* [PATCH 1/3] xtensa: expose syscall through user_pt_regs
2020-07-19 2:16 [PATCH 0/3] xtensa: add seccomp support Max Filippov
@ 2020-07-19 2:16 ` Max Filippov
2020-07-19 2:16 ` [PATCH 2/3] xtensa: add seccomp support Max Filippov
` (2 subsequent siblings)
3 siblings, 0 replies; 6+ messages in thread
From: Max Filippov @ 2020-07-19 2:16 UTC (permalink / raw)
To: linux-xtensa
Cc: Chris Zankel, linux-kernel, bpf, netdev, linux-kselftest, Max Filippov
Use one of the reserved slots in struct user_pt_regs to return syscall
number in the GPR regset. Update syscall number from the GPR regset only
when it's non-zero.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
---
arch/xtensa/include/uapi/asm/ptrace.h | 3 ++-
arch/xtensa/kernel/ptrace.c | 4 ++++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/arch/xtensa/include/uapi/asm/ptrace.h b/arch/xtensa/include/uapi/asm/ptrace.h
index 2ec0f9100a06..50db3e0a6341 100644
--- a/arch/xtensa/include/uapi/asm/ptrace.h
+++ b/arch/xtensa/include/uapi/asm/ptrace.h
@@ -50,7 +50,8 @@ struct user_pt_regs {
__u32 windowstart;
__u32 windowbase;
__u32 threadptr;
- __u32 reserved[7 + 48];
+ __u32 syscall;
+ __u32 reserved[6 + 48];
__u32 a[64];
};
diff --git a/arch/xtensa/kernel/ptrace.c b/arch/xtensa/kernel/ptrace.c
index 0278d7dfb4d6..437b4297948d 100644
--- a/arch/xtensa/kernel/ptrace.c
+++ b/arch/xtensa/kernel/ptrace.c
@@ -52,6 +52,7 @@ static int gpr_get(struct task_struct *target,
.threadptr = regs->threadptr,
.windowbase = regs->windowbase,
.windowstart = regs->windowstart,
+ .syscall = regs->syscall,
};
memcpy(newregs.a,
@@ -91,6 +92,9 @@ static int gpr_set(struct task_struct *target,
regs->sar = newregs.sar;
regs->threadptr = newregs.threadptr;
+ if (newregs.syscall)
+ regs->syscall = newregs.syscall;
+
if (newregs.windowbase != regs->windowbase ||
newregs.windowstart != regs->windowstart) {
u32 rotws, wmask;
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 2/3] xtensa: add seccomp support
2020-07-19 2:16 [PATCH 0/3] xtensa: add seccomp support Max Filippov
2020-07-19 2:16 ` [PATCH 1/3] xtensa: expose syscall through user_pt_regs Max Filippov
@ 2020-07-19 2:16 ` Max Filippov
2020-07-19 2:16 ` [PATCH 3/3] selftests/seccomp: add xtensa support Max Filippov
2020-09-11 19:38 ` [PATCH 0/3] xtensa: add seccomp support Kees Cook
3 siblings, 0 replies; 6+ messages in thread
From: Max Filippov @ 2020-07-19 2:16 UTC (permalink / raw)
To: linux-xtensa
Cc: Chris Zankel, linux-kernel, bpf, netdev, linux-kselftest, Max Filippov
Add SECCOMP to xtensa Kconfig, select HAVE_ARCH_SECCOMP_FILTER, add
TIF_SECCOMP and call secure_computing from do_syscall_trace_enter.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
---
.../seccomp/seccomp-filter/arch-support.txt | 2 +-
arch/xtensa/Kconfig | 15 +++++++++++++++
arch/xtensa/include/asm/Kbuild | 1 +
arch/xtensa/include/asm/thread_info.h | 5 ++++-
arch/xtensa/kernel/ptrace.c | 4 +++-
5 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/Documentation/features/seccomp/seccomp-filter/arch-support.txt b/Documentation/features/seccomp/seccomp-filter/arch-support.txt
index c7b837f735b1..7b3ec8ea174a 100644
