From: Kees Cook <keescook@chromium.org> To: James Morris <james.l.morris@oracle.com> Cc: linux-kernel@vger.kernel.org, Andy Lutomirski <luto@amacapital.net>, Tyler Hicks <tyhicks@canonical.com>, linux-security-module@vger.kernel.org Subject: [GIT PULL] seccomp updates for next Date: Tue, 15 Aug 2017 15:03:19 -0700 [thread overview] Message-ID: <20170815220319.GA63342@beast> (raw) Hi James, Please pull these seccomp changes for next. Thanks! -Kees The following changes since commit 520eccdfe187591a51ea9ab4c1a024ae4d0f68d9: Linux 4.13-rc2 (2017-07-23 16:15:17 -0700) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-next for you to fetch changes up to f3e1821d9e1cc3fb434d7763001791dcd6720c90: selftests/seccomp: Test thread vs process killing (2017-08-14 13:46:50 -0700) ---------------------------------------------------------------- Major additions: - sysctl and seccomp operation to discover available actions. (tyhicks) - new per-filter configurable logging infrastructure and sysctl. (tyhicks) - SECCOMP_RET_LOG to log allowed syscalls. (tyhicks) - SECCOMP_RET_KILL_PROCESS as the new strictest possible action. - self-tests for new behaviors. ---------------------------------------------------------------- Kees Cook (8): selftests/seccomp: Add tests for basic ptrace actions selftests/seccomp: Add simple seccomp overhead benchmark selftests/seccomp: Refactor RET_ERRNO tests seccomp: Provide matching filter for introspection seccomp: Rename SECCOMP_RET_KILL to SECCOMP_RET_KILL_THREAD seccomp: Introduce SECCOMP_RET_KILL_PROCESS seccomp: Implement SECCOMP_RET_KILL_PROCESS action selftests/seccomp: Test thread vs process killing Tyler Hicks (6): seccomp: Sysctl to display available actions seccomp: Operation for checking if an action is available seccomp: Sysctl to configure actions that are allowed to be logged seccomp: Selftest for detection of filter flag support seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW seccomp: Action to log before allowing Documentation/networking/filter.txt | 2 +- Documentation/sysctl/kernel.txt | 1 + Documentation/userspace-api/seccomp_filter.rst | 52 +- include/linux/audit.h | 6 +- include/linux/seccomp.h | 3 +- include/uapi/linux/seccomp.h | 23 +- kernel/seccomp.c | 321 ++++++++++- samples/seccomp/bpf-direct.c | 4 +- samples/seccomp/bpf-helper.h | 2 +- tools/testing/selftests/seccomp/Makefile | 18 +- .../testing/selftests/seccomp/seccomp_benchmark.c | 99 ++++ tools/testing/selftests/seccomp/seccomp_bpf.c | 610 +++++++++++++++++---- 12 files changed, 1009 insertions(+), 132 deletions(-) create mode 100644 tools/testing/selftests/seccomp/seccomp_benchmark.c -- Kees Cook Pixel Security
WARNING: multiple messages have this Message-ID (diff)
From: keescook@chromium.org (Kees Cook) To: linux-security-module@vger.kernel.org Subject: [GIT PULL] seccomp updates for next Date: Tue, 15 Aug 2017 15:03:19 -0700 [thread overview] Message-ID: <20170815220319.GA63342@beast> (raw) Hi James, Please pull these seccomp changes for next. Thanks! -Kees The following changes since commit 520eccdfe187591a51ea9ab4c1a024ae4d0f68d9: Linux 4.13-rc2 (2017-07-23 16:15:17 -0700) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-next for you to fetch changes up to f3e1821d9e1cc3fb434d7763001791dcd6720c90: selftests/seccomp: Test thread vs process killing (2017-08-14 13:46:50 -0700) ---------------------------------------------------------------- Major additions: - sysctl and seccomp operation to discover available actions. (tyhicks) - new per-filter configurable logging infrastructure and sysctl. (tyhicks) - SECCOMP_RET_LOG to log allowed syscalls. (tyhicks) - SECCOMP_RET_KILL_PROCESS as the new strictest possible action. - self-tests for new behaviors. ---------------------------------------------------------------- Kees Cook (8): selftests/seccomp: Add tests for basic ptrace actions selftests/seccomp: Add simple seccomp overhead benchmark selftests/seccomp: Refactor RET_ERRNO tests seccomp: Provide matching filter for introspection seccomp: Rename SECCOMP_RET_KILL to SECCOMP_RET_KILL_THREAD seccomp: Introduce SECCOMP_RET_KILL_PROCESS seccomp: Implement SECCOMP_RET_KILL_PROCESS action selftests/seccomp: Test thread vs process killing Tyler Hicks (6): seccomp: Sysctl to display available actions seccomp: Operation for checking if an action is available seccomp: Sysctl to configure actions that are allowed to be logged seccomp: Selftest for detection of filter flag support seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW seccomp: Action to log before allowing Documentation/networking/filter.txt | 2 +- Documentation/sysctl/kernel.txt | 1 + Documentation/userspace-api/seccomp_filter.rst | 52 +- include/linux/audit.h | 6 +- include/linux/seccomp.h | 3 +- include/uapi/linux/seccomp.h | 23 +- kernel/seccomp.c | 321 ++++++++++- samples/seccomp/bpf-direct.c | 4 +- samples/seccomp/bpf-helper.h | 2 +- tools/testing/selftests/seccomp/Makefile | 18 +- .../testing/selftests/seccomp/seccomp_benchmark.c | 99 ++++ tools/testing/selftests/seccomp/seccomp_bpf.c | 610 +++++++++++++++++---- 12 files changed, 1009 insertions(+), 132 deletions(-) create mode 100644 tools/testing/selftests/seccomp/seccomp_benchmark.c -- Kees Cook Pixel Security -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
next reply other threads:[~2017-08-15 22:03 UTC|newest] Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-08-15 22:03 Kees Cook [this message] 2017-08-15 22:03 ` [GIT PULL] seccomp updates for next Kees Cook 2017-08-16 2:33 ` James Morris 2017-08-16 2:33 ` James Morris -- strict thread matches above, loose matches on Subject: below -- 2018-12-12 23:16 Kees Cook 2018-12-13 0:08 ` James Morris 2017-11-29 0:38 Kees Cook 2017-11-29 0:38 ` Kees Cook 2017-11-29 1:55 ` James Morris 2017-11-29 1:55 ` James Morris 2017-06-26 17:02 Kees Cook 2017-06-26 17:02 ` Kees Cook 2017-06-27 3:27 ` James Morris 2017-06-27 3:27 ` James Morris
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20170815220319.GA63342@beast \ --to=keescook@chromium.org \ --cc=james.l.morris@oracle.com \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=luto@amacapital.net \ --cc=tyhicks@canonical.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.