linux-kernel.vger.kernel.org archive mirror
* [PATCH v3 0/4] um: Add seccomp support
@ 2015-12-29 20:35 Mickaël Salaün
  2015-12-29 20:35 ` [PATCH v3 1/4] um: Fix ptrace GETREGS/SETREGS bugs Mickaël Salaün
                   ` (5 more replies)
  0 siblings, 6 replies; 9+ messages in thread
From: Mickaël Salaün @ 2015-12-29 20:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Mickaël Salaün, Jeff Dike, Richard Weinberger,
	Thomas Gleixner, Ingo Molnar, H . Peter Anvin, x86, Kees Cook,
	Andy Lutomirski, Will Drewry, Shuah Khan, Chris Metcalf,
	Michael Ellerman, Andrew Morton, James Hogan, Thomas Meyer,
	Nicolas Iooss, Anton Ivanov, user-mode-linux-devel,
	Meredydd Luff, David Drysdale

This series adds seccomp support to User-mode Linux (i386 and x86_64
subarchitectures) and fixes ptrace issues. This applies on v4.4-rc7 and passes all
the 48 tests from selftest/seccomp plus the UML ptsc test.

Changes since v2:
* remove get_syscall() from os.h and don't include it in syscall.c [1/4]
* rebase to v4.4-rc7

Changes since v1; addressed Richard Weinberger's comments:
* fix a new PTRACE_SETREGS bug on x86_64 [1/4]
* fix an old PTRACE_SETREGS bug when updating orig_ax on i386 [1/4]

Regards,
 Mickaël

Mickaël Salaün (4):
  um: Fix ptrace GETREGS/SETREGS bugs
  selftests/seccomp: Remove the need for HAVE_ARCH_TRACEHOOK
  um: Add full asm/syscall.h support
  um: Add seccomp support

 .../seccomp/seccomp-filter/arch-support.txt        |   2 +-
 arch/um/Kconfig.common                             |   1 +
 arch/um/Kconfig.um                                 |  16 +++
 arch/um/include/asm/syscall-generic.h              | 138 +++++++++++++++++++++
 arch/um/include/asm/thread_info.h                  |   2 +
 arch/um/include/shared/os.h                        |   1 -
 arch/um/kernel/skas/syscall.c                      |  31 +++--
 arch/um/os-Linux/skas/process.c                    |   7 --
 arch/x86/um/asm/syscall.h                          |   1 +
 arch/x86/um/ptrace_32.c                            |   8 +-
 tools/testing/selftests/seccomp/seccomp_bpf.c      |  27 +++-
 11 files changed, 205 insertions(+), 29 deletions(-)
 create mode 100644 arch/um/include/asm/syscall-generic.h

-- 
2.6.4



* [PATCH v3 1/4] um: Fix ptrace GETREGS/SETREGS bugs
  2015-12-29 20:35 [PATCH v3 0/4] um: Add seccomp support Mickaël Salaün
@ 2015-12-29 20:35 ` Mickaël Salaün
  2015-12-29 20:35 ` [PATCH v3 2/4] selftests/seccomp: Remove the need for HAVE_ARCH_TRACEHOOK Mickaël Salaün
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Mickaël Salaün @ 2015-12-29 20:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Mickaël Salaün, Jeff Dike, Richard Weinberger,
	Thomas Gleixner, Ingo Molnar, H . Peter Anvin, x86, Kees Cook,
	Andy Lutomirski, Will Drewry, Shuah Khan, Chris Metcalf,
	Michael Ellerman, Andrew Morton, James Hogan, Thomas Meyer,
	Nicolas Iooss, Anton Ivanov, user-mode-linux-devel,
	Meredydd Luff, David Drysdale

This fixes two related bugs:
* PTRACE_GETREGS doesn't get the right orig_ax (syscall) value
* PTRACE_SETREGS can't set the orig_ax value (erased by initial value)

Get rid of the now useless and error-prone get_syscall().

Fix inconsistent behavior in the ptrace implementation for i386, where
updating orig_eax automatically updates the syscall number as well. This
is now updated in handle_syscall().

Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Cc: Thomas Meyer <thomas@m3y3r.de>
Cc: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Cc: Anton Ivanov <aivanov@brocade.com>
Cc: Meredydd Luff <meredydd@senatehouse.org>
Cc: David Drysdale <drysdale@google.com>
---
 arch/um/include/shared/os.h     |  1 -
 arch/um/kernel/skas/syscall.c   | 26 ++++++++++++++------------
 arch/um/os-Linux/skas/process.c |  7 -------
 arch/x86/um/ptrace_32.c         |  8 +++-----
 4 files changed, 17 insertions(+), 25 deletions(-)

diff --git a/arch/um/include/shared/os.h b/arch/um/include/shared/os.h
index 868e6c3f83dd..21d704b82e09 100644
--- a/arch/um/include/shared/os.h
+++ b/arch/um/include/shared/os.h
@@ -282,7 +282,6 @@ extern void initial_thread_cb_skas(void (*proc)(void *),
 				 void *arg);
 extern void halt_skas(void);
 extern void reboot_skas(void);
-extern int get_syscall(struct uml_pt_regs *regs);
 
 /* irq.c */
 extern int os_waiting_for_events(struct irq_fd *active_fds);
diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c
index 1683b8efdfda..6cadce761bcf 100644
--- a/arch/um/kernel/skas/syscall.c
+++ b/arch/um/kernel/skas/syscall.c
@@ -7,29 +7,31 @@
 #include <linux/ptrace.h>
 #include <kern_util.h>
 #include <sysdep/ptrace.h>
+#include <sysdep/ptrace_user.h>
 #include <sysdep/syscalls.h>
-#include <os.h>
 
 void handle_syscall(struct uml_pt_regs *r)
 {
 	struct pt_regs *regs = container_of(r, struct pt_regs, regs);
-	long result;
 	int syscall;
 
-	if (syscall_trace_enter(regs)) {
-		result = -ENOSYS;
+	/* Initialize the syscall number and default return value. */
+	UPT_SYSCALL_NR(r) = PT_SYSCALL_NR(r->gp);
+	PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS);
+
+	if (syscall_trace_enter(regs))
 		goto out;
-	}
 
-	syscall = get_syscall(r);
+	/* Update the syscall number after orig_ax has potentially been updated
+	 * with ptrace.
+	 */
+	UPT_SYSCALL_NR(r) = PT_SYSCALL_NR(r->gp);
+	syscall = UPT_SYSCALL_NR(r);
 
-	if ((syscall > __NR_syscall_max) || syscall < 0)
-		result = -ENOSYS;
-	else
-		result = EXECUTE_SYSCALL(syscall, regs);
+	if (syscall >= 0 && syscall <= __NR_syscall_max)
+		PT_REGS_SET_SYSCALL_RETURN(regs,
+				EXECUTE_SYSCALL(syscall, regs));
 
 out:
-	PT_REGS_SET_SYSCALL_RETURN(regs, result);
-
 	syscall_trace_leave(regs);
 }
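Review bot: the range check "if (syscall >= 0 && syscall <= __NR_syscall_max)" no longer has an else branch, so an out-of-range number now depends on the -ENOSYS default written before syscall_trace_enter(). Please add a short comment at the check saying the default is deliberate and that the return register is left as it stands after tracing, so nobody re-adds the else. Style: the new multi-line comment starts its text on the "/*" line; the usual kernel form puts "/*" on a line of its own.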
diff --git a/arch/um/os-Linux/skas/process.c b/arch/um/os-Linux/skas/process.c
index b856c66ebd3a..23025d645160 100644
--- a/arch/um/os-Linux/skas/process.c
+++ b/arch/um/os-Linux/skas/process.c
@@ -172,13 +172,6 @@ static void handle_trap(int pid, struct uml_pt_regs *regs,
 	handle_syscall(regs);
 }
 
-int get_syscall(struct uml_pt_regs *regs)
-{
-	UPT_SYSCALL_NR(regs) = PT_SYSCALL_NR(regs->gp);
-
-	return UPT_SYSCALL_NR(regs);
-}
-
 extern char __syscall_stub_start[];
 
 static int userspace_tramp(void *stack)
diff --git a/arch/x86/um/ptrace_32.c b/arch/x86/um/ptrace_32.c
index a29756f2d940..47c78d5e5c32 100644
--- a/arch/x86/um/ptrace_32.c
+++ b/arch/x86/um/ptrace_32.c
@@ -68,6 +68,7 @@ static const int reg_offsets[] = {
 	[EFL] = HOST_EFLAGS,
 	[UESP] = HOST_SP,
 	[SS] = HOST_SS,
+	[ORIG_EAX] = HOST_ORIG_AX,
 };
 
 int putreg(struct task_struct *child, int regno, unsigned long value)
@@ -83,6 +84,7 @@ int putreg(struct task_struct *child, int regno, unsigned long value)
 	case EAX:
 	case EIP:
 	case UESP:
+	case ORIG_EAX:
 		break;
 	case FS:
 		if (value && (value & 3) != 3)
@@ -108,9 +110,6 @@ int putreg(struct task_struct *child, int regno, unsigned long value)
 		value &= FLAG_MASK;
 		child->thread.regs.regs.gp[HOST_EFLAGS] |= value;
 		return 0;
-	case ORIG_EAX:
-		child->thread.regs.regs.syscall = value;
-		return 0;
 	default :
 		panic("Bad register in putreg() : %d\n", regno);
 	}
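Review bot: with the "case ORIG_EAX:" branch removed from putreg(), child->thread.regs.regs.syscall is no longer written when a tracer updates the register; the syscall number is only re-derived by the "UPT_SYSCALL_NR(r) = PT_SYSCALL_NR(r->gp)" assignments in handle_syscall(). A one-line comment beside the new pass-through "case ORIG_EAX:" stating that would keep a later reader from reintroducing the direct write.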
@@ -143,8 +142,6 @@ unsigned long getreg(struct task_struct *child, int regno)
 
 	regno >>= 2;
 	switch (regno) {
-	case ORIG_EAX:
-		return child->thread.regs.regs.syscall;
 	case FS:
 	case GS:
 	case DS:
@@ -163,6 +160,7 @@ unsigned long getreg(struct task_struct *child, int regno)
 	case EDI:
 	case EBP:
 	case EFL:
+	case ORIG_EAX:
 		break;
 	default:
 		panic("Bad register in getreg() : %d\n", regno);
-- 
2.6.4



* [PATCH v3 2/4] selftests/seccomp: Remove the need for HAVE_ARCH_TRACEHOOK
  2015-12-29 20:35 [PATCH v3 0/4] um: Add seccomp support Mickaël Salaün
  2015-12-29 20:35 ` [PATCH v3 1/4] um: Fix ptrace GETREGS/SETREGS bugs Mickaël Salaün
@ 2015-12-29 20:35 ` Mickaël Salaün
  2015-12-29 20:35 ` [PATCH v3 3/4] um: Add full asm/syscall.h support Mickaël Salaün
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Mickaël Salaün @ 2015-12-29 20:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Mickaël Salaün, Jeff Dike, Richard Weinberger,
	Thomas Gleixner, Ingo Molnar, H . Peter Anvin, x86, Kees Cook,
	Andy Lutomirski, Will Drewry, Shuah Khan, Chris Metcalf,
	Michael Ellerman, Andrew Morton, James Hogan, Thomas Meyer,
	Nicolas Iooss, Anton Ivanov, user-mode-linux-devel,
	Meredydd Luff, David Drysdale

Some architectures do not implement PTRACE_GETREGSET nor
PTRACE_SETREGSET (required by HAVE_ARCH_TRACEHOOK) but only implement
PTRACE_GETREGS and PTRACE_SETREGS (e.g. User-mode Linux).

This improves seccomp selftest portability for architectures without
HAVE_ARCH_TRACEHOOK support by defining a new trigger HAVE_GETREGS. For
now, this is only enabled for i386 and x86_64 architectures. This is
required to be able to run these tests on User-mode Linux.

Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Cc: Shuah Khan <shuahkh@osg.samsung.com>
Cc: Meredydd Luff <meredydd@senatehouse.org>
Cc: David Drysdale <drysdale@google.com>
---
 tools/testing/selftests/seccomp/seccomp_bpf.c | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index 882fe83a3554..b9453b838162 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -1246,11 +1246,24 @@ TEST_F(TRACE_poke, getpid_runs_normally)
 # error "Do not know how to find your architecture's registers and syscalls"
 #endif
 
+/* Use PTRACE_GETREGS and PTRACE_SETREGS when available. This is useful for
+ * architectures without HAVE_ARCH_TRACEHOOK (e.g. User-mode Linux).
+ */
+#if defined(__x86_64__) || defined(__i386__)
+#define HAVE_GETREGS
+#endif
+
 /* Architecture-specific syscall fetching routine. */
 int get_syscall(struct __test_metadata *_metadata, pid_t tracee)
 {
-	struct iovec iov;
 	ARCH_REGS regs;
+#ifdef HAVE_GETREGS
+	EXPECT_EQ(0, ptrace(PTRACE_GETREGS, tracee, 0, &regs)) {
+		TH_LOG("PTRACE_GETREGS failed");
+		return -1;
+	}
+#else
+	struct iovec iov;
 
 	iov.iov_base = &regs;
 	iov.iov_len = sizeof(regs);
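Review bot: the "#define HAVE_GETREGS" block is keyed on __x86_64__ / __i386__, so it is set for every x86 build and not only for User-mode Linux; on native x86 get_syscall() and change_syscall() then stop exercising PTRACE_GETREGSET and PTRACE_SETREGSET entirely. If the regset path should stay covered where the kernel provides it, consider trying PTRACE_GETREGSET first and falling back to PTRACE_GETREGS when it fails, or say in the commit message that the loss of coverage is accepted.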
@@ -1258,6 +1271,7 @@ int get_syscall(struct __test_metadata *_metadata, pid_t tracee)
 		TH_LOG("PTRACE_GETREGSET failed");
 		return -1;
 	}
+#endif
 
 	return regs.SYSCALL_NUM;
 }
@@ -1266,13 +1280,16 @@ int get_syscall(struct __test_metadata *_metadata, pid_t tracee)
 void change_syscall(struct __test_metadata *_metadata,
 		    pid_t tracee, int syscall)
 {
-	struct iovec iov;
 	int ret;
 	ARCH_REGS regs;
-
+#ifdef HAVE_GETREGS
+	ret = ptrace(PTRACE_GETREGS, tracee, 0, &regs);
+#else
+	struct iovec iov;
 	iov.iov_base = &regs;
 	iov.iov_len = sizeof(regs);
 	ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov);
+#endif
 	EXPECT_EQ(0, ret);
 
 #if defined(__x86_64__) || defined(__i386__) || defined(__powerpc__) || \
@@ -1312,9 +1329,13 @@ void change_syscall(struct __test_metadata *_metadata,
 	if (syscall == -1)
 		regs.SYSCALL_RET = 1;
 
+#ifdef HAVE_GETREGS
+	ret = ptrace(PTRACE_SETREGS, tracee, 0, &regs);
+#else
 	iov.iov_base = &regs;
 	iov.iov_len = sizeof(regs);
 	ret = ptrace(PTRACE_SETREGSET, tracee, NT_PRSTATUS, &iov);
+#endif
 	EXPECT_EQ(0, ret);
 }
 
-- 
2.6.4



* [PATCH v3 3/4] um: Add full asm/syscall.h support
  2015-12-29 20:35 [PATCH v3 0/4] um: Add seccomp support Mickaël Salaün
  2015-12-29 20:35 ` [PATCH v3 1/4] um: Fix ptrace GETREGS/SETREGS bugs Mickaël Salaün
  2015-12-29 20:35 ` [PATCH v3 2/4] selftests/seccomp: Remove the need for HAVE_ARCH_TRACEHOOK Mickaël Salaün
@ 2015-12-29 20:35 ` Mickaël Salaün
  2015-12-29 20:35 ` [PATCH v3 4/4] um: Add seccomp support Mickaël Salaün
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Mickaël Salaün @ 2015-12-29 20:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Mickaël Salaün, Jeff Dike, Richard Weinberger,
	Thomas Gleixner, Ingo Molnar, H . Peter Anvin, x86, Kees Cook,
	Andy Lutomirski, Will Drewry, Shuah Khan, Chris Metcalf,
	Michael Ellerman, Andrew Morton, James Hogan, Thomas Meyer,
	Nicolas Iooss, Anton Ivanov, user-mode-linux-devel,
	Meredydd Luff, David Drysdale

Add subarchitecture-independent implementation of asm-generic/syscall.h
allowing access to user system call parameters and results:
* syscall_get_nr()
* syscall_rollback()
* syscall_get_error()
* syscall_get_return_value()
* syscall_set_return_value()
* syscall_get_arguments()
* syscall_set_arguments()
* syscall_get_arch() provided by arch/x86/um/asm/syscall.h

This provides the necessary syscall helpers needed by
HAVE_ARCH_SECCOMP_FILTER plus syscall_get_error().

This is inspired by Meredydd Luff's patch
(https://gerrit.chromium.org/gerrit/21425).

Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Cc: Meredydd Luff <meredydd@senatehouse.org>
Cc: David Drysdale <drysdale@google.com>
---
 arch/um/include/asm/syscall-generic.h | 138 ++++++++++++++++++++++++++++++++++
 arch/x86/um/asm/syscall.h             |   1 +
 2 files changed, 139 insertions(+)
 create mode 100644 arch/um/include/asm/syscall-generic.h

diff --git a/arch/um/include/asm/syscall-generic.h b/arch/um/include/asm/syscall-generic.h
new file mode 100644
index 000000000000..9fb9cf8cd39a
--- /dev/null
+++ b/arch/um/include/asm/syscall-generic.h
@@ -0,0 +1,138 @@
+/*
+ * Access to user system call parameters and results
+ *
+ * See asm-generic/syscall.h for function descriptions.
+ *
+ * Copyright (C) 2015 Mickaël Salaün <mic@digikod.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#ifndef __UM_SYSCALL_GENERIC_H
+#define __UM_SYSCALL_GENERIC_H
+
+#include <asm/ptrace.h>
+#include <linux/err.h>
+#include <linux/sched.h>
+#include <sysdep/ptrace.h>
+
+static inline int syscall_get_nr(struct task_struct *task, struct pt_regs *regs)
+{
+
+	return PT_REGS_SYSCALL_NR(regs);
+}
+
+static inline void syscall_rollback(struct task_struct *task,
+				    struct pt_regs *regs)
+{
+	/* do nothing */
+}
+
+static inline long syscall_get_error(struct task_struct *task,
+				     struct pt_regs *regs)
+{
+	const long error = regs_return_value(regs);
+
+	return IS_ERR_VALUE(error) ? error : 0;
+}
+
+static inline long syscall_get_return_value(struct task_struct *task,
+					    struct pt_regs *regs)
+{
+	return regs_return_value(regs);
+}
+
+static inline void syscall_set_return_value(struct task_struct *task,
+					    struct pt_regs *regs,
+					    int error, long val)
+{
+	PT_REGS_SET_SYSCALL_RETURN(regs, (long) error ?: val);
+}
+
+static inline void syscall_get_arguments(struct task_struct *task,
+					 struct pt_regs *regs,
+					 unsigned int i, unsigned int n,
+					 unsigned long *args)
+{
+	const struct uml_pt_regs *r = &regs->regs;
+
+	switch (i) {
+	case 0:
+		if (!n--)
+			break;
+		*args++ = UPT_SYSCALL_ARG1(r);
+	case 1:
+		if (!n--)
+			break;
+		*args++ = UPT_SYSCALL_ARG2(r);
+	case 2:
+		if (!n--)
+			break;
+		*args++ = UPT_SYSCALL_ARG3(r);
+	case 3:
+		if (!n--)
+			break;
+		*args++ = UPT_SYSCALL_ARG4(r);
+	case 4:
+		if (!n--)
+			break;
+		*args++ = UPT_SYSCALL_ARG5(r);
+	case 5:
+		if (!n--)
+			break;
+		*args++ = UPT_SYSCALL_ARG6(r);
+	case 6:
+		if (!n--)
+			break;
+	default:
+		BUG();
+		break;
+	}
+}
+
+static inline void syscall_set_arguments(struct task_struct *task,
+					 struct pt_regs *regs,
+					 unsigned int i, unsigned int n,
+					 const unsigned long *args)
+{
+	struct uml_pt_regs *r = &regs->regs;
+
+	switch (i) {
+	case 0:
+		if (!n--)
+			break;
+		UPT_SYSCALL_ARG1(r) = *args++;
+	case 1:
+		if (!n--)
+			break;
+		UPT_SYSCALL_ARG2(r) = *args++;
+	case 2:
+		if (!n--)
+			break;
+		UPT_SYSCALL_ARG3(r) = *args++;
+	case 3:
+		if (!n--)
+			break;
+		UPT_SYSCALL_ARG4(r) = *args++;
+	case 4:
+		if (!n--)
+			break;
+		UPT_SYSCALL_ARG5(r) = *args++;
+	case 5:
+		if (!n--)
+			break;
+		UPT_SYSCALL_ARG6(r) = *args++;
+	case 6:
+		if (!n--)
+			break;
+	default:
+		BUG();
+		break;
+	}
+}
+
+/* See arch/x86/um/asm/syscall.h for syscall_get_arch() definition. */
+
+#endif	/* __UM_SYSCALL_GENERIC_H */
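Review bot: syscall_rollback() has an empty body whose only comment is "do nothing"; the comment should say why no register state needs restoring on UML, since the file header defers to asm-generic/syscall.h for what each helper is expected to do. In syscall_get_arguments() and syscall_set_arguments() every case falls through on purpose, so a "fall through" marker on each would make that explicit, and the "case 6:" / "default: BUG();" tail deserves a line saying that only i == 6 with n == 0 is tolerated. The blank line after the opening brace of syscall_get_nr() can go.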
diff --git a/arch/x86/um/asm/syscall.h b/arch/x86/um/asm/syscall.h
index 81d6562ce01d..11ab90dc5f14 100644
--- a/arch/x86/um/asm/syscall.h
+++ b/arch/x86/um/asm/syscall.h
@@ -1,6 +1,7 @@
 #ifndef __UM_ASM_SYSCALL_H
 #define __UM_ASM_SYSCALL_H
 
+#include <asm/syscall-generic.h>
 #include <uapi/linux/audit.h>
 
 typedef asmlinkage long (*sys_call_ptr_t)(unsigned long, unsigned long,
-- 
2.6.4



* [PATCH v3 4/4] um: Add seccomp support
  2015-12-29 20:35 [PATCH v3 0/4] um: Add seccomp support Mickaël Salaün
                   ` (2 preceding siblings ...)
  2015-12-29 20:35 ` [PATCH v3 3/4] um: Add full asm/syscall.h support Mickaël Salaün
@ 2015-12-29 20:35 ` Mickaël Salaün
  2016-01-04 20:13 ` [PATCH v3 0/4] " Kees Cook
  2016-01-10 20:18 ` Richard Weinberger
  5 siblings, 0 replies; 9+ messages in thread
From: Mickaël Salaün @ 2015-12-29 20:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Mickaël Salaün, Jeff Dike, Richard Weinberger,
	Thomas Gleixner, Ingo Molnar, H . Peter Anvin, x86, Kees Cook,
	Andy Lutomirski, Will Drewry, Shuah Khan, Chris Metcalf,
	Michael Ellerman, Andrew Morton, James Hogan, Thomas Meyer,
	Nicolas Iooss, Anton Ivanov, user-mode-linux-devel,
	Meredydd Luff, David Drysdale

This brings SECCOMP_MODE_STRICT and SECCOMP_MODE_FILTER support through
prctl(2) and seccomp(2) to User-mode Linux for i386 and x86_64
subarchitectures.

secure_computing() is called first in handle_syscall() so that the
syscall emulation will be aborted quickly if matching a seccomp rule.

This is inspired by Meredydd Luff's patch
(https://gerrit.chromium.org/gerrit/21425).

Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Meredydd Luff <meredydd@senatehouse.org>
Cc: David Drysdale <drysdale@google.com>
---
 .../features/seccomp/seccomp-filter/arch-support.txt     |  2 +-
 arch/um/Kconfig.common                                   |  1 +
 arch/um/Kconfig.um                                       | 16 ++++++++++++++++
 arch/um/include/asm/thread_info.h                        |  2 ++
 arch/um/kernel/skas/syscall.c                            |  5 +++++
 5 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/Documentation/features/seccomp/seccomp-filter/arch-support.txt b/Documentation/features/seccomp/seccomp-filter/arch-support.txt
index 76d39d66a5d7..4f66ec133951 100644
--- a/Documentation/features/seccomp/seccomp-filter/arch-support.txt
+++ b/Documentation/features/seccomp/seccomp-filter/arch-support.txt
@@ -33,7 +33,7 @@
     |          sh: | TODO |
     |       sparc: | TODO |
     |        tile: |  ok  |
-    |          um: | TODO |
+    |          um: |  ok  |
     |   unicore32: | TODO |
     |         x86: |  ok  |
     |      xtensa: | TODO |
diff --git a/arch/um/Kconfig.common b/arch/um/Kconfig.common
index d195a87ca542..cc0013475444 100644
--- a/arch/um/Kconfig.common
+++ b/arch/um/Kconfig.common
@@ -2,6 +2,7 @@ config UML
 	bool
 	default y
 	select HAVE_ARCH_AUDITSYSCALL
+	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_UID16
 	select HAVE_FUTEX_CMPXCHG if FUTEX
 	select GENERIC_IRQ_SHOW
diff --git a/arch/um/Kconfig.um b/arch/um/Kconfig.um
index 28a9885e3a37..4b2ed5858b2e 100644
--- a/arch/um/Kconfig.um
+++ b/arch/um/Kconfig.um
@@ -104,3 +104,19 @@ config PGTABLE_LEVELS
 	int
 	default 3 if 3_LEVEL_PGTABLES
 	default 2
+
+config SECCOMP
+	def_bool y
+	prompt "Enable seccomp to safely compute untrusted bytecode"
+	---help---
+	  This kernel feature is useful for number crunching applications
+	  that may need to compute untrusted bytecode during their
+	  execution. By using pipes or other transports made available to
+	  the process as file descriptors supporting the read/write
+	  syscalls, it's possible to isolate those applications in
+	  their own address space using seccomp. Once seccomp is
+	  enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
+	  and the task is only allowed to execute a few safe syscalls
+	  defined by each seccomp mode.
+
+	  If unsure, say Y.
diff --git a/arch/um/include/asm/thread_info.h b/arch/um/include/asm/thread_info.h
index 53968aaf76f9..053baff03674 100644
--- a/arch/um/include/asm/thread_info.h
+++ b/arch/um/include/asm/thread_info.h
@@ -62,11 +62,13 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_SYSCALL_AUDIT	6
 #define TIF_RESTORE_SIGMASK	7
 #define TIF_NOTIFY_RESUME	8
+#define TIF_SECCOMP		9	/* secure computing */
 
 #define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
 #define _TIF_SIGPENDING		(1 << TIF_SIGPENDING)
 #define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)
 #define _TIF_MEMDIE		(1 << TIF_MEMDIE)
 #define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)
+#define _TIF_SECCOMP		(1 << TIF_SECCOMP)
 
 #endif
diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c
index 6cadce761bcf..48b0dcbd87be 100644
--- a/arch/um/kernel/skas/syscall.c
+++ b/arch/um/kernel/skas/syscall.c
@@ -5,6 +5,7 @@
 
 #include <linux/kernel.h>
 #include <linux/ptrace.h>
+#include <linux/seccomp.h>
 #include <kern_util.h>
 #include <sysdep/ptrace.h>
 #include <sysdep/ptrace_user.h>
@@ -19,6 +20,10 @@ void handle_syscall(struct uml_pt_regs *r)
 	UPT_SYSCALL_NR(r) = PT_SYSCALL_NR(r->gp);
 	PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS);
 
+	/* Do the secure computing check first; failures should be fast. */
+	if (secure_computing() == -1)
+		return;
+
 	if (syscall_trace_enter(regs))
 		goto out;
 
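Review bot: the new "if (secure_computing() == -1) return;" leaves handle_syscall() directly, while the syscall_trace_enter() failure just below uses "goto out", so a syscall rejected by seccomp skips the syscall_trace_leave() call that patch 1/4 keeps at "out:". If skipping the exit-side hook is intended, say so in the comment; otherwise use "goto out". The check also runs before syscall_trace_enter(), so the filter evaluates the syscall number as it was before any tracer update of orig_ax (the case patch 1/4 re-reads the number for); that ordering is worth stating in the commit message.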
-- 
2.6.4



* Re: [PATCH v3 0/4] um: Add seccomp support
  2015-12-29 20:35 [PATCH v3 0/4] um: Add seccomp support Mickaël Salaün
                   ` (3 preceding siblings ...)
  2015-12-29 20:35 ` [PATCH v3 4/4] um: Add seccomp support Mickaël Salaün
@ 2016-01-04 20:13 ` Kees Cook
  2016-01-06 14:15   ` David Drysdale
  2016-01-10 20:18 ` Richard Weinberger
  5 siblings, 1 reply; 9+ messages in thread
From: Kees Cook @ 2016-01-04 20:13 UTC (permalink / raw)
  To: Mickaël Salaün
  Cc: LKML, Jeff Dike, Richard Weinberger, Thomas Gleixner,
	Ingo Molnar, H . Peter Anvin, x86, Andy Lutomirski, Will Drewry,
	Shuah Khan, Chris Metcalf, Michael Ellerman, Andrew Morton,
	James Hogan, Thomas Meyer, Nicolas Iooss, Anton Ivanov,
	user-mode-linux-devel, Meredydd Luff, David Drysdale

On Tue, Dec 29, 2015 at 12:35 PM, Mickaël Salaün <mic@digikod.net> wrote:
> This series adds seccomp support to User-mode Linux (i386 and x86_64
> subarchitectures) and fixes ptrace issues. This applies on v4.4-rc7 and passes all
> the 48 tests from selftest/seccomp plus the UML ptsc test.
>
> Changes since v2:
> * remove get_syscall() from os.h and don't include it in syscall.c [1/4]
> * rebase to v4.4-rc7
>
> Changes since v1; addressed Richard Weinberger's comments:
> * fix a new PTRACE_SETREGS bug on x86_64 [1/4]
> * fix an old PTRACE_SETREGS bug when updating orig_ax on i386 [1/4]

Thanks for working on this!

Acked-by: Kees Cook <keescook@chromium.org>

Feel free to pull this through the uml tree.

Thanks!

-Kees

>
> Regards,
>  Mickaël
>
> Mickaël Salaün (4):
>   um: Fix ptrace GETREGS/SETREGS bugs
>   selftests/seccomp: Remove the need for HAVE_ARCH_TRACEHOOK
>   um: Add full asm/syscall.h support
>   um: Add seccomp support
>
>  .../seccomp/seccomp-filter/arch-support.txt        |   2 +-
>  arch/um/Kconfig.common                             |   1 +
>  arch/um/Kconfig.um                                 |  16 +++
>  arch/um/include/asm/syscall-generic.h              | 138 +++++++++++++++++++++
>  arch/um/include/asm/thread_info.h                  |   2 +
>  arch/um/include/shared/os.h                        |   1 -
>  arch/um/kernel/skas/syscall.c                      |  31 +++--
>  arch/um/os-Linux/skas/process.c                    |   7 --
>  arch/x86/um/asm/syscall.h                          |   1 +
>  arch/x86/um/ptrace_32.c                            |   8 +-
>  tools/testing/selftests/seccomp/seccomp_bpf.c      |  27 +++-
>  11 files changed, 205 insertions(+), 29 deletions(-)
>  create mode 100644 arch/um/include/asm/syscall-generic.h
>
> --
> 2.6.4
>



-- 
Kees Cook
Chrome OS & Brillo Security


* Re: [PATCH v3 0/4] um: Add seccomp support
  2016-01-04 20:13 ` [PATCH v3 0/4] " Kees Cook
@ 2016-01-06 14:15   ` David Drysdale
  2016-01-06 14:18     ` Richard Weinberger
  0 siblings, 1 reply; 9+ messages in thread
From: David Drysdale @ 2016-01-06 14:15 UTC (permalink / raw)
  To: Kees Cook
  Cc: Mickaël Salaün, LKML, Jeff Dike, Richard Weinberger,
	Thomas Gleixner, Ingo Molnar, H . Peter Anvin, x86,
	Andy Lutomirski, Will Drewry, Shuah Khan, Chris Metcalf,
	Michael Ellerman, Andrew Morton, James Hogan, Thomas Meyer,
	Nicolas Iooss, Anton Ivanov, user-mode-linux-devel,
	Meredydd Luff

On Mon, Jan 4, 2016 at 8:13 PM, Kees Cook <keescook@chromium.org> wrote:
> On Tue, Dec 29, 2015 at 12:35 PM, Mickaël Salaün <mic@digikod.net> wrote:
>> This series adds seccomp support to User-mode Linux (i386 and x86_64
>> subarchitectures) and fixes ptrace issues. This applies on v4.4-rc7 and passes all
>> the 48 tests from selftest/seccomp plus the UML ptsc test.
>>
>> Changes since v2:
>> * remove get_syscall() from os.h and don't include it in syscall.c [1/4]
>> * rebase to v4.4-rc7
>>
>> Changes since v1; addressed Richard Weinberger's comments:
>> * fix a new PTRACE_SETREGS bug on x86_64 [1/4]
>> * fix an old PTRACE_SETREGS bug when updating orig_ax on i386 [1/4]
>
> Thanks for working on this!
>
> Acked-by: Kees Cook <keescook@chromium.org>
>
> Feel free to pull this through the uml tree.
>
> Thanks!
>
> -Kees

I also had a version of Meredydd Luff's original patch in my local tree so I
could do UML testing of Capsicum (which uses seccomp for some of its
userspace implementation).  I've replaced my patch with this version, as
it's much more complete, and all my tests still work.  Which I guess is
kind of:

Tested-by: David Drysdale <drysdale@google.com>

Many thanks,
David

>>
>> Regards,
>>  Mickaël
>>
>> Mickaël Salaün (4):
>>   um: Fix ptrace GETREGS/SETREGS bugs
>>   selftests/seccomp: Remove the need for HAVE_ARCH_TRACEHOOK
>>   um: Add full asm/syscall.h support
>>   um: Add seccomp support
>>
>>  .../seccomp/seccomp-filter/arch-support.txt        |   2 +-
>>  arch/um/Kconfig.common                             |   1 +
>>  arch/um/Kconfig.um                                 |  16 +++
>>  arch/um/include/asm/syscall-generic.h              | 138 +++++++++++++++++++++
>>  arch/um/include/asm/thread_info.h                  |   2 +
>>  arch/um/include/shared/os.h                        |   1 -
>>  arch/um/kernel/skas/syscall.c                      |  31 +++--
>>  arch/um/os-Linux/skas/process.c                    |   7 --
>>  arch/x86/um/asm/syscall.h                          |   1 +
>>  arch/x86/um/ptrace_32.c                            |   8 +-
>>  tools/testing/selftests/seccomp/seccomp_bpf.c      |  27 +++-
>>  11 files changed, 205 insertions(+), 29 deletions(-)
>>  create mode 100644 arch/um/include/asm/syscall-generic.h
>>
>> --
>> 2.6.4
>>
>
>
>
> --
> Kees Cook
> Chrome OS & Brillo Security


* Re: [PATCH v3 0/4] um: Add seccomp support
  2016-01-06 14:15   ` David Drysdale
@ 2016-01-06 14:18     ` Richard Weinberger
  0 siblings, 0 replies; 9+ messages in thread
From: Richard Weinberger @ 2016-01-06 14:18 UTC (permalink / raw)
  To: David Drysdale, Kees Cook
  Cc: Mickaël Salaün, LKML, Jeff Dike, Thomas Gleixner,
	Ingo Molnar, H . Peter Anvin, x86, Andy Lutomirski, Will Drewry,
	Shuah Khan, Chris Metcalf, Michael Ellerman, Andrew Morton,
	James Hogan, Thomas Meyer, Nicolas Iooss, Anton Ivanov,
	user-mode-linux-devel, Meredydd Luff

On 06.01.2016 at 15:15, David Drysdale wrote:
> On Mon, Jan 4, 2016 at 8:13 PM, Kees Cook <keescook@chromium.org> wrote:
>> On Tue, Dec 29, 2015 at 12:35 PM, Mickaël Salaün <mic@digikod.net> wrote:
>>> This series adds seccomp support to User-mode Linux (i386 and x86_64
>>> subarchitectures) and fixes ptrace issues. This applies on v4.4-rc7 and passes all
>>> the 48 tests from selftest/seccomp plus the UML ptsc test.
>>>
>>> Changes since v2:
>>> * remove get_syscall() from os.h and don't include it in syscall.c [1/4]
>>> * rebase to v4.4-rc7
>>>
>>> Changes since v1; addressed Richard Weinberger's comments:
>>> * fix a new PTRACE_SETREGS bug on x86_64 [1/4]
>>> * fix an old PTRACE_SETREGS bug when updating orig_ax on i386 [1/4]
>>
>> Thanks for working on this!
>>
>> Acked-by: Kees Cook <keescook@chromium.org>
>>
>> Feel free to pull this through the uml tree.
>>
>> Thanks!
>>
>> -Kees
> 
> I also had a version of Meredydd Luff's original patch in my local tree so I
> could do UML testing of Capsicum (which uses seccomp for some of its
> userspace implementation).  I've replaced my patch with this version, as
> it's much more complete, and all my tests still work.  Which I guess is
> kind of:
> 
> Tested-by: David Drysdale <drysdale@google.com>

Thank you guys!
I'm queuing this for 4.5.

Thanks,
//richard


* Re: [PATCH v3 0/4] um: Add seccomp support
  2015-12-29 20:35 [PATCH v3 0/4] um: Add seccomp support Mickaël Salaün
                   ` (4 preceding siblings ...)
  2016-01-04 20:13 ` [PATCH v3 0/4] " Kees Cook
@ 2016-01-10 20:18 ` Richard Weinberger
  5 siblings, 0 replies; 9+ messages in thread
From: Richard Weinberger @ 2016-01-10 20:18 UTC (permalink / raw)
  To: Mickaël Salaün, linux-kernel
  Cc: Jeff Dike, Thomas Gleixner, Ingo Molnar, H . Peter Anvin, x86,
	Kees Cook, Andy Lutomirski, Will Drewry, Shuah Khan,
	Chris Metcalf, Michael Ellerman, Andrew Morton, James Hogan,
	Thomas Meyer, Nicolas Iooss, Anton Ivanov, user-mode-linux-devel,
	Meredydd Luff, David Drysdale

On 29.12.2015 at 21:35, Mickaël Salaün wrote:
> This series adds seccomp support to User-mode Linux (i386 and x86_64
> subarchitectures) and fixes ptrace issues. This applies on v4.4-rc7 and passes all
> the 48 tests from selftest/seccomp plus the UML ptsc test.
> 
> Changes since v2:
> * remove get_syscall() from os.h and don't include it in syscall.c [1/4]
> * rebase to v4.4-rc7
> 
> Changes since v1; addressed Richard Weinberger's comments:
> * fix a new PTRACE_SETREGS bug on x86_64 [1/4]
> * fix an old PTRACE_SETREGS bug when updating orig_ax on i386 [1/4]
> 
> Regards,
>  Mickaël
> 
> Mickaël Salaün (4):
>   um: Fix ptrace GETREGS/SETREGS bugs
>   selftests/seccomp: Remove the need for HAVE_ARCH_TRACEHOOK
>   um: Add full asm/syscall.h support
>   um: Add seccomp support

Applied!

Thanks,
//richard