--- a/Documentation/features/seccomp/seccomp-filter/arch-support.txt
+++ b/Documentation/features/seccomp/seccomp-filter/arch-support.txt
@@ -30,5 +30,5 @@
| um: | ok |
| unicore32: | TODO |
| x86: | ok |
- | xtensa: | TODO |
+ | xtensa: | ok |
-----------------------
diff --git a/arch/xtensa/Kconfig b/arch/xtensa/Kconfig
index a7def0991a01..a461ee051e73 100644
--- a/arch/xtensa/Kconfig
+++ b/arch/xtensa/Kconfig
@@ -24,6 +24,7 @@ config XTENSA
select HAVE_ARCH_AUDITSYSCALL
select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL
select HAVE_ARCH_KASAN if MMU && !XIP_KERNEL
+ select HAVE_ARCH_SECCOMP_FILTER
select HAVE_ARCH_TRACEHOOK
select HAVE_COPY_THREAD_TLS
select HAVE_DEBUG_KMEMLEAK
@@ -217,6 +218,20 @@ config HOTPLUG_CPU
Say N if you want to disable CPU hotplug.
+config SECCOMP
+ bool
+ prompt "Enable seccomp to safely compute untrusted bytecode"
+ help
+ This kernel feature is useful for number crunching applications
+ that may need to compute untrusted bytecode during their
+ execution. By using pipes or other transports made available to
+ the process as file descriptors supporting the read/write
+ syscalls, it's possible to isolate those applications in
+ their own address space using seccomp. Once seccomp is
+ enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
+ and the task is only allowed to execute a few safe syscalls
+ defined by each seccomp mode.
+
config FAST_SYSCALL_XTENSA
bool "Enable fast atomic syscalls"
default n
diff --git a/arch/xtensa/include/asm/Kbuild b/arch/xtensa/include/asm/Kbuild
index 9718e9593564..c59c42a1221a 100644
--- a/arch/xtensa/include/asm/Kbuild
+++ b/arch/xtensa/include/asm/Kbuild
@@ -7,4 +7,5 @@ generic-y += mcs_spinlock.h
generic-y += param.h
generic-y += qrwlock.h
generic-y += qspinlock.h
+generic-y += seccomp.h
generic-y += user.h
diff --git a/arch/xtensa/include/asm/thread_info.h b/arch/xtensa/include/asm/thread_info.h
index c49cc4a1f39a..8918f0f20c53 100644
--- a/arch/xtensa/include/asm/thread_info.h
+++ b/arch/xtensa/include/asm/thread_info.h
@@ -112,6 +112,7 @@ static inline struct thread_info *current_thread_info(void)
#define TIF_NOTIFY_RESUME 7 /* callback before returning to user */
#define TIF_DB_DISABLED 8 /* debug trap disabled for syscall */
#define TIF_SYSCALL_AUDIT 9 /* syscall auditing active */
+#define TIF_SECCOMP 10 /* secure computing */
#define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE)
#define _TIF_SIGPENDING (1<<TIF_SIGPENDING)
@@ -119,9 +120,11 @@ static inline struct thread_info *current_thread_info(void)
#define _TIF_SINGLESTEP (1<<TIF_SINGLESTEP)
#define _TIF_SYSCALL_TRACEPOINT (1<<TIF_SYSCALL_TRACEPOINT)
#define _TIF_SYSCALL_AUDIT (1<<TIF_SYSCALL_AUDIT)
+#define _TIF_SECCOMP (1<<TIF_SECCOMP)
#define _TIF_WORK_MASK (_TIF_SYSCALL_TRACE | _TIF_SINGLESTEP | \
- _TIF_SYSCALL_TRACEPOINT | _TIF_SYSCALL_AUDIT)
+ _TIF_SYSCALL_TRACEPOINT | \
+ _TIF_SYSCALL_AUDIT | _TIF_SECCOMP)
#define THREAD_SIZE KERNEL_STACK_SIZE
#define THREAD_SIZE_ORDER (KERNEL_STACK_SHIFT - PAGE_SHIFT)
diff --git a/arch/xtensa/kernel/ptrace.c b/arch/xtensa/kernel/ptrace.c
index 437b4297948d..ce4a32bd2294 100644
