From: Palmer Dabbelt <palmer@sifive.com>
To: luto@amacapital.net
Cc: keescook@chromium.org, linux-riscv@lists.infradead.org,
aou@eecs.berkeley.edu, paul@paul-moore.com, eparis@redhat.com,
wad@chromium.org, Wesley Terpstra <wesley@sifive.com>,
dhowells@redhat.com, tglx@linutronix.de, pombredanne@nexb.com,
Greg KH <gregkh@linuxfoundation.org>,
kstewart@linuxfoundation.org, linux-kernel@vger.kernel.org,
linux-audit@redhat.com, david.abdurachmanov@gmail.com
Subject: Re: [PATCH 2/2] RISC-V: Add support for SECCOMP
Date: Fri, 26 Oct 2018 23:07:20 -0700 (PDT) [thread overview]
Message-ID: <mhng-d334eb95-7c80-4070-a053-d04e9b564b74@palmer-mbp2014> (raw)
In-Reply-To: <CALCETrUSvugnh1JiLgn49c4_dw6F8bXiO52jdqiAKEn-CgzoXA@mail.gmail.com>
On Thu, 25 Oct 2018 14:02:20 PDT (-0700), luto@amacapital.net wrote:
> On Wed, Oct 24, 2018 at 2:42 PM Kees Cook <keescook@chromium.org> wrote:
>>
>> On Wed, Oct 24, 2018 at 1:40 PM, Palmer Dabbelt <palmer@sifive.com> wrote:
>> > From: "Wesley W. Terpstra" <wesley@sifive.com>
>> >
>> > This is a fairly straight-forward implementation of seccomp for RISC-V
>> > systems.
>> >
>> > Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
>> > Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
>> > ---
>> > arch/riscv/Kconfig | 18 ++++++++++++++++++
>> > arch/riscv/include/asm/seccomp.h | 10 ++++++++++
>> > arch/riscv/include/asm/syscall.h | 6 ++++++
>> > arch/riscv/include/asm/thread_info.h | 1 +
>> > include/uapi/linux/audit.h | 1 +
>> > 5 files changed, 36 insertions(+)
>> > create mode 100644 arch/riscv/include/asm/seccomp.h
>> >
>> > diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
>> > index a344980287a5..28abe47602a1 100644
>> > --- a/arch/riscv/Kconfig
>> > +++ b/arch/riscv/Kconfig
>> > @@ -28,6 +28,7 @@ config RISCV
>> > select GENERIC_STRNLEN_USER
>> > select GENERIC_SMP_IDLE_THREAD
>> > select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
>> > + select HAVE_ARCH_SECCOMP_FILTER
>>
>> I think this patch is missing most of the actual seccomp glue?
>>
>> config HAVE_ARCH_SECCOMP_FILTER
>> bool
>> help
>> An arch should select this symbol if it provides all of these things:
>> - syscall_get_arch()
>> - syscall_get_arguments()
>> - syscall_rollback()
>> - syscall_set_return_value()
>> - SIGSYS siginfo_t support
>> - secure_computing is called from a ptrace_event()-safe context
>> - secure_computing return value is checked and a return value of -1
>> results in the system call being skipped immediately.
>> - seccomp syscall wired up
>>
>> I only see syscall_get_arch(). Nothing is using TIF_SECCOMP (I'd
>> expect a masked check in entry.S -- it seems like tracepoints are
>> getting missed too? I see it handled in ptrace.c but not checked in
>> entry.S?) There's no checking for seccomp in ptrace.c, etc.
>
> Hi RISC-V people:
>
> I strongly, strongly suggest that you rewrite your asm to work the way
> that x86's does: have a function called prepare_exit_to_usermode() and
> make it work more or less like x86's. Doing all the exit work in asm
> like you are is just setting you up for a world of pain.
OK, thanks for the suggestion. Next time we have to change it I'll try to take
a look and figure out something sane.
