Linux-m68k Archive on lore.kernel.org
 help / color / Atom feed
From: Geert Uytterhoeven <geert@linux-m68k.org>
To: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Cc: Michael Schmitz <schmitzmic@gmail.com>,
	Linux/m68k <linux-m68k@vger.kernel.org>,
	Andreas Schwab <schwab@linux-m68k.org>,
	Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
Subject: Re: [PATCH] m68k/kernel - wire up syscall_trace_enter/leave for m68k
Date: Wed, 26 Aug 2020 16:22:16 +0200 (CEST)
Message-ID: <alpine.DEB.2.21.2008261612360.2926@ramsan.of.borg> (raw)
In-Reply-To: <266db1b5-c470-4f94-264a-577673dd902f@physik.fu-berlin.de>

 	Hi Adrian,

On Wed, 26 Aug 2020, John Paul Adrian Glaubitz wrote:
> On 8/26/20 2:38 PM, Geert Uytterhoeven wrote:
>>> That part is outdated. It was removed in the second commit I posted, see:
>>>
>>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/arch/sh?id=0bb605c2c7f2b4b314b91510810b226de7f34fa1
>>
>> That's the part which adds seccomp filter support.
>>
>>> Do you have the check of the return value already in syscall_trace_entry?
>>>
>>> It should check for "-1" and jump to syscall_exit if true.
>>
>> No, as that's needed only for seccomp filter support, AFAIU.
>>
>> Have a look at arm, where seccomp filter support is optional, depending on ABI.
>
> As far as I know, filter support is mandatory these days. At least for SH, libseccomp
> sent me away with my PR and told me to come back until the kernel has filter support.

OK.

> Maybe I'm missing something but let's put Michael Karcher in the loop, he knows better
> as he helped me with the kernel parts of SECCOMP on SH.

More work on top of the previous patch. It starts to look better:

    -FAILED: 13 / 86 tests passed.
    +FAILED: 35 / 86 tests passed.

But there are still fishy failures.  Most popular one is:

     Test exited normally instead of by signal (code: 0)

And things like:

     Expected 0 (0) == syscall(__NR_getpid) (705)
     Expected 0 (-270272472) == ptrace(PTRACE_GETREGS, tracee, 0, &regs) (0)



From 1ae515061575024081af930f4e5f9283910648de Mon Sep 17 00:00:00 2001
From: Geert Uytterhoeven <geert@linux-m68k.org>
Date: Wed, 26 Aug 2020 16:11:35 +0200
Subject: [PATCH] [WIP] seccomp filter support

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
---
  arch/m68k/68000/entry.S         |  2 ++
  arch/m68k/Kconfig               |  1 +
  arch/m68k/coldfire/entry.S      |  2 ++
  arch/m68k/include/asm/syscall.h | 41 +++++++++++++++++++++++++++++++++
  arch/m68k/kernel/ptrace.c       |  3 ++-
  5 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/arch/m68k/68000/entry.S b/arch/m68k/68000/entry.S
index 259b3661b614168f..3526970e3c10535f 100644
--- a/arch/m68k/68000/entry.S
+++ b/arch/m68k/68000/entry.S
@@ -47,6 +47,8 @@ do_trace:
  	jbsr	syscall_trace_enter
  	RESTORE_SWITCH_STACK
  	addql	#4,%sp
+	tstl	%d0
+	jne	ret_from_exception
  	movel	%sp@(PT_OFF_ORIG_D0),%d1
  	movel	#-ENOSYS,%d0
  	cmpl	#NR_syscalls,%d1
diff --git a/arch/m68k/Kconfig b/arch/m68k/Kconfig
index 29ab228a9a721939..2166c9d84794a969 100644
--- a/arch/m68k/Kconfig
+++ b/arch/m68k/Kconfig
@@ -19,6 +19,7 @@ config M68K
  	select GENERIC_STRNCPY_FROM_USER if MMU
  	select GENERIC_STRNLEN_USER if MMU
  	select HAVE_AOUT if MMU
+	select HAVE_ARCH_SECCOMP_FILTER
  	select HAVE_ASM_MODVERSIONS
  	select HAVE_DEBUG_BUGVERBOSE
  	select HAVE_FUTEX_CMPXCHG if MMU && FUTEX
diff --git a/arch/m68k/coldfire/entry.S b/arch/m68k/coldfire/entry.S
index d43a02795a4a445e..13bf787968273165 100644
--- a/arch/m68k/coldfire/entry.S
+++ b/arch/m68k/coldfire/entry.S
@@ -92,6 +92,8 @@ ENTRY(system_call)
  	jbsr	syscall_trace_enter
  	RESTORE_SWITCH_STACK
  	addql	#4,%sp
+	tstl	%d0
+	jne	ret_from_exception
  	movel	%d3,%a0
  	jbsr	%a0@
  	movel	%d0,%sp@(PT_OFF_D0)		/* save the return value */
diff --git a/arch/m68k/include/asm/syscall.h b/arch/m68k/include/asm/syscall.h
index 465ac039be09a1b8..ac0f5d997be63b07 100644
--- a/arch/m68k/include/asm/syscall.h
+++ b/arch/m68k/include/asm/syscall.h
@@ -4,6 +4,47 @@

