscall_set_return_value(struct task_struct *task, >> + struct pt_regs *regs, >> + int error, long val) >> +{ >> + regs->d0 = (long) error ? error : val; >> +} >> + >> +static inline void syscall_get_arguments(struct task_struct *task, >> + struct pt_regs *regs, >> + unsigned long *args) >> +{ >> + args[0] = regs->orig_d0; >> + args++; >> + >> + memcpy(args, ®s->d1, 5 * sizeof(args[0])); >> +} >> + >> static inline int syscall_get_arch(struct task_struct *task) >> { >> return AUDIT_ARCH_M68K; > Comparing this to what I had before, I noticed syscall_get_return_value() > is missing. Yes - I only added the bare minimum I needed to compile. > Upon closer look, we don't need it (yet), as we don't select any > of GENERIC_ENTRY, HAVE_ARCH_TRACEHOOK, or HAVE_SYSCALL_TRACEPOINTS, > but why not add it while we're at it? I can do that - the trouble with this entire series is that I can't meaningfully test anything. But syscall_get_return_value() isn't that difficult. Cheers, Michael > > Gr{oetje,eeting}s, > > Geert > ^ permalink raw reply [flat|nested] 11+ messages in thread