WARNING: multiple messages have this Message-ID (diff)
From: palmer@sifive.com (Palmer Dabbelt)
To: linux-riscv@lists.infradead.org
Subject: [PATCH 2/2] RISC-V: Add support for SECCOMP
Date: Fri, 26 Oct 2018 23:07:20 -0700 (PDT) [thread overview]
Message-ID: <mhng-d334eb95-7c80-4070-a053-d04e9b564b74@palmer-mbp2014> (raw)
In-Reply-To: <CALCETrUSvugnh1JiLgn49c4_dw6F8bXiO52jdqiAKEn-CgzoXA@mail.gmail.com>
On Thu, 25 Oct 2018 14:02:20 PDT (-0700), luto at amacapital.net wrote:
> On Wed, Oct 24, 2018 at 2:42 PM Kees Cook <keescook@chromium.org> wrote:
>>
>> On Wed, Oct 24, 2018 at 1:40 PM, Palmer Dabbelt <palmer@sifive.com> wrote:
>> > From: "Wesley W. Terpstra" <wesley@sifive.com>
>> >
>> > This is a fairly straight-forward implementation of seccomp for RISC-V
>> > systems.
>> >
>> > Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
>> > Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
>> > ---
>> > arch/riscv/Kconfig | 18 ++++++++++++++++++
>> > arch/riscv/include/asm/seccomp.h | 10 ++++++++++
>> > arch/riscv/include/asm/syscall.h | 6 ++++++
>> > arch/riscv/include/asm/thread_info.h | 1 +
>> > include/uapi/linux/audit.h | 1 +
>> > 5 files changed, 36 insertions(+)
>> > create mode 100644 arch/riscv/include/asm/seccomp.h
>> >
>> > diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
>> > index a344980287a5..28abe47602a1 100644
>> > --- a/arch/riscv/Kconfig
>> > +++ b/arch/riscv/Kconfig
>> > @@ -28,6 +28,7 @@ config RISCV
>> > select GENERIC_STRNLEN_USER
>> > select GENERIC_SMP_IDLE_THREAD
>> > select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
>> > + select HAVE_ARCH_SECCOMP_FILTER
>>
>> I think this patch is missing most of the actual seccomp glue?
>>
>> config HAVE_ARCH_SECCOMP_FILTER
>> bool
>> help
>> An arch should select this symbol if it provides all of these things:
>> - syscall_get_arch()
>> - syscall_get_arguments()
>> - syscall_rollback()
>> - syscall_set_return_value()
>> - SIGSYS siginfo_t support
>> - secure_computing is called from a ptrace_event()-safe context
>> - secure_computing return value is checked and a return value of -1
>> results in the system call being skipped immediately.
>> - seccomp syscall wired up
>>
>> I only see syscall_get_arch(). Nothing is using TIF_SECCOMP (I'd
>> expect a masked check in entry.S -- it seems like tracepoints are
>> getting missed too? I see it handled in ptrace.c but not checked in
>> entry.S?) There's no checking for seccomp in ptrace.c, etc.
>
> Hi RISC-V people:
>
> I strongly, strongly suggest that you rewrite your asm to work the way
> that x86's does: have a function called prepare_exit_to_usermode() and
> make it work more or less like x86's. Doing all the exit work in asm
> like you are is just setting you up for a world of pain.
OK, thanks for the suggestion. Next time we have to change it I'll try to take
a look and figure out something sane.