  #include <uapi/linux/audit.h>

+static inline long syscall_get_nr(struct task_struct *tsk,
+				  struct pt_regs *regs)
+{
+	return regs->orig_d0;
+}
+
+static inline void syscall_rollback(struct task_struct *task,
+				    struct pt_regs *regs)
+{
+	regs->d0 = regs->orig_d0;
+}
+
+static inline long syscall_get_return_value(struct task_struct *task,
+					    struct pt_regs *regs)
+{
+	return regs->d0;
+}
+
+static inline void syscall_set_return_value(struct task_struct *task,
+					    struct pt_regs *regs,
+					    int error, long val)
+{
+	regs->d0 = error ?: val;
+}
+
+static inline void syscall_get_arguments(struct task_struct *tsk,
+					 struct pt_regs *regs,
+					 unsigned long *args)
+{
+	memcpy(args, &regs->d1, 6 * sizeof(args[0]));
+}
+
+static inline void syscall_set_arguments(struct task_struct *task,
+					 struct pt_regs *regs,
+					 unsigned int i, unsigned int n,
+					 const unsigned long *args)
+{
+	BUG_ON(i + n > 6);
+	memcpy(&regs->d1 + i, args, n * sizeof(args[0]));
+}
+
  static inline int syscall_get_arch(struct task_struct *task)
  {
  	return AUDIT_ARCH_M68K;
diff --git a/arch/m68k/kernel/ptrace.c b/arch/m68k/kernel/ptrace.c
index ec5653b85dcdb4f9..a3a0a230dcdfc953 100644
--- a/arch/m68k/kernel/ptrace.c
+++ b/arch/m68k/kernel/ptrace.c
@@ -279,7 +279,8 @@ asmlinkage int syscall_trace_enter(void)
  	if (test_thread_flag(TIF_SYSCALL_TRACE))
  		ret = tracehook_report_syscall_entry(task_pt_regs(current));

-	secure_computing_strict(task_pt_regs(current)->orig_d0);
+	if (secure_computing())
+		return -1;

  	return ret;
  }
-- 
2.17.1



Gr{oetje,eeting}s,

 						Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
 							    -- Linus Torvalds

  reply index

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-23 10:03 syscall_trace_enter and syscall_trace_leave for m68k w/MMU John Paul Adrian Glaubitz
2020-07-23 22:56 ` Michael Schmitz
2020-07-25  1:48 ` [PATCH RFC] m68k/kernel - wire up syscall_trace_enter/leave for m68k Michael Schmitz
2020-07-26  1:28 ` [PATCH RFC v2] " Michael Schmitz
2020-07-27  4:19 ` [PATCH] " Michael Schmitz
2020-07-27 10:03   ` John Paul Adrian Glaubitz
2020-07-27 20:48     ` Michael Schmitz
2020-07-27 21:09       ` John Paul Adrian Glaubitz
2020-08-26 11:18         ` Geert Uytterhoeven
2020-08-26 11:50           ` John Paul Adrian Glaubitz
2020-08-26 11:23   ` Geert Uytterhoeven
2020-08-26 11:27     ` John Paul Adrian Glaubitz
2020-08-26 12:32       ` Geert Uytterhoeven
2020-08-26 12:35         ` John Paul Adrian Glaubitz
2020-08-26 12:38           ` Geert Uytterhoeven
2020-08-26 12:42             ` John Paul Adrian Glaubitz
2020-08-26 14:22               ` Geert Uytterhoeven [this message]
2020-08-27  0:08     ` Michael Schmitz
2020-08-27  9:19       ` Geert Uytterhoeven
2020-08-27 19:29         ` Michael Schmitz
2020-08-28  8:58           ` Geert Uytterhoeven
2020-08-05 12:23 ` syscall_trace_enter and syscall_trace_leave for m68k w/MMU Greg Ungerer
2020-08-05 12:36   ` John Paul Adrian Glaubitz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alpine.DEB.2.21.2008261612360.2926@ramsan.of.borg \
    --to=geert@linux-m68k.org \
    --cc=glaubitz@physik.fu-berlin.de \
    --cc=kernel@mkarcher.dialup.fu-berlin.de \
    --cc=linux-m68k@vger.kernel.org \
    --cc=schmitzmic@gmail.com \
    --cc=schwab@linux-m68k.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-m68k Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-m68k/0 linux-m68k/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-m68k linux-m68k/ https://lore.kernel.org/linux-m68k \
		linux-m68k@vger.kernel.org linux-m68k@lists.linux-m68k.org
	public-inbox-index linux-m68k

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-m68k


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git