* [RESEND PATCH v4 0/2] arm64: Add seccomp support
From: AKASHI Takahiro @ 2014-07-04 7:31 UTC (permalink / raw)
To: wad, catalin.marinas, will.deacon
Cc: dsaxena, linux-arm-kernel, linaro-kernel, linux-kernel, AKASHI Takahiro
(I don't think that the discussions below about ptrace() have an impact on
this patchset.
http://lists.infradead.org/pipermail/linux-arm-kernel/2014-July/268923.html
)
(Please apply this patch after my audit patch in order to avoid some
conflict on arm64/Kconfig.)

This patch enables secure computing (system call filtering) on arm64.
System calls can be allowed or denied by loaded bpf-style rules.
The architecture-specific part is to run secure_computing() on syscall entry
and check the result. See [2/2].

This code is tested on ARMv8 fast model using libseccomp v2.1.1 with
modifications for arm64 and verified by its "live" tests, 20, 21 and 24.
Changes v3 -> v4:
* removed the following patch and moved it to "arm64: prerequisites for
audit and ftrace" patchset since it is required for audit and ftrace in
case of !COMPAT, too.
"arm64: is_compat_task is defined both in asm/compat.h and linux/compat.h"
Changes v2 -> v3:
* removed unnecessary 'type cast' operations [2/3]
* check for a return value (-1) of secure_computing() explicitly [2/3]
* aligned with the patch, "arm64: split syscall_trace() into separate
functions for enter/exit" [2/3]
* changed default of CONFIG_SECCOMP to n [2/3]
Changes v1 -> v2:
* added generic seccomp.h for arm64 to utilize it [1,2/3]
* changed syscall_trace() to return more meaningful value (-EPERM)
on seccomp failure case [2/3]
* aligned with the change in "arm64: make a single hook to syscall_trace()
for all syscall features" v2 [2/3]
* removed is_compat_task() definition from compat.h [3/3]
AKASHI Takahiro (2):
asm-generic: Add generic seccomp.h for secure computing mode 1
arm64: Add seccomp support
arch/arm64/Kconfig | 14 ++++++++++++++
arch/arm64/include/asm/seccomp.h | 25 +++++++++++++++++++++++++
arch/arm64/include/asm/unistd.h | 3 +++
arch/arm64/kernel/entry.S | 4 ++++
arch/arm64/kernel/ptrace.c | 6 ++++++
include/asm-generic/seccomp.h | 28 ++++++++++++++++++++++++++++
6 files changed, 80 insertions(+)
create mode 100644 arch/arm64/include/asm/seccomp.h
create mode 100644 include/asm-generic/seccomp.h
--
1.7.9.5
* [RESEND PATCH v4 1/2] asm-generic: Add generic seccomp.h for secure computing mode 1
From: AKASHI Takahiro @ 2014-07-04 7:31 UTC (permalink / raw)
To: wad, catalin.marinas, will.deacon
Cc: dsaxena, linux-arm-kernel, linaro-kernel, linux-kernel, AKASHI Takahiro
Those values (__NR_seccomp_*) are used solely in secure_computing()
to identify mode 1 system calls. If compat system calls have different
syscall numbers, asm/seccomp.h may override them.
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
include/asm-generic/seccomp.h | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 include/asm-generic/seccomp.h
diff --git a/include/asm-generic/seccomp.h b/include/asm-generic/seccomp.h
new file mode 100644
index 0000000..5e97022
--- /dev/null
+++ b/include/asm-generic/seccomp.h
@@ -0,0 +1,28 @@
+/*
+ * include/asm-generic/seccomp.h
+ *
+ * Copyright (C) 2014 Linaro Limited
+ * Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#ifndef _ASM_GENERIC_SECCOMP_H
+#define _ASM_GENERIC_SECCOMP_H
+
+#include <asm-generic/unistd.h>
+
+#if defined(CONFIG_COMPAT) && !defined(__NR_seccomp_read_32)
+#define __NR_seccomp_read_32 __NR_read
+#define __NR_seccomp_write_32 __NR_write
+#define __NR_seccomp_exit_32 __NR_exit
+#define __NR_seccomp_sigreturn_32 __NR_rt_sigreturn
+#endif /* CONFIG_COMPAT && ! already defined */
+
+#define __NR_seccomp_read __NR_read
+#define __NR_seccomp_write __NR_write
+#define __NR_seccomp_exit __NR_exit
+#define __NR_seccomp_sigreturn __NR_rt_sigreturn
+
+#endif /* _ASM_GENERIC_SECCOMP_H */
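Review bot: the CONFIG_COMPAT block keys all four compat definitions on `!defined(__NR_seccomp_read_32)` alone, so an arch header that overrides only some of the `_32` values gets redefinition warnings for the rest; either test each macro individually or state in the header comment that an arch must override all four or none. The same comment should spell out the contract the 2/2 arch header relies on: asm/seccomp.h has to define its `__NR_seccomp_*_32` values before including this file, and because the native values come from asm-generic/unistd.h the header is only usable by architectures on the generic syscall table.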
--
1.7.9.5
* [RESEND PATCH v4 2/2] arm64: Add seccomp support
From: AKASHI Takahiro @ 2014-07-04 7:31 UTC (permalink / raw)
To: wad, catalin.marinas, will.deacon
Cc: dsaxena, linux-arm-kernel, linaro-kernel, linux-kernel, AKASHI Takahiro
secure_computing() should always be called first in syscall_trace_enter().
If it returns non-zero, we should stop further handling. That system
call may then eventually fail or be trapped, or the process itself may be
killed, depending on the loaded rules.
In this case, syscall_trace_enter() returns a dedicated value in order to
skip the normal syscall table lookup, because a seccomp rule may have already
overridden errno.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
arch/arm64/Kconfig | 14 ++++++++++++++
arch/arm64/include/asm/seccomp.h | 25 +++++++++++++++++++++++++
arch/arm64/include/asm/unistd.h | 3 +++
arch/arm64/kernel/entry.S | 4 ++++
arch/arm64/kernel/ptrace.c | 6 ++++++
5 files changed, 52 insertions(+)
create mode 100644 arch/arm64/include/asm/seccomp.h
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 3a18571..eeac003 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -32,6 +32,7 @@ config ARM64
select HAVE_ARCH_AUDITSYSCALL
select HAVE_ARCH_JUMP_LABEL
select HAVE_ARCH_KGDB
+ select HAVE_ARCH_SECCOMP_FILTER
select HAVE_ARCH_TRACEHOOK
select HAVE_C_RECORDMCOUNT
select HAVE_DEBUG_BUGVERBOSE
@@ -259,6 +260,19 @@ config ARCH_HAS_CACHE_LINE_SIZE
source "mm/Kconfig"
+config SECCOMP
+ bool "Enable seccomp to safely compute untrusted bytecode"
+ ---help---
+ This kernel feature is useful for number crunching applications
+ that may need to compute untrusted bytecode during their
+ execution. By using pipes or other transports made available to
+ the process as file descriptors supporting the read/write
+ syscalls, it's possible to isolate those applications in
+ their own address space using seccomp. Once seccomp is
+ enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
+ and the task is only allowed to execute a few safe syscalls
+ defined by each seccomp mode.
+
config XEN_DOM0
def_bool y
depends on XEN
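Review bot: the CONFIG_SECCOMP help text describes only the mode 1 behaviour (read/write/exit/sigreturn after prctl(PR_SET_SECCOMP)), while the first hunk selects HAVE_ARCH_SECCOMP_FILTER and the cover letter says the feature is exercised with libseccomp filters; add a sentence that BPF filter rules (SECCOMP_MODE_FILTER) are supported, since that is what users of this option will actually configure. The missing `default` line is what the v3 changelog means by "changed default of CONFIG_SECCOMP to n" (a Kconfig bool defaults to n), which is fine, but worth one sentence in the commit message so the intent is visible.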
diff --git a/arch/arm64/include/asm/seccomp.h b/arch/arm64/include/asm/seccomp.h
new file mode 100644
index 0000000..c76fac9
--- /dev/null
+++ b/arch/arm64/include/asm/seccomp.h
@@ -0,0 +1,25 @@
+/*
+ * arch/arm64/include/asm/seccomp.h
+ *
+ * Copyright (C) 2014 Linaro Limited
+ * Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#ifndef _ASM_SECCOMP_H
+#define _ASM_SECCOMP_H
+
+#include <asm/unistd.h>
+
+#ifdef CONFIG_COMPAT
+#define __NR_seccomp_read_32 __NR_compat_read
+#define __NR_seccomp_write_32 __NR_compat_write
+#define __NR_seccomp_exit_32 __NR_compat_exit
+#define __NR_seccomp_sigreturn_32 __NR_compat_rt_sigreturn
+#endif /* CONFIG_COMPAT */
+
+#include <asm-generic/seccomp.h>
+
+#endif /* _ASM_SECCOMP_H */
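Review bot: `__NR_seccomp_sigreturn_32` is mapped to `__NR_compat_rt_sigreturn` only, while the unistd.h hunk shows that compat tasks also have `__NR_compat_sigreturn` (119); if a 32-bit task can return from a signal handler through the non-rt sigreturn path, that syscall is not on the mode 1 whitelist and the task would be killed. Either state in the commit message why only rt_sigreturn is expected on this path (the native mapping in 1/2 makes the same assumption with `__NR_rt_sigreturn`) or cover both numbers.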
diff --git a/arch/arm64/include/asm/unistd.h b/arch/arm64/include/asm/unistd.h
index c980ab7..729c155 100644
--- a/arch/arm64/include/asm/unistd.h
+++ b/arch/arm64/include/asm/unistd.h
@@ -31,6 +31,9 @@
* Compat syscall numbers used by the AArch64 kernel.
*/
#define __NR_compat_restart_syscall 0
+#define __NR_compat_exit 1
+#define __NR_compat_read 3
+#define __NR_compat_write 4
#define __NR_compat_sigreturn 119
#define __NR_compat_rt_sigreturn 173
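Review bot: the three new compat numbers (exit 1, read 3, write 4) are bare literals; a short comment saying they are the AArch32 EABI syscall numbers would let a reviewer check them without opening arch/arm, and the commit message should mention that they exist only to feed the `__NR_seccomp_*_32` definitions in the new asm/seccomp.h.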
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 5141e79..fe55b4c 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -628,6 +628,10 @@ ENDPROC(el0_svc)
__sys_trace:
mov x0, sp
bl syscall_trace_enter
+#ifdef CONFIG_SECCOMP
+ cmp w0, #-EPERM // check seccomp result
+ b.eq ret_to_user // -EPERM means 'rejected'
+#endif
adr lr, __sys_trace_return // return address
uxtw scno, w0 // syscall number (possibly new)
mov x1, sp // pointer to regs
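Review bot: `cmp w0, #-EPERM` compares against -1 (EPERM is 1), and -1 is also the value a ptrace tracer writes into the syscall number to abort a syscall, as Will's reply later in this thread points out; since `syscall_trace_enter()` otherwise returns `regs->syscallno`, this branch cannot tell a seccomp rejection from a tracer-aborted syscall, and in both cases it jumps to `ret_to_user` and skips `__sys_trace_return` together with the syscall-exit tracing done there. Use a marker that can be neither a syscall number nor a tracer-written value (or signal the rejection through a separate path), and say in the comment that the filter's own errno has already been placed in the return register by secure_computing(), so -EPERM here is an internal marker rather than what userspace sees.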
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 70526cf..baab5fc 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -21,12 +21,14 @@
#include <linux/audit.h>
#include <linux/compat.h>
+#include <linux/errno.h>
#include <linux/kernel.h>
#include <linux/sched.h>
#include <linux/mm.h>
#include <linux/smp.h>
#include <linux/ptrace.h>
#include <linux/user.h>
+#include <linux/seccomp.h>
#include <linux/security.h>
#include <linux/init.h>
#include <linux/signal.h>
@@ -1109,6 +1111,10 @@ static void tracehook_report_syscall(struct pt_regs *regs,
asmlinkage int syscall_trace_enter(struct pt_regs *regs)
{
+ if (secure_computing(regs->syscallno) == -1)
+ /* seccomp failures shouldn't expose any additional code. */
+ return -EPERM;
+
if (test_thread_flag(TIF_SYSCALL_TRACE))
tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
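Review bot: the commit message says "If it returns non-zero, we should stop further handling" but the code tests `== -1` (the v3 changelog says this was made explicit), so align the two; a one-line comment that secure_computing() returns -1 when the syscall must be skipped (errno/trap outcomes) and 0 when it may proceed would stop a future reader "simplifying" the test to `!= 0`. The comment "seccomp failures shouldn't expose any additional code" says nothing about the -EPERM value that entry.S keys on; state that it is a marker for the assembly caller, not an errno returned to userspace.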
--
1.7.9.5
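As an added userspace illustration, not part of this patch series, the program below installs a SECCOMP_MODE_FILTER rule that rejects one syscall with SECCOMP_RET_ERRNO and then shows that the errno userspace observes is the one the rule carries, which is the "rule may have already overridden errno" behaviour the 2/2 description relies on. The function names, the denied syscall (getppid) and the errno (EACCES) are this example's own choices.

```c
/* Added example: a seccomp-bpf filter that rejects one syscall with a
 * rule-supplied errno, plus a probe showing what userspace observes.
 * Function names, the denied syscall (getppid) and the errno (EACCES)
 * are this example's own choices, not taken from the patch series. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Pin the filter to the build's architecture. Without this check the
 * filter would match syscall numbers from the wrong table (for instance
 * AArch32 numbers on an AArch64 kernel), the very confusion the compat
 * __NR_seccomp_*_32 definitions in the series exist to avoid. */
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define FILTER_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#elif defined(__arm__)
#define FILTER_ARCH AUDIT_ARCH_ARM
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install the filter: wrong arch -> kill; getppid -> fail with EACCES;
 * everything else -> allow. Returns 0 on success, -1 with errno set. */
int install_deny_getppid_filter(void)
{
	struct sock_filter code[] = {
		/* A = seccomp_data.arch; anything but FILTER_ARCH is killed */
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
			 offsetof(struct seccomp_data, arch)),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
		/* A = seccomp_data.nr; deny getppid, allow the rest */
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
			 offsetof(struct seccomp_data, nr)),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
		BPF_STMT(BPF_RET | BPF_K,
			 SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
	};
	struct sock_fprog prog = {
		.len = (unsigned short)(sizeof(code) / sizeof(code[0])),
		.filter = code,
	};

	/* Needed for an unprivileged task to install a filter; it also
	 * prevents setuid execs from running under a filter they never chose. */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
		return -1;
	return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Issue getppid() directly; return the raw result and store errno. */
long probe_getppid(int *err_out)
{
	long ret;

	errno = 0;
	ret = syscall(__NR_getppid);
	*err_out = errno;
	return ret;
}

int main(void)
{
	int err;
	long ret;

	printf("before filter: getppid() = %ld\n", probe_getppid(&err));
	if (install_deny_getppid_filter() != 0) {
		perror("seccomp filter install");
		return 1;
	}
	ret = probe_getppid(&err);
	/* The rule's errno (EACCES) is what reaches userspace; the -EPERM
	 * that the arm64 entry code compares against never leaves the kernel. */
	printf("after filter:  getppid() = %ld, errno = %d (%s)\n",
	       ret, err, err == EACCES ? "EACCES" : "other");
	return (ret == -1 && err == EACCES) ? 0 : 1;
}
```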
* Re: [RESEND PATCH v4 2/2] arm64: Add seccomp support
From: Will Deacon @ 2014-07-09 11:12 UTC (permalink / raw)
To: AKASHI Takahiro
Cc: wad, Catalin Marinas, dsaxena, linux-arm-kernel, linaro-kernel,
linux-kernel
Hi Akashi,
On Fri, Jul 04, 2014 at 08:31:55AM +0100, AKASHI Takahiro wrote:
> secure_computing() should always be called first in syscall_trace_enter().
> If it returns non-zero, we should stop further handling. Then that system
> call may eventually fail, be trapped or the process itself be killed
> depending on loaded rules.
> In this case, syscall_trace_enter() returns a dedicated value in order to
> skip a normal syscall table lookup because a seccomp rule may have already
> overridden errno.
[...]
> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
> index 70526cf..baab5fc 100644
> --- a/arch/arm64/kernel/ptrace.c
> +++ b/arch/arm64/kernel/ptrace.c
> @@ -21,12 +21,14 @@
>
> #include <linux/audit.h>
> #include <linux/compat.h>
> +#include <linux/errno.h>
> #include <linux/kernel.h>
> #include <linux/sched.h>
> #include <linux/mm.h>
> #include <linux/smp.h>
> #include <linux/ptrace.h>
> #include <linux/user.h>
> +#include <linux/seccomp.h>
> #include <linux/security.h>
> #include <linux/init.h>
> #include <linux/signal.h>
> @@ -1109,6 +1111,10 @@ static void tracehook_report_syscall(struct pt_regs *regs,
>
> asmlinkage int syscall_trace_enter(struct pt_regs *regs)
> {
> + if (secure_computing(regs->syscallno) == -1)
> + /* seccomp failures shouldn't expose any additional code. */
> + return -EPERM;
> +
> if (test_thread_flag(TIF_SYSCALL_TRACE))
> tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
We return regs->syscallno immediately after this, so we have the same issue
that Kees identified for arch/arm/. Did you follow the discussion I had with
Andy?
Will
* Re: [RESEND PATCH v4 2/2] arm64: Add seccomp support
From: AKASHI Takahiro @ 2014-07-10 4:33 UTC (permalink / raw)
To: Will Deacon
Cc: wad, Catalin Marinas, dsaxena, linux-arm-kernel, linaro-kernel,
linux-kernel
Will,
> (1) Updating syscallno based on w8, but this ties us to the current ABI
> and could get messy if this register changes in the future.
So, is this the conclusion that I should follow?
-Takahiro AKASHI
On 07/09/2014 01:12 PM, Will Deacon wrote:
> Hi Akashi,
>
> On Fri, Jul 04, 2014 at 08:31:55AM +0100, AKASHI Takahiro wrote:
>> secure_computing() should always be called first in syscall_trace_enter().
>> If it returns non-zero, we should stop further handling. Then that system
>> call may eventually fail, be trapped or the process itself be killed
>> depending on loaded rules.
>> In this case, syscall_trace_enter() returns a dedicated value in order to
>> skip a normal syscall table lookup because a seccomp rule may have already
>> overridden errno.
>
> [...]
>
>> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
>> index 70526cf..baab5fc 100644
>> --- a/arch/arm64/kernel/ptrace.c
>> +++ b/arch/arm64/kernel/ptrace.c
>> @@ -21,12 +21,14 @@
>>
>> #include <linux/audit.h>
>> #include <linux/compat.h>
>> +#include <linux/errno.h>
>> #include <linux/kernel.h>
>> #include <linux/sched.h>
>> #include <linux/mm.h>
>> #include <linux/smp.h>
>> #include <linux/ptrace.h>
>> #include <linux/user.h>
>> +#include <linux/seccomp.h>
>> #include <linux/security.h>
>> #include <linux/init.h>
>> #include <linux/signal.h>
>> @@ -1109,6 +1111,10 @@ static void tracehook_report_syscall(struct pt_regs *regs,
>>
>> asmlinkage int syscall_trace_enter(struct pt_regs *regs)
>> {
>> + if (secure_computing(regs->syscallno) == -1)
>> + /* seccomp failures shouldn't expose any additional code. */
>> + return -EPERM;
>> +
>> if (test_thread_flag(TIF_SYSCALL_TRACE))
>> tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
>
> We return regs->syscallno immediately after this, so we have the same issue
> that Kees identified for arch/arm/. Did you follow the discussion I had with
> Andy?
>
> Will
>
* Re: [RESEND PATCH v4 2/2] arm64: Add seccomp support
From: Will Deacon @ 2014-07-10 8:48 UTC (permalink / raw)
To: AKASHI Takahiro
Cc: wad, Catalin Marinas, dsaxena, linux-arm-kernel, linaro-kernel,
linux-kernel
On Thu, Jul 10, 2014 at 05:33:50AM +0100, AKASHI Takahiro wrote:
> Will,
>
> > (1) Updating syscallno based on w8, but this ties us to the current ABI
> > and could get messy if this register changes in the future.
>
> So, is this the conclusion that I should follow?
I think so, with the exception that if the tracer/debugger sets it to -1 to
abort the syscall, then we should restore the original value.
Will