From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from mta.outflux.net ([2001:19d0:2:6:c0de:0:736d:7471] helo=smtp.outflux.net) by Galois.linutronix.de with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1fEdWP-0007Tr-IS for speck@linutronix.de; Fri, 04 May 2018 18:25:27 +0200 Received: from www.outflux.net (serenity.outflux.net [10.2.0.2]) by vinyl.outflux.net (8.15.2/8.15.2/Debian-3) with ESMTP id w44GPHU1018995 for ; Fri, 4 May 2018 09:25:18 -0700 Date: Fri, 4 May 2018 09:25:17 -0700 From: Kees Cook Subject: [MODERATED] Re: [patch 4/6] SSB update 4 Message-ID: <20180504162517.GH6017@outflux.net> References: <20180504132317.028193533@linutronix.de> <20180504132335.834912266@linutronix.de> MIME-Version: 1.0 In-Reply-To: <20180504132335.834912266@linutronix.de> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit To: speck@linutronix.de List-ID: On Fri, May 04, 2018 at 03:23:21PM +0200, speck for Thomas Gleixner wrote: > Subject: [patch 4/6] seccomp: Add filter flag to opt-out of SSB mitigation > From: Kees Cook > > If a seccomp user is not interested in Speculative Store Bypass mitigation > by default, it can set the new SECCOMP_FILTER_FLAG_SPEC_ALLOW flag when > adding filters. Ugh, I busted the bit values. Attached is a fix for this patch... --- From: Kees Cook Subject: [PATCH] seccomp: Actually use a bit field for flags This fixes the new flag to be the 3rd bit, not a value of 3. Oops. Signed-off-by: Kees Cook --- include/linux/seccomp.h | 5 +++-- include/uapi/linux/seccomp.h | 6 +++--- tools/testing/selftests/seccomp/seccomp_bpf.c | 17 ++++++++++++++--- 3 files changed, 20 insertions(+), 8 deletions(-) diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index c723a5c4e3ff..e5320f6c8654 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h 
@@ -4,8 +4,9 @@ #include -#define SECCOMP_FILTER_FLAG_MASK (SECCOMP_FILTER_FLAG_TSYNC | \ - SECCOMP_FILTER_FLAG_LOG) +#define SECCOMP_FILTER_FLAG_MASK (SECCOMP_FILTER_FLAG_TSYNC | \ + SECCOMP_FILTER_FLAG_LOG | \ + SECCOMP_FILTER_FLAG_SPEC_ALLOW) #ifdef CONFIG_SECCOMP diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h index f88b9e6c32c6..9efc0e73d50b 100644 --- a/include/uapi/linux/seccomp.h +++ b/include/uapi/linux/seccomp.h @@ -17,9 +17,9 @@ #define SECCOMP_GET_ACTION_AVAIL 2 /* Valid flags for SECCOMP_SET_MODE_FILTER */ -#define SECCOMP_FILTER_FLAG_TSYNC 1 -#define SECCOMP_FILTER_FLAG_LOG 2 -#define SECCOMP_FILTER_FLAG_SPEC_ALLOW 3 +#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0) +#define SECCOMP_FILTER_FLAG_LOG (1UL << 1) +#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2) /* * All BPF programs must return a 32-bit value. diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index c281d961c935..e1473234968d 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -134,15 +134,15 @@ struct seccomp_data { #endif #ifndef SECCOMP_FILTER_FLAG_TSYNC -#define SECCOMP_FILTER_FLAG_TSYNC 1 +#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0) #endif #ifndef SECCOMP_FILTER_FLAG_LOG -#define SECCOMP_FILTER_FLAG_LOG 2 +#define SECCOMP_FILTER_FLAG_LOG (1UL << 1) #endif #ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW -#define SECCOMP_FILTER_FLAG_SPEC_ALLOW 3 +#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2) #endif #ifndef PTRACE_SECCOMP_GET_METADATA 
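Review bot: In the include/uapi/linux/seccomp.h hunk, SECCOMP_FILTER_FLAG_SPEC_ALLOW sits under the generic "Valid flags" comment with nothing saying that it switches off a protection. Going by the quoted patch description, a filter installed with this flag opts out of the default Speculative Store Bypass mitigation, so anyone auditing callers should see that at the definition. I would add a comment above it such as `/* Opt out of the default Speculative Store Bypass mitigation for this filter */` and extend the existing comment to say that the flags are distinct bits which may be OR-ed together. The fallback #defines in the seccomp_bpf.c hunk repeat these values by hand and have to be updated together with the header.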
@@ -2084,7 +2084,18 @@ TEST(detect_seccomp_filter_flags) /* Test detection of known-good filter flags */ for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) { + int bits = 0; + + flag = flags[i]; + /* Make sure the flag is a single bit! */ + while (flag) { + if (flag & 0x1) + bits ++; + flag >>= 1; + } + ASSERT_EQ(1, bits); flag = flags[i]; + ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL); ASSERT_NE(ENOSYS, errno) { TH_LOG("Kernel does not support seccomp syscall!"); -- 2.17.0 -- Kees Cook @outflux.net
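Review bot: The new loop in detect_seccomp_filter_flags proves that each entry of flags[] is a single bit, but not that the entries are distinct bits, so two flags defined with the same shift would still pass. If all_flags accumulates the flags later in the loop body (that part is outside the hunk), a check such as `ASSERT_EQ(0, all_flags & flag);` placed before the accumulation would cover that aliasing case, which matters here because one of the flags opts out of the SSB mitigation. As a matter of style, `bits ++;` should be `bits++;`, and counting on a temporary instead of `flag` would make the second `flag = flags[i];` unnecessary.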