--- a/arch/xtensa/kernel/ptrace.c
+++ b/arch/xtensa/kernel/ptrace.c
@@ -22,6 +22,7 @@
#include <linux/regset.h>
#include <linux/sched.h>
#include <linux/sched/task_stack.h>
+#include <linux/seccomp.h>
#include <linux/security.h>
#include <linux/signal.h>
#include <linux/smp.h>
@@ -559,7 +560,8 @@ int do_syscall_trace_enter(struct pt_regs *regs)
return 0;
}
- if (regs->syscall == NO_SYSCALL) {
+ if (regs->syscall == NO_SYSCALL ||
+ secure_computing() == -1) {
do_syscall_trace_leave(regs);
return 0;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 3/3] selftests/seccomp: add xtensa support
2020-07-19 2:16 [PATCH 0/3] xtensa: add seccomp support Max Filippov
2020-07-19 2:16 ` [PATCH 1/3] xtensa: expose syscall through user_pt_regs Max Filippov
2020-07-19 2:16 ` [PATCH 2/3] xtensa: add seccomp support Max Filippov
@ 2020-07-19 2:16 ` Max Filippov
2020-09-11 19:38 ` [PATCH 0/3] xtensa: add seccomp support Kees Cook
3 siblings, 0 replies; 6+ messages in thread
From: Max Filippov @ 2020-07-19 2:16 UTC (permalink / raw)
To: linux-xtensa
Cc: Chris Zankel, linux-kernel, bpf, netdev, linux-kselftest, Max Filippov
Xtensa returns syscall number can be obtained and changed through the
struct user_pt_regs. Syscall return value register is fixed relatively
to the current register window in the user_pt_regs, so it needs a bit of
special treatment.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index 252140a52553..1b445c2e7fbe 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -122,6 +122,8 @@ struct seccomp_data {
# define __NR_seccomp 358
# elif defined(__s390__)
# define __NR_seccomp 348
+# elif defined(__xtensa__)
+# define __NR_seccomp 337
# else
# warning "seccomp syscall number unknown for this architecture"
# define __NR_seccomp 0xffff
@@ -1622,6 +1624,14 @@ TEST_F(TRACE_poke, getpid_runs_normally)
# define SYSCALL_SYSCALL_NUM regs[4]
# define SYSCALL_RET regs[2]
# define SYSCALL_NUM_RET_SHARE_REG
+#elif defined(__xtensa__)
+# define ARCH_REGS struct user_pt_regs
+# define SYSCALL_NUM syscall
+/*
+ * On xtensa syscall return value is in the register
+ * a2 of the current window which is not fixed.
+ */
+#define SYSCALL_RET(reg) a[(reg).windowbase * 4 + 2]
#else
# error "Do not know how to find your architecture's registers and syscalls"
#endif
@@ -1693,7 +1703,8 @@ void change_syscall(struct __test_metadata *_metadata,
EXPECT_EQ(0, ret) {}
#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc__) || \
- defined(__s390__) || defined(__hppa__) || defined(__riscv)
+ defined(__s390__) || defined(__hppa__) || defined(__riscv) || \
+ defined(__xtensa__)
{
regs.SYSCALL_NUM = syscall;
}
@@ -1736,6 +1747,9 @@ void change_syscall(struct __test_metadata *_metadata,
if (syscall == -1)
#ifdef SYSCALL_NUM_RET_SHARE_REG
TH_LOG("Can't modify syscall return on this architecture");
+
+#elif defined(__xtensa__)
+ regs.SYSCALL_RET(regs) = result;
#else
regs.SYSCALL_RET = result;
#endif
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 0/3] xtensa: add seccomp support
2020-07-19 2:16 [PATCH 0/3] xtensa: add seccomp support Max Filippov
` (2 preceding siblings ...)
