linux-kernel.vger.kernel.org archive mirror
* [PATCH v1 0/3] Fix seccomp for UM (next)
@ 2016-07-11 21:56 Mickaël Salaün
  2016-07-11 21:57 ` [PATCH v1 1/3] um/ptrace: Fix the syscall_trace_leave call Mickaël Salaün
                   ` (3 more replies)
  0 siblings, 4 replies; 13+ messages in thread
From: Mickaël Salaün @ 2016-07-11 21:56 UTC (permalink / raw)
  To: linux-kernel
  Cc: Mickaël Salaün, Kees Cook, Jeff Dike,
	Richard Weinberger, James Morris, Olof Johansson,
	user-mode-linux-devel, linux-security-module

Hi,

This series fixes the recent seccomp update for the User-mode Linux architecture
(32-bit and 64-bit) since commit 26703c636c1f3272b39bd0f6d04d2e970984f1b6
(close the hole where ptrace can change a syscall out from under seccomp).

Regards,

Mickaël Salaün (3):
  um/ptrace: Fix the syscall_trace_leave call
  um/ptrace: Fix the syscall number update after a ptrace
  seccomp: Remove 2-phase API documentation

 arch/Kconfig                  | 11 -----------
 arch/um/kernel/skas/syscall.c | 10 +++-------
 arch/x86/um/ptrace_32.c       |  3 +++
 arch/x86/um/ptrace_64.c       |  4 ++++
 4 files changed, 10 insertions(+), 18 deletions(-)

-- 
2.8.1


* [PATCH v1 1/3] um/ptrace: Fix the syscall_trace_leave call
  2016-07-11 21:56 [PATCH v1 0/3] Fix seccomp for UM (next) Mickaël Salaün
@ 2016-07-11 21:57 ` Mickaël Salaün
  2016-07-11 21:57 ` [PATCH v1 2/3] um/ptrace: Fix the syscall number update after a ptrace Mickaël Salaün
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 13+ messages in thread
From: Mickaël Salaün @ 2016-07-11 21:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Mickaël Salaün, Kees Cook, Jeff Dike,
	Richard Weinberger, James Morris, Olof Johansson,
	user-mode-linux-devel, linux-security-module

Keep the same semantics as before the commit 26703c636c1f: deallocate
audit context and fake a proper syscall exit.

This fixes a kernel panic triggered by the seccomp_bpf test:
> [ RUN      ] global.ERRNO_valid
> BUG: failure at kernel/auditsc.c:1504/__audit_syscall_entry()!
> Kernel panic - not syncing: BUG!

Fixes: 26703c636c1f ("um/ptrace: run seccomp after ptrace")

Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Kees Cook <keescook@chromium.org>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: James Morris <jmorris@namei.org>
Cc: user-mode-linux-devel@lists.sourceforge.net
---
 arch/um/kernel/skas/syscall.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c
index ef4b8f949b51..0728fee94398 100644
--- a/arch/um/kernel/skas/syscall.c
+++ b/arch/um/kernel/skas/syscall.c
@@ -21,11 +21,11 @@ void handle_syscall(struct uml_pt_regs *r)
 	PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS);
 
 	if (syscall_trace_enter(regs))
-		return;
+		goto out;
 
 	/* Do the seccomp check after ptrace; failures should be fast. */
 	if (secure_computing(NULL) == -1)
-		return;
+		goto out;
 
 	/* Update the syscall number after orig_ax has potentially been updated
 	 * with ptrace.
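
Review bot: the comment "failures should be fast" above the secure_computing(NULL) check no longer matches the code, because with `goto out` a seccomp failure now runs syscall_trace_leave(regs) before returning. Reword that comment, or add a short one at the jump, saying that the exit work is done on purpose so that the audit context is deallocated, which is the reason the commit message gives.
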
@@ -37,5 +37,6 @@ void handle_syscall(struct uml_pt_regs *r)
 		PT_REGS_SET_SYSCALL_RETURN(regs,
 				EXECUTE_SYSCALL(syscall, regs));
 
+out:
 	syscall_trace_leave(regs);
 }
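
Review bot: the new `out:` label has no comment explaining why syscall_trace_leave(regs) must run for a syscall that was never executed. The reason is only in the commit message (the BUG in __audit_syscall_entry() quoted there); a one-line comment above the label would keep it next to the code.
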
-- 
2.8.1


* [PATCH v1 2/3] um/ptrace: Fix the syscall number update after a ptrace
  2016-07-11 21:56 [PATCH v1 0/3] Fix seccomp for UM (next) Mickaël Salaün
  2016-07-11 21:57 ` [PATCH v1 1/3] um/ptrace: Fix the syscall_trace_leave call Mickaël Salaün
@ 2016-07-11 21:57 ` Mickaël Salaün
  2016-07-11 21:57 ` [PATCH v1 3/3] seccomp: Remove 2-phase API documentation Mickaël Salaün
  2016-07-12  1:59 ` [PATCH v1 0/3] Fix seccomp for UM (next) Kees Cook
  3 siblings, 0 replies; 13+ messages in thread
From: Mickaël Salaün @ 2016-07-11 21:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Mickaël Salaün, Kees Cook, Jeff Dike,
	Richard Weinberger, James Morris, Olof Johansson,
	user-mode-linux-devel, linux-security-module

Update the syscall number after each PTRACE_SETREGS on ORIG_*AX.

This is needed to get the potentially altered syscall number in the
seccomp filters after RET_TRACE.

This fixes four seccomp_bpf tests:
> [ RUN      ] TRACE_syscall.skip_after_RET_TRACE
> seccomp_bpf.c:1560:TRACE_syscall.skip_after_RET_TRACE:Expected -1 (18446744073709551615) == syscall(39) (26)
> seccomp_bpf.c:1561:TRACE_syscall.skip_after_RET_TRACE:Expected 1 (1) == (*__errno_location ()) (22)
> [     FAIL ] TRACE_syscall.skip_after_RET_TRACE
> [ RUN      ] TRACE_syscall.kill_after_RET_TRACE
> TRACE_syscall.kill_after_RET_TRACE: Test exited normally instead of by signal (code: 1)
> [     FAIL ] TRACE_syscall.kill_after_RET_TRACE
> [ RUN      ] TRACE_syscall.skip_after_ptrace
> seccomp_bpf.c:1622:TRACE_syscall.skip_after_ptrace:Expected -1 (18446744073709551615) == syscall(39) (26)
> seccomp_bpf.c:1623:TRACE_syscall.skip_after_ptrace:Expected 1 (1) == (*__errno_location ()) (22)
> [     FAIL ] TRACE_syscall.skip_after_ptrace
> [ RUN      ] TRACE_syscall.kill_after_ptrace
> TRACE_syscall.kill_after_ptrace: Test exited normally instead of by signal (code: 1)
> [     FAIL ] TRACE_syscall.kill_after_ptrace

Fixes: 26703c636c1f ("um/ptrace: run seccomp after ptrace")

Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Kees Cook <keescook@chromium.org>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: James Morris <jmorris@namei.org>
Cc: user-mode-linux-devel@lists.sourceforge.net
---
 arch/um/kernel/skas/syscall.c | 5 -----
 arch/x86/um/ptrace_32.c       | 3 +++
 arch/x86/um/ptrace_64.c       | 4 ++++
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c
index 0728fee94398..b783ac87d98a 100644
--- a/arch/um/kernel/skas/syscall.c
+++ b/arch/um/kernel/skas/syscall.c
@@ -27,12 +27,7 @@ void handle_syscall(struct uml_pt_regs *r)
 	if (secure_computing(NULL) == -1)
 		goto out;
 
-	/* Update the syscall number after orig_ax has potentially been updated
-	 * with ptrace.
-	 */
-	UPT_SYSCALL_NR(r) = PT_SYSCALL_NR(r->gp);
 	syscall = UPT_SYSCALL_NR(r);
-
 	if (syscall >= 0 && syscall <= __NR_syscall_max)
 		PT_REGS_SET_SYSCALL_RETURN(regs,
 				EXECUTE_SYSCALL(syscall, regs));
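
Review bot: with `UPT_SYSCALL_NR(r) = PT_SYSCALL_NR(r->gp);` removed, the read `syscall = UPT_SYSCALL_NR(r);` is only correct if every write to the ORIG_*AX slot also updates UPT_SYSCALL_NR, and this patch does that in putreg() only. State that invariant in a comment at the read, and check that no other path writes r->gp directly between syscall entry and this line.
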
diff --git a/arch/x86/um/ptrace_32.c b/arch/x86/um/ptrace_32.c
index ebd4dd6ef73b..a7ef7b131e25 100644
--- a/arch/x86/um/ptrace_32.c
+++ b/arch/x86/um/ptrace_32.c
@@ -84,7 +84,10 @@ int putreg(struct task_struct *child, int regno, unsigned long value)
 	case EAX:
 	case EIP:
 	case UESP:
+		break;
 	case ORIG_EAX:
+		/* Update the syscall number. */
+		UPT_SYSCALL_NR(&child->thread.regs.regs) = value;
 		break;
 	case FS:
 		if (value && (value & 3) != 3)
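
Review bot: in the new ORIG_EAX case, `value` is an unsigned long and is stored into UPT_SYSCALL_NR without a cast, while handle_syscall() later tests `syscall >= 0 && syscall <= __NR_syscall_max`. The result depends on the implicit conversion to the signed value read there; an explicit cast, or a comment that the range check is left to handle_syscall(), would make the intent visible.
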
diff --git a/arch/x86/um/ptrace_64.c b/arch/x86/um/ptrace_64.c
index faab418876ce..0b5c184dd5b3 100644
--- a/arch/x86/um/ptrace_64.c
+++ b/arch/x86/um/ptrace_64.c
@@ -78,7 +78,11 @@ int putreg(struct task_struct *child, int regno, unsigned long value)
 	case RSI:
 	case RDI:
 	case RBP:
+		break;
+
 	case ORIG_RAX:
+		/* Update the syscall number. */
+		UPT_SYSCALL_NR(&child->thread.regs.regs) = value;
 		break;
 
 	case FS:
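
Review bot: the commit message says the number is updated after each PTRACE_SETREGS, but the ORIG_RAX case sits in putreg(), so it takes effect for every caller of putreg(), whatever the ptrace request. Either widen the wording in the changelog or say in the comment here that all register writes going through putreg() are covered.
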
-- 
2.8.1


* [PATCH v1 3/3] seccomp: Remove 2-phase API documentation
  2016-07-11 21:56 [PATCH v1 0/3] Fix seccomp for UM (next) Mickaël Salaün
  2016-07-11 21:57 ` [PATCH v1 1/3] um/ptrace: Fix the syscall_trace_leave call Mickaël Salaün
  2016-07-11 21:57 ` [PATCH v1 2/3] um/ptrace: Fix the syscall number update after a ptrace Mickaël Salaün
@ 2016-07-11 21:57 ` Mickaël Salaün
  2016-07-12  1:59 ` [PATCH v1 0/3] Fix seccomp for UM (next) Kees Cook
  3 siblings, 0 replies; 13+ messages in thread
From: Mickaël Salaün @ 2016-07-11 21:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Mickaël Salaün, Kees Cook, Jeff Dike,
	Richard Weinberger, James Morris, Olof Johansson,
	user-mode-linux-devel, linux-security-module, Andy Lutomirski

Fixes: 8112c4f140fa ("seccomp: remove 2-phase API")

Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: James Morris <jmorris@namei.org>
---
 arch/Kconfig | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/arch/Kconfig b/arch/Kconfig
index d794384a0404..96e434638767 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -336,17 +336,6 @@ config HAVE_ARCH_SECCOMP_FILTER
 	    results in the system call being skipped immediately.
 	  - seccomp syscall wired up
 
-	  For best performance, an arch should use seccomp_phase1 and
-	  seccomp_phase2 directly.  It should call seccomp_phase1 for all
-	  syscalls if TIF_SECCOMP is set, but seccomp_phase1 does not
-	  need to be called from a ptrace-safe context.  It must then
-	  call seccomp_phase2 if seccomp_phase1 returns anything other
-	  than SECCOMP_PHASE1_OK or SECCOMP_PHASE1_SKIP.
-
-	  As an additional optimization, an arch may provide seccomp_data
-	  directly to seccomp_phase1; this avoids multiple calls
-	  to the syscall_xyz helpers for every syscall.
-
 config SECCOMP_FILTER
 	def_bool y
 	depends on HAVE_ARCH_SECCOMP_FILTER && SECCOMP && NET
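
Review bot: the changelog has no body, only a Fixes: tag, so nothing says why these two help paragraphs under HAVE_ARCH_SECCOMP_FILTER can go. Add one sentence stating that seccomp_phase1 and seccomp_phase2 were removed by 8112c4f140fa ("seccomp: remove 2-phase API") and that the deleted text described an API that no longer exists.
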
-- 
2.8.1


* Re: [PATCH v1 0/3] Fix seccomp for UM (next)
  2016-07-11 21:56 [PATCH v1 0/3] Fix seccomp for UM (next) Mickaël Salaün
                   ` (2 preceding siblings ...)
  2016-07-11 21:57 ` [PATCH v1 3/3] seccomp: Remove 2-phase API documentation Mickaël Salaün
@ 2016-07-12  1:59 ` Kees Cook
  2016-07-28 18:29   ` Kees Cook
  3 siblings, 1 reply; 13+ messages in thread
From: Kees Cook @ 2016-07-12  1:59 UTC (permalink / raw)
  To: Mickaël Salaün, James Morris
  Cc: LKML, Jeff Dike, Richard Weinberger, Olof Johansson,
	user-mode-linux-devel, linux-security-module

On Mon, Jul 11, 2016 at 5:56 PM, Mickaël Salaün <mic@digikod.net> wrote:
> Hi,
>
> This series fixes the recent seccomp update for the User-mode Linux architecture
> (32-bit and 64-bit) since commit 26703c636c1f3272b39bd0f6d04d2e970984f1b6
> (close the hole where ptrace can change a syscall out from under seccomp).
>
> Regards,
>
> Mickaël Salaün (3):
>   um/ptrace: Fix the syscall_trace_leave call
>   um/ptrace: Fix the syscall number update after a ptrace
>   seccomp: Remove 2-phase API documentation
>
>  arch/Kconfig                  | 11 -----------
>  arch/um/kernel/skas/syscall.c | 10 +++-------
>  arch/x86/um/ptrace_32.c       |  3 +++
>  arch/x86/um/ptrace_64.c       |  4 ++++
>  4 files changed, 10 insertions(+), 18 deletions(-)

Ah, perfect! Thanks for fixing this! James, can you pick this up for -next?

Acked-by: Kees Cook <keescook@chromium.org>

-Kees

-- 
Kees Cook
Chrome OS & Brillo Security


* Re: [PATCH v1 0/3] Fix seccomp for UM (next)
  2016-07-12  1:59 ` [PATCH v1 0/3] Fix seccomp for UM (next) Kees Cook
@ 2016-07-28 18:29   ` Kees Cook
  2016-08-01  0:54     ` James Morris
  0 siblings, 1 reply; 13+ messages in thread
From: Kees Cook @ 2016-07-28 18:29 UTC (permalink / raw)
  To: Mickaël Salaün, James Morris
  Cc: LKML, Jeff Dike, Richard Weinberger, Olof Johansson,
	user-mode-linux-devel, linux-security-module

On Mon, Jul 11, 2016 at 6:59 PM, Kees Cook <keescook@chromium.org> wrote:
> On Mon, Jul 11, 2016 at 5:56 PM, Mickaël Salaün <mic@digikod.net> wrote:
>> Hi,
>>
>> This series fixes the recent seccomp update for the User-mode Linux architecture
>> (32-bit and 64-bit) since commit 26703c636c1f3272b39bd0f6d04d2e970984f1b6
>> (close the hole where ptrace can change a syscall out from under seccomp).
>>
>> Regards,
>>
>> Mickaël Salaün (3):
>>   um/ptrace: Fix the syscall_trace_leave call
>>   um/ptrace: Fix the syscall number update after a ptrace
>>   seccomp: Remove 2-phase API documentation
>>
>>  arch/Kconfig                  | 11 -----------
>>  arch/um/kernel/skas/syscall.c | 10 +++-------
>>  arch/x86/um/ptrace_32.c       |  3 +++
>>  arch/x86/um/ptrace_64.c       |  4 ++++
>>  4 files changed, 10 insertions(+), 18 deletions(-)
>
> Ah, perfect! Thanks for fixing this! James, can you pick this up for -next?
>
> Acked-by: Kees Cook <keescook@chromium.org>

James, can you take these fixes for v4.8? We'll need them for um to
work correctly again. (They appear to still be missing from -next.)

Thanks!

-Kees

-- 
Kees Cook
Chrome OS & Brillo Security


* Re: [PATCH v1 0/3] Fix seccomp for UM (next)
  2016-07-28 18:29   ` Kees Cook
@ 2016-08-01  0:54     ` James Morris
  2016-08-01 21:01       ` [PATCH v2 " Mickaël Salaün
  0 siblings, 1 reply; 13+ messages in thread
From: James Morris @ 2016-08-01  0:54 UTC (permalink / raw)
  To: Kees Cook
  Cc: Mickaël Salaün, LKML, Jeff Dike, Richard Weinberger,
	Olof Johansson, user-mode-linux-devel, linux-security-module


On Thu, 28 Jul 2016, Kees Cook wrote:

> On Mon, Jul 11, 2016 at 6:59 PM, Kees Cook <keescook@chromium.org> wrote:
> > On Mon, Jul 11, 2016 at 5:56 PM, Mickaël Salaün <mic@digikod.net> wrote:
> >> Hi,
> >>
> >> This series fixes the recent seccomp update for the User-mode Linux architecture
> >> (32-bit and 64-bit) since commit 26703c636c1f3272b39bd0f6d04d2e970984f1b6
> >> (close the hole where ptrace can change a syscall out from under seccomp).
> >>
> >> Regards,
> >>
> >> Mickaël Salaün (3):
> >>   um/ptrace: Fix the syscall_trace_leave call
> >>   um/ptrace: Fix the syscall number update after a ptrace
> >>   seccomp: Remove 2-phase API documentation
> >>
> >>  arch/Kconfig                  | 11 -----------
> >>  arch/um/kernel/skas/syscall.c | 10 +++-------
> >>  arch/x86/um/ptrace_32.c       |  3 +++
> >>  arch/x86/um/ptrace_64.c       |  4 ++++
> >>  4 files changed, 10 insertions(+), 18 deletions(-)
> >
> > Ah, perfect! Thanks for fixing this! James, can you pick this up for -next?
> >
> > Acked-by: Kees Cook <keescook@chromium.org>
> 
> James, can you take these fixes for v4.8? We'll need them for um to
> work correctly again. (They appear to still be missing from -next.)
> 

I'm pretty sure I don't have these patches, can you or the author send 
them to me?

-- 
James Morris
<jmorris@namei.org>


* [PATCH v2 0/3] Fix seccomp for UM (next)
  2016-08-01  0:54     ` James Morris
@ 2016-08-01 21:01       ` Mickaël Salaün
  2016-08-01 21:01         ` [PATCH v2 1/3] um/ptrace: Fix the syscall_trace_leave call Mickaël Salaün
                           ` (3 more replies)
  0 siblings, 4 replies; 13+ messages in thread
From: Mickaël Salaün @ 2016-08-01 21:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Mickaël Salaün, Kees Cook, Jeff Dike,
	Richard Weinberger, James Morris, Olof Johansson,
	user-mode-linux-devel, linux-security-module

Hi,

This series fixes the recent seccomp update for the User-mode Linux architecture
(32-bit and 64-bit) since commit 26703c636c1f ("um/ptrace: run seccomp after
ptrace") which closes the hole where ptrace can change a syscall out from under
seccomp.

Changes since v1:
* fix commit message typo [2/3]
* add Kees Cook's Acked-by
* rebased on commit 7616ac70d1bb ("apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT
  parameter handling")

Available in the git repository at:
  https://github.com/l0kod/linux heads/um-fix-seccomp-ptrace-v2

Regards,

Mickaël Salaün (3):
  um/ptrace: Fix the syscall_trace_leave call
  um/ptrace: Fix the syscall number update after a ptrace
  seccomp: Remove 2-phase API documentation

 arch/Kconfig                  | 11 -----------
 arch/um/kernel/skas/syscall.c | 10 +++-------
 arch/x86/um/ptrace_32.c       |  3 +++
 arch/x86/um/ptrace_64.c       |  4 ++++
 4 files changed, 10 insertions(+), 18 deletions(-)

-- 
2.8.1


* [PATCH v2 1/3] um/ptrace: Fix the syscall_trace_leave call
  2016-08-01 21:01       ` [PATCH v2 " Mickaël Salaün
@ 2016-08-01 21:01         ` Mickaël Salaün
  2016-08-01 21:01         ` [PATCH v2 2/3] um/ptrace: Fix the syscall number update after a ptrace Mickaël Salaün
                           ` (2 subsequent siblings)
  3 siblings, 0 replies; 13+ messages in thread
From: Mickaël Salaün @ 2016-08-01 21:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Mickaël Salaün, Kees Cook, Jeff Dike,
	Richard Weinberger, James Morris, Olof Johansson,
	user-mode-linux-devel, linux-security-module

Keep the same semantics as before the commit 26703c636c1f: deallocate
audit context and fake a proper syscall exit.

This fixes a kernel panic triggered by the seccomp_bpf test:
> [ RUN      ] global.ERRNO_valid
> BUG: failure at kernel/auditsc.c:1504/__audit_syscall_entry()!
> Kernel panic - not syncing: BUG!

Fixes: 26703c636c1f ("um/ptrace: run seccomp after ptrace")

Signed-off-by: Mickaël Salaün <mic@digikod.net>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: James Morris <jmorris@namei.org>
Cc: user-mode-linux-devel@lists.sourceforge.net
---
 arch/um/kernel/skas/syscall.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c
index ef4b8f949b51..0728fee94398 100644
--- a/arch/um/kernel/skas/syscall.c
+++ b/arch/um/kernel/skas/syscall.c
@@ -21,11 +21,11 @@ void handle_syscall(struct uml_pt_regs *r)
 	PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS);
 
 	if (syscall_trace_enter(regs))
-		return;
+		goto out;
 
 	/* Do the seccomp check after ptrace; failures should be fast. */
 	if (secure_computing(NULL) == -1)
-		return;
+		goto out;
 
 	/* Update the syscall number after orig_ax has potentially been updated
 	 * with ptrace.
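
Review bot: the first `goto out` changes what happens on a tracer abort: when syscall_trace_enter(regs) returns non-zero, the task now also passes through syscall_trace_leave(regs). The commit message calls this "fake a proper syscall exit"; put that sentence, or an equivalent, as a comment at this jump so the enter/leave pairing is documented in the code and not only in the log.
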
@@ -37,5 +37,6 @@ void handle_syscall(struct uml_pt_regs *r)
 		PT_REGS_SET_SYSCALL_RETURN(regs,
 				EXECUTE_SYSCALL(syscall, regs));
 
+out:
 	syscall_trace_leave(regs);
 }
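
Review bot: at `out:` a skipped syscall reaches syscall_trace_leave(regs) with whatever return value is in regs, and for that path the only assignment visible in this function is the -ENOSYS preset at the top. A comment at the label naming the return value a skipped syscall leaves with would help readers of the exit path.
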
-- 
2.8.1


* [PATCH v2 2/3] um/ptrace: Fix the syscall number update after a ptrace
  2016-08-01 21:01       ` [PATCH v2 " Mickaël Salaün
  2016-08-01 21:01         ` [PATCH v2 1/3] um/ptrace: Fix the syscall_trace_leave call Mickaël Salaün
@ 2016-08-01 21:01         ` Mickaël Salaün
  2016-08-01 21:01         ` [PATCH v2 3/3] seccomp: Remove 2-phase API documentation Mickaël Salaün
  2016-08-09  0:35         ` [PATCH v2 0/3] Fix seccomp for UM (next) James Morris
  3 siblings, 0 replies; 13+ messages in thread
From: Mickaël Salaün @ 2016-08-01 21:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Mickaël Salaün, Kees Cook, Jeff Dike,
	Richard Weinberger, James Morris, Olof Johansson,
	user-mode-linux-devel, linux-security-module

Update the syscall number after each PTRACE_SETREGS on ORIG_*AX.

This is needed to get the potentially altered syscall number in the
seccomp filters after RET_TRACE.

This fixes four seccomp_bpf tests:
> [ RUN      ] TRACE_syscall.skip_after_RET_TRACE
> seccomp_bpf.c:1560:TRACE_syscall.skip_after_RET_TRACE:Expected -1 (18446744073709551615) == syscall(39) (26)
> seccomp_bpf.c:1561:TRACE_syscall.skip_after_RET_TRACE:Expected 1 (1) == (*__errno_location ()) (22)
> [     FAIL ] TRACE_syscall.skip_after_RET_TRACE
> [ RUN      ] TRACE_syscall.kill_after_RET_TRACE
> TRACE_syscall.kill_after_RET_TRACE: Test exited normally instead of by signal (code: 1)
> [     FAIL ] TRACE_syscall.kill_after_RET_TRACE
> [ RUN      ] TRACE_syscall.skip_after_ptrace
> seccomp_bpf.c:1622:TRACE_syscall.skip_after_ptrace:Expected -1 (18446744073709551615) == syscall(39) (26)
> seccomp_bpf.c:1623:TRACE_syscall.skip_after_ptrace:Expected 1 (1) == (*__errno_location ()) (22)
> [     FAIL ] TRACE_syscall.skip_after_ptrace
> [ RUN      ] TRACE_syscall.kill_after_ptrace
> TRACE_syscall.kill_after_ptrace: Test exited normally instead of by signal (code: 1)
> [     FAIL ] TRACE_syscall.kill_after_ptrace

Fixes: 26703c636c1f ("um/ptrace: run seccomp after ptrace")

Signed-off-by: Mickaël Salaün <mic@digikod.net>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: James Morris <jmorris@namei.org>
Cc: user-mode-linux-devel@lists.sourceforge.net
---
 arch/um/kernel/skas/syscall.c | 5 -----
 arch/x86/um/ptrace_32.c       | 3 +++
 arch/x86/um/ptrace_64.c       | 4 ++++
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c
index 0728fee94398..b783ac87d98a 100644
--- a/arch/um/kernel/skas/syscall.c
+++ b/arch/um/kernel/skas/syscall.c
@@ -27,12 +27,7 @@ void handle_syscall(struct uml_pt_regs *r)
 	if (secure_computing(NULL) == -1)
 		goto out;
 
-	/* Update the syscall number after orig_ax has potentially been updated
-	 * with ptrace.
-	 */
-	UPT_SYSCALL_NR(r) = PT_SYSCALL_NR(r->gp);
 	syscall = UPT_SYSCALL_NR(r);
-
 	if (syscall >= 0 && syscall <= __NR_syscall_max)
 		PT_REGS_SET_SYSCALL_RETURN(regs,
 				EXECUTE_SYSCALL(syscall, regs));
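
Review bot: this hunk also deletes the blank line after `syscall = UPT_SYSCALL_NR(r);`, a whitespace change unrelated to the fix. Keep the blank line before the range check so the diff contains only the removal of the stale refresh.
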
diff --git a/arch/x86/um/ptrace_32.c b/arch/x86/um/ptrace_32.c
index ebd4dd6ef73b..a7ef7b131e25 100644
--- a/arch/x86/um/ptrace_32.c
+++ b/arch/x86/um/ptrace_32.c
@@ -84,7 +84,10 @@ int putreg(struct task_struct *child, int regno, unsigned long value)
 	case EAX:
 	case EIP:
 	case UESP:
+		break;
 	case ORIG_EAX:
+		/* Update the syscall number. */
+		UPT_SYSCALL_NR(&child->thread.regs.regs) = value;
 		break;
 	case FS:
 		if (value && (value & 3) != 3)
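
Review bot: the comment "Update the syscall number." in the ORIG_EAX case restates the assignment below it. Say why instead, for example that seccomp runs after ptrace and reads UPT_SYSCALL_NR, so a tracer's change to ORIG_EAX has to be mirrored there.
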
diff --git a/arch/x86/um/ptrace_64.c b/arch/x86/um/ptrace_64.c
index faab418876ce..0b5c184dd5b3 100644
--- a/arch/x86/um/ptrace_64.c
+++ b/arch/x86/um/ptrace_64.c
@@ -78,7 +78,11 @@ int putreg(struct task_struct *child, int regno, unsigned long value)
 	case RSI:
 	case RDI:
 	case RBP:
+		break;
+
 	case ORIG_RAX:
+		/* Update the syscall number. */
+		UPT_SYSCALL_NR(&child->thread.regs.regs) = value;
 		break;
 
 	case FS:
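
Review bot: the ORIG_RAX case now writes `value` to UPT_SYSCALL_NR and then hits `break;`, and the hunk does not show where the register slot itself is stored. Confirm that the code after the switch still writes the same `value` to the ORIG_RAX slot, so the two copies cannot diverge, and mention that in the comment.
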
-- 
2.8.1


* [PATCH v2 3/3] seccomp: Remove 2-phase API documentation
  2016-08-01 21:01       ` [PATCH v2 " Mickaël Salaün
  2016-08-01 21:01         ` [PATCH v2 1/3] um/ptrace: Fix the syscall_trace_leave call Mickaël Salaün
  2016-08-01 21:01         ` [PATCH v2 2/3] um/ptrace: Fix the syscall number update after a ptrace Mickaël Salaün
@ 2016-08-01 21:01         ` Mickaël Salaün
  2016-08-09  0:35         ` [PATCH v2 0/3] Fix seccomp for UM (next) James Morris
  3 siblings, 0 replies; 13+ messages in thread
From: Mickaël Salaün @ 2016-08-01 21:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Mickaël Salaün, Kees Cook, Jeff Dike,
	Richard Weinberger, James Morris, Olof Johansson,
	user-mode-linux-devel, linux-security-module, Andy Lutomirski

Fixes: 8112c4f140fa ("seccomp: remove 2-phase API")

Signed-off-by: Mickaël Salaün <mic@digikod.net>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: James Morris <jmorris@namei.org>
---
 arch/Kconfig | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/arch/Kconfig b/arch/Kconfig
index d794384a0404..96e434638767 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -336,17 +336,6 @@ config HAVE_ARCH_SECCOMP_FILTER
 	    results in the system call being skipped immediately.
 	  - seccomp syscall wired up
 
-	  For best performance, an arch should use seccomp_phase1 and
-	  seccomp_phase2 directly.  It should call seccomp_phase1 for all
-	  syscalls if TIF_SECCOMP is set, but seccomp_phase1 does not
-	  need to be called from a ptrace-safe context.  It must then
-	  call seccomp_phase2 if seccomp_phase1 returns anything other
-	  than SECCOMP_PHASE1_OK or SECCOMP_PHASE1_SKIP.
-
-	  As an additional optimization, an arch may provide seccomp_data
-	  directly to seccomp_phase1; this avoids multiple calls
-	  to the syscall_xyz helpers for every syscall.
-
 config SECCOMP_FILTER
 	def_bool y
 	depends on HAVE_ARCH_SECCOMP_FILTER && SECCOMP && NET
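
Review bot: after the removal, the HAVE_ARCH_SECCOMP_FILTER help ends at "seccomp syscall wired up" and gives an arch maintainer no hint about where the seccomp check belongs relative to ptrace, which is the ordering that patches 1/3 and 2/3 repair for UM. Consider a follow-up line in this help text stating that requirement in place of the deleted performance advice.
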
-- 
2.8.1


* Re: [PATCH v2 0/3] Fix seccomp for UM (next)
  2016-08-01 21:01       ` [PATCH v2 " Mickaël Salaün
                           ` (2 preceding siblings ...)
  2016-08-01 21:01         ` [PATCH v2 3/3] seccomp: Remove 2-phase API documentation Mickaël Salaün
@ 2016-08-09  0:35         ` James Morris
  2016-09-06 20:31           ` [PATCH v2 0/3] Fix seccomp for UM Mickaël Salaün
  3 siblings, 1 reply; 13+ messages in thread
From: James Morris @ 2016-08-09  0:35 UTC (permalink / raw)
  To: Mickaël Salaün
  Cc: linux-kernel, Kees Cook, Jeff Dike, Richard Weinberger,
	Olof Johansson, user-mode-linux-devel, linux-security-module


On Mon, 1 Aug 2016, Mickaël Salaün wrote:

> Hi,
> 
> This series fixes the recent seccomp update for the User-mode Linux architecture
> (32-bit and 64-bit) since commit 26703c636c1f ("um/ptrace: run seccomp after
> ptrace") which closes the hole where ptrace can change a syscall out from under
> seccomp.
> 
> Changes since v1:
> * fix commit message typo [2/3]
> * add Kees Cook's Acked-by
> * rebased on commit 7616ac70d1bb ("apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT
>   parameter handling")

All applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next



-- 
James Morris
<jmorris@namei.org>


* Re: [PATCH v2 0/3] Fix seccomp for UM
  2016-08-09  0:35         ` [PATCH v2 0/3] Fix seccomp for UM (next) James Morris
@ 2016-09-06 20:31           ` Mickaël Salaün
  0 siblings, 0 replies; 13+ messages in thread
From: Mickaël Salaün @ 2016-09-06 20:31 UTC (permalink / raw)
  To: James Morris
  Cc: linux-kernel, Kees Cook, Jeff Dike, Richard Weinberger,
	Olof Johansson, user-mode-linux-devel, linux-security-module,
	Mimi Zohar



Hi,

It seems that some of the fixes from linux-security have landed in
Linus' tree but some seccomp fixes are still missing. They fix bugs
introduced in Linux v4.8 and are still present in v4.8-rc5. Could you
please push this series before the final 4.8 release?

Regards,
 Mickaël

On 09/08/2016 02:35, James Morris wrote:
> On Mon, 1 Aug 2016, Mickaël Salaün wrote:
> 
>> Hi,
>>
>> This series fixes the recent seccomp update for the User-mode Linux architecture
>> (32-bit and 64-bit) since commit 26703c636c1f ("um/ptrace: run seccomp after
>> ptrace") which closes the hole where ptrace can change a syscall out from under
>> seccomp.
>>
>> Changes since v1:
>> * fix commit message typo [2/3]
>> * add Kees Cook's Acked-by
>> * rebased on commit 7616ac70d1bb ("apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT
>>   parameter handling")
> 
> All applied to
> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next
> 
> 
> 

