From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.2 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 585A6C433E2 for ; Sat, 29 Aug 2020 01:56:19 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3689B207BB for ; Sat, 29 Aug 2020 01:56:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726584AbgH2B4O (ORCPT ); Fri, 28 Aug 2020 21:56:14 -0400 Received: from brightrain.aerifal.cx ([216.12.86.13]:47880 "EHLO brightrain.aerifal.cx" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726392AbgH2B4O (ORCPT ); Fri, 28 Aug 2020 21:56:14 -0400 Date: Fri, 28 Aug 2020 21:56:13 -0400 From: Rich Felker To: linux-kernel@vger.kernel.org Cc: Kees Cook , Andy Lutomirski , Will Drewry Subject: [PATCH] seccomp: kill process instead of thread for unknown actions Message-ID: <20200829015609.GA32566@brightrain.aerifal.cx> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Asynchronous termination of a thread outside of the userspace thread library's knowledge is an unsafe operation that leaves the process in an inconsistent, corrupt, and possibly unrecoverable state. In order to make new actions that may be added in the future safe on kernels not aware of them, change the default action from SECCOMP_RET_KILL_THREAD to SECCOMP_RET_KILL_PROCESS. Signed-off-by: Rich Felker --- This fundamental problem with SECCOMP_RET_KILL_THREAD, and that it should be considered unsafe and deprecated, was recently noted/fixed seccomp in the man page and its example. Here I've only changed the default action for new/unknown action codes. Ideally the behavior for strict seccomp mode would be changed too but I think that breaks stability policy; in any case it's less likely to be an issue since strict mode is hard or impossible to use reasonably in a multithreaded process. Unfortunately changing this now won't help older kernels where unknown new actions would still be handled unsafely, but at least it makes it so the problem will fade away over time. kernel/seccomp.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index d653d8426de9..ce1875fa6b39 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -910,10 +910,10 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, seccomp_init_siginfo(&info, this_syscall, data); do_coredump(&info); } - if (action == SECCOMP_RET_KILL_PROCESS) - do_group_exit(SIGSYS); - else + if (action == SECCOMP_RET_KILL_THREAD) do_exit(SIGSYS); + else + do_group_exit(SIGSYS); } unreachable(); -- 2.21.0