2020-07-19 2:16 ` [PATCH 3/3] selftests/seccomp: add xtensa support Max Filippov
@ 2020-09-11 19:38 ` Kees Cook
2020-09-11 19:58 ` Max Filippov
3 siblings, 1 reply; 6+ messages in thread
From: Kees Cook @ 2020-09-11 19:38 UTC (permalink / raw)
To: Max Filippov
Cc: linux-xtensa, Chris Zankel, linux-kernel, bpf, netdev, linux-kselftest
On Sat, Jul 18, 2020 at 07:16:51PM -0700, Max Filippov wrote:
> Hello,
>
> this series adds support for seccomp filter on xtensa and updates
> selftests/seccomp.
Hi!
Firstly, thanks for adding seccomp support! :) I would, however, ask
that you CC maintainers on these kinds of changes for feedback. I was
surprised to find the changes in the seccomp selftests today in Linus's
tree. I didn't seem to get CCed on this series, even though
get_maintainers shows this:
$ ./scripts/get_maintainer.pl 0001-selftests-seccomp-add-xtensa-support.mbox
Kees Cook <keescook@chromium.org> (supporter:SECURE COMPUTING)
Andy Lutomirski <luto@amacapital.net> (reviewer:SECURE COMPUTING)
Will Drewry <wad@chromium.org> (reviewer:SECURE COMPUTING)
Shuah Khan <shuah@kernel.org> (maintainer:KERNEL SELFTEST FRAMEWORK)
...
Regardless, I'm still glad to have more arch support! :) I'll send a
follow-up patch to refactor a bit of the selftest.
Thanks,
--
Kees Cook
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 0/3] xtensa: add seccomp support
2020-09-11 19:38 ` [PATCH 0/3] xtensa: add seccomp support Kees Cook
@ 2020-09-11 19:58 ` Max Filippov
0 siblings, 0 replies; 6+ messages in thread
From: Max Filippov @ 2020-09-11 19:58 UTC (permalink / raw)
To: Kees Cook
Cc: open list:TENSILICA XTENSA PORT (xtensa),
Chris Zankel, LKML, bpf, netdev, linux-kselftest
On Fri, Sep 11, 2020 at 12:38 PM Kees Cook <keescook@chromium.org> wrote:
> On Sat, Jul 18, 2020 at 07:16:51PM -0700, Max Filippov wrote:
> > Hello,
> >
> > this series adds support for seccomp filter on xtensa and updates
> > selftests/seccomp.
>
> Hi!
>
> Firstly, thanks for adding seccomp support! :) I would, however, ask
> that you CC maintainers on these kinds of changes for feedback. I was
> surprised to find the changes in the seccomp selftests today in Linus's
> tree. I didn't seem to get CCed on this series, even though
> get_maintainers shows this:
>
> $ ./scripts/get_maintainer.pl 0001-selftests-seccomp-add-xtensa-support.mbox
> Kees Cook <keescook@chromium.org> (supporter:SECURE COMPUTING)
> Andy Lutomirski <luto@amacapital.net> (reviewer:SECURE COMPUTING)
> Will Drewry <wad@chromium.org> (reviewer:SECURE COMPUTING)
> Shuah Khan <shuah@kernel.org> (maintainer:KERNEL SELFTEST FRAMEWORK)
> ...
Sorry about that. Looks like I've filtered out too much of the cc: list.
I'll fix my workflow.
> Regardless, I'm still glad to have more arch support! :) I'll send a
> follow-up patch to refactor a bit of the selftest.
--
Thanks.
-- Max
^ permalink raw reply [flat|nested] 6+ messages in thread