WARNING: multiple messages have this Message-ID (diff)
From: Palmer Dabbelt <palmer@sifive.com>
To: luto@amacapital.net
Cc: kstewart@linuxfoundation.org, aou@eecs.berkeley.edu,
wad@chromium.org, keescook@chromium.org,
Greg KH <gregkh@linuxfoundation.org>,
Wesley Terpstra <wesley@sifive.com>,
david.abdurachmanov@gmail.com, linux-kernel@vger.kernel.org,
eparis@redhat.com, dhowells@redhat.com, linux-audit@redhat.com,
pombredanne@nexb.com, linux-riscv@lists.infradead.org,
tglx@linutronix.de, paul@paul-moore.com
Subject: Re: [PATCH 2/2] RISC-V: Add support for SECCOMP
Date: Fri, 26 Oct 2018 23:07:20 -0700 (PDT) [thread overview]
Message-ID: <mhng-d334eb95-7c80-4070-a053-d04e9b564b74@palmer-mbp2014> (raw)
Message-ID: <20181027060720.H8KcZxd6KCBPdo6A7yNNvc4juwBn6ByUon2Sw0e1hZk@z> (raw)
In-Reply-To: <CALCETrUSvugnh1JiLgn49c4_dw6F8bXiO52jdqiAKEn-CgzoXA@mail.gmail.com>
On Thu, 25 Oct 2018 14:02:20 PDT (-0700), luto@amacapital.net wrote:
> On Wed, Oct 24, 2018 at 2:42 PM Kees Cook <keescook@chromium.org> wrote:
>>
>> On Wed, Oct 24, 2018 at 1:40 PM, Palmer Dabbelt <palmer@sifive.com> wrote:
>> > From: "Wesley W. Terpstra" <wesley@sifive.com>
>> >
>> > This is a fairly straight-forward implementation of seccomp for RISC-V
>> > systems.
>> >
>> > Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
>> > Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
>> > ---
>> > arch/riscv/Kconfig | 18 ++++++++++++++++++
>> > arch/riscv/include/asm/seccomp.h | 10 ++++++++++
>> > arch/riscv/include/asm/syscall.h | 6 ++++++
>> > arch/riscv/include/asm/thread_info.h | 1 +
>> > include/uapi/linux/audit.h | 1 +
>> > 5 files changed, 36 insertions(+)
>> > create mode 100644 arch/riscv/include/asm/seccomp.h
>> >
>> > diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
>> > index a344980287a5..28abe47602a1 100644
>> > --- a/arch/riscv/Kconfig
>> > +++ b/arch/riscv/Kconfig
>> > @@ -28,6 +28,7 @@ config RISCV
>> > select GENERIC_STRNLEN_USER
>> > select GENERIC_SMP_IDLE_THREAD
>> > select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
>> > + select HAVE_ARCH_SECCOMP_FILTER
>>
>> I think this patch is missing most of the actual seccomp glue?
>>
>> config HAVE_ARCH_SECCOMP_FILTER
>> bool
>> help
>> An arch should select this symbol if it provides all of these things:
>> - syscall_get_arch()
>> - syscall_get_arguments()
>> - syscall_rollback()
>> - syscall_set_return_value()
>> - SIGSYS siginfo_t support
>> - secure_computing is called from a ptrace_event()-safe context
>> - secure_computing return value is checked and a return value of -1
>> results in the system call being skipped immediately.
>> - seccomp syscall wired up
>>
>> I only see syscall_get_arch(). Nothing is using TIF_SECCOMP (I'd
>> expect a masked check in entry.S -- it seems like tracepoints are
>> getting missed too? I see it handled in ptrace.c but not checked in
>> entry.S?) There's no checking for seccomp in ptrace.c, etc.
>
> Hi RISC-V people:
>
> I strongly, strongly suggest that you rewrite your asm to work the way
> that x86's does: have a function called prepare_exit_to_usermode() and
> make it work more or less like x86's. Doing all the exit work in asm
> like you are is just setting you up for a world of pain.
OK, thanks for the suggestion. Next time we have to change it I'll try to take
a look and figure out something sane.
