linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Palmer Dabbelt <palmer@sifive.com>
To: linux-riscv@lists.infradead.org
Cc: Palmer Dabbelt <palmer@sifive.com>,
	aou@eecs.berkeley.edu, paul@paul-moore.com, eparis@redhat.com,
	keescook@chromium.org, luto@amacapital.net, wad@chromium.org,
	Wesley Terpstra <wesley@sifive.com>,
	dhowells@redhat.com, tglx@linutronix.de, pombredanne@nexb.com,
	Greg KH <gregkh@linuxfoundation.org>,
	kstewart@linuxfoundation.org, linux-riscv@lists.infradead.org,
	linux-kernel@vger.kernel.org, linux-audit@redhat.com,
	david.abdurachmanov@gmail.com, linux-kernel@vger.kernel.org
Subject: [PATCH 2/2] RISC-V: Add support for SECCOMP
Date: Wed, 24 Oct 2018 13:40:36 -0700	[thread overview]
Message-ID: <20181024204036.8799-3-palmer@sifive.com> (raw)
In-Reply-To: <20181024204036.8799-1-palmer@sifive.com>

From: "Wesley W. Terpstra" <wesley@sifive.com>

This is a fairly straight-forward implementation of seccomp for RISC-V
systems.

Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
---
 arch/riscv/Kconfig                   | 18 ++++++++++++++++++
 arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
 arch/riscv/include/asm/syscall.h     |  6 ++++++
 arch/riscv/include/asm/thread_info.h |  1 +
 include/uapi/linux/audit.h           |  1 +
 5 files changed, 36 insertions(+)
 create mode 100644 arch/riscv/include/asm/seccomp.h

diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
index a344980287a5..28abe47602a1 100644
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -28,6 +28,7 @@ config RISCV
 	select GENERIC_STRNLEN_USER
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
+	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_MEMBLOCK
 	select HAVE_MEMBLOCK_NODE_MAP
 	select HAVE_DMA_CONTIGUOUS
@@ -214,6 +215,22 @@ menu "Kernel type"
 
 source "kernel/Kconfig.hz"
 
+config SECCOMP
+	bool "Enable seccomp to safely compute untrusted bytecode"
+
+	help
+	  This kernel feature is useful for number crunching applications
+	  that may need to compute untrusted bytecode during their
+	  execution. By using pipes or other transports made available to
+	  the process as file descriptors supporting the read/write
+	  syscalls, it's possible to isolate those applications in
+	  their own address space using seccomp. Once seccomp is
+	  enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
+	  and the task is only allowed to execute a few safe syscalls
+	  defined by each seccomp mode.
+
+	  If unsure, say Y. Only embedded should say N here.
+
 endmenu
 
 menu "Bus support"
@@ -243,3 +260,4 @@ menu "Power management options"
 source kernel/power/Kconfig
 
 endmenu
+
diff --git a/arch/riscv/include/asm/seccomp.h b/arch/riscv/include/asm/seccomp.h
new file mode 100644
index 000000000000..c1b4407f1038
--- /dev/null
+++ b/arch/riscv/include/asm/seccomp.h
@@ -0,0 +1,10 @@
+/* Copyright 2018 SiFive, Inc. */
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_RISCV_SECCOMP_H
+#define _ASM_RISCV_SECCOMP_H
+
+#include <asm/unistd.h>
+
+#include <asm-generic/seccomp.h>
+
+#endif /* _ASM_RISCV_SECCOMP_H */
diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
index 8d25f8904c00..d24f774f39df 100644
--- a/arch/riscv/include/asm/syscall.h
+++ b/arch/riscv/include/asm/syscall.h
@@ -19,6 +19,7 @@
 #define _ASM_RISCV_SYSCALL_H
 
 #include <linux/sched.h>
+#include <uapi/linux/audit.h>
 #include <linux/err.h>
 
 /* The array of function pointers for syscalls. */
@@ -99,4 +100,9 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(&regs->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
 }
 
+static inline int syscall_get_arch(void)
+{
+	return AUDIT_ARCH_RISCV;
+}
+
 #endif	/* _ASM_RISCV_SYSCALL_H */
diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h
index f8fa1cd2dad9..374973dc05c6 100644
--- a/arch/riscv/include/asm/thread_info.h
+++ b/arch/riscv/include/asm/thread_info.h
@@ -80,6 +80,7 @@ struct thread_info {
 #define TIF_RESTORE_SIGMASK	4	/* restore signal mask in do_signal() */
 #define TIF_MEMDIE		5	/* is terminating due to OOM killer */
 #define TIF_SYSCALL_TRACEPOINT  6       /* syscall tracepoint instrumentation */
+#define TIF_SECCOMP		7	/* seccomp syscall filtering active */
 
 #define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
 #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 818ae690ab79..c16fa1a76659 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -399,6 +399,7 @@ enum {
 /* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
 #define AUDIT_ARCH_PPC64	(EM_PPC64|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_PPC64LE	(EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_RISCV	(EM_RISCV)
 #define AUDIT_ARCH_S390		(EM_S390)
 #define AUDIT_ARCH_S390X	(EM_S390|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_SH		(EM_SH)
-- 
2.18.1


  parent reply	other threads:[~2018-10-24 20:40 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <CAEn-LTqbEmWovu4t7Rs4C211+GRRU4V3B=+WmW0SOhX_b8db5Q@mail.gmail.com>
2018-10-24 20:40 ` [PATCH 0/2] RISC-V: Add support for SECCOMP Palmer Dabbelt
2018-10-24 20:40   ` [PATCH 1/2] Move EM_RISCV into elf-em.h Palmer Dabbelt
2018-10-24 21:26     ` Kees Cook
2018-10-27  7:46     ` Christoph Hellwig
2018-10-27  9:10       ` David Abdurachmanov
2018-10-24 20:40   ` Palmer Dabbelt [this message]
2018-10-24 21:42     ` [PATCH 2/2] RISC-V: Add support for SECCOMP Kees Cook
2018-10-24 22:34       ` Kees Cook
2018-10-25 21:02       ` Andy Lutomirski
2018-10-27  6:07         ` Palmer Dabbelt
2018-10-25 18:31     ` David Abdurachmanov
2018-10-25 20:36       ` Paul Moore
2018-10-28 11:07         ` David Abdurachmanov
2018-10-29 20:27           ` Palmer Dabbelt
2018-11-02 13:32             ` David Abdurachmanov
2018-11-02 15:51               ` Kees Cook
2018-10-27  6:07       ` Palmer Dabbelt
2018-10-27  7:55     ` Christoph Hellwig

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181024204036.8799-3-palmer@sifive.com \
    --to=palmer@sifive.com \
    --cc=aou@eecs.berkeley.edu \
    --cc=david.abdurachmanov@gmail.com \
    --cc=dhowells@redhat.com \
    --cc=eparis@redhat.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=keescook@chromium.org \
    --cc=kstewart@linuxfoundation.org \
    --cc=linux-audit@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-riscv@lists.infradead.org \
    --cc=luto@amacapital.net \
    --cc=paul@paul-moore.com \
    --cc=pombredanne@nexb.com \
    --cc=tglx@linutronix.de \
    --cc=wad@chromium.org \
    --cc=wesley@sifive.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).