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next prev parent reply other threads:[~2018-10-27 6:07 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-23 1:20 [PULL RFC] RISC-V Patches for the 4.20 Merge Window, Part 1 Palmer Dabbelt
2018-10-23 1:20 ` Palmer Dabbelt
2018-10-23 8:20 ` David Abdurachmanov
2018-10-23 8:20 ` David Abdurachmanov
2018-10-24 20:40 ` [PATCH 0/2] RISC-V: Add support for SECCOMP Palmer Dabbelt
2018-10-24 20:40 ` Palmer Dabbelt
2018-10-24 20:40 ` Palmer Dabbelt
2018-10-24 20:40 ` Palmer Dabbelt
2018-10-24 20:40 ` [PATCH 1/2] Move EM_RISCV into elf-em.h Palmer Dabbelt
2018-10-24 20:40 ` Palmer Dabbelt
2018-10-24 20:40 ` Palmer Dabbelt
2018-10-24 20:40 ` Palmer Dabbelt
2018-10-24 21:26 ` Kees Cook
2018-10-24 21:26 ` Kees Cook
2018-10-24 21:26 ` Kees Cook
2018-10-25 3:04 ` Paul Walmsley
2018-10-25 3:04 ` Paul Walmsley
2018-10-27 7:46 ` Christoph Hellwig
2018-10-27 7:46 ` Christoph Hellwig
2018-10-27 7:46 ` Christoph Hellwig
2018-10-27 7:46 ` Christoph Hellwig
2018-10-27 9:10 ` David Abdurachmanov
2018-10-27 9:10 ` David Abdurachmanov
2018-10-27 9:10 ` David Abdurachmanov
2018-10-24 20:40 ` [PATCH 2/2] RISC-V: Add support for SECCOMP Palmer Dabbelt
2018-10-24 20:40 ` Palmer Dabbelt
2018-10-24 20:40 ` Palmer Dabbelt
2018-10-24 20:40 ` Palmer Dabbelt
2018-10-24 21:42 ` Kees Cook
2018-10-24 21:42 ` Kees Cook
2018-10-24 21:42 ` Kees Cook
2018-10-24 21:42 ` Kees Cook
2018-10-24 22:34 ` Kees Cook
2018-10-24 22:34 ` Kees Cook
2018-10-24 22:34 ` Kees Cook
2018-10-25 21:02 ` Andy Lutomirski
2018-10-25 21:02 ` Andy Lutomirski
2018-10-25 21:02 ` Andy Lutomirski
2018-10-27 6:07 ` Palmer Dabbelt [this message]
2018-10-27 6:07 ` Palmer Dabbelt
2018-10-27 6:07 ` Palmer Dabbelt
2018-10-25 18:31 ` David Abdurachmanov
2018-10-25 18:31 ` David Abdurachmanov
2018-10-25 18:31 ` David Abdurachmanov
2018-10-25 20:36 ` Paul Moore
2018-10-25 20:36 ` Paul Moore
2018-10-25 20:36 ` Paul Moore
2018-10-28 11:07 ` David Abdurachmanov
2018-10-28 11:07 ` David Abdurachmanov
2018-10-28 11:07 ` David Abdurachmanov
2018-10-29 20:27 ` Palmer Dabbelt
2018-10-29 20:27 ` Palmer Dabbelt
2018-10-29 20:27 ` Palmer Dabbelt
2018-11-02 13:32 ` David Abdurachmanov
2018-11-02 13:32 ` David Abdurachmanov
2018-11-02 13:32 ` David Abdurachmanov
2018-11-02 15:51 ` Kees Cook
2018-11-02 15:51 ` Kees Cook
2018-11-02 15:51 ` Kees Cook
2018-10-27 6:07 ` Palmer Dabbelt
2018-10-27 6:07 ` Palmer Dabbelt
2018-10-27 6:07 ` Palmer Dabbelt
2018-10-27 6:07 ` Palmer Dabbelt
2018-10-27 7:55 ` Christoph Hellwig
2018-10-27 7:55 ` Christoph Hellwig
2018-10-27 7:55 ` Christoph Hellwig
2018-10-27 7:55 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=mhng-d334eb95-7c80-4070-a053-d04e9b564b74@palmer-mbp2014 \
--to=palmer@sifive.com \
--cc=aou@eecs.berkeley.edu \
--cc=david.abdurachmanov@gmail.com \
--cc=dhowells@redhat.com \
--cc=eparis@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=keescook@chromium.org \
--cc=kstewart@linuxfoundation.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=luto@amacapital.net \
--cc=paul@paul-moore.com \
--cc=pombredanne@nexb.com \
--cc=tglx@linutronix.de \
--cc=wad@chromium.org \
--cc=wesley@sifive.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.