* [PATCH v1 0/3] Fix seccomp for UM (next)
@ 2016-07-11 21:56 Mickaël Salaün
2016-07-11 21:57 ` [PATCH v1 1/3] um/ptrace: Fix the syscall_trace_leave call Mickaël Salaün
` (3 more replies)
0 siblings, 4 replies; 13+ messages in thread
From: Mickaël Salaün @ 2016-07-11 21:56 UTC (permalink / raw)
To: linux-kernel
Cc: Mickaël Salaün, Kees Cook, Jeff Dike,
Richard Weinberger, James Morris, Olof Johansson,
user-mode-linux-devel, linux-security-module
Hi,
This series fixes the recent seccomp update for the User-mode Linux architecture
(32-bit and 64-bit) since commit 26703c636c1f3272b39bd0f6d04d2e970984f1b6
(close the hole where ptrace can change a syscall out from under seccomp).
Regards,
Mickaël Salaün (3):
um/ptrace: Fix the syscall_trace_leave call
um/ptrace: Fix the syscall number update after a ptrace
seccomp: Remove 2-phase API documentation
arch/Kconfig | 11 -----------
arch/um/kernel/skas/syscall.c | 10 +++-------
arch/x86/um/ptrace_32.c | 3 +++
arch/x86/um/ptrace_64.c | 4 ++++
4 files changed, 10 insertions(+), 18 deletions(-)
--
2.8.1
* [PATCH v1 1/3] um/ptrace: Fix the syscall_trace_leave call
2016-07-11 21:56 [PATCH v1 0/3] Fix seccomp for UM (next) Mickaël Salaün
@ 2016-07-11 21:57 ` Mickaël Salaün
2016-07-11 21:57 ` [PATCH v1 2/3] um/ptrace: Fix the syscall number update after a ptrace Mickaël Salaün
` (2 subsequent siblings)
3 siblings, 0 replies; 13+ messages in thread
From: Mickaël Salaün @ 2016-07-11 21:57 UTC (permalink / raw)
To: linux-kernel
Cc: Mickaël Salaün, Kees Cook, Jeff Dike,
Richard Weinberger, James Morris, Olof Johansson,
user-mode-linux-devel, linux-security-module
Keep the same semantics as before commit 26703c636c1f: deallocate
audit context and fake a proper syscall exit.
This fixes a kernel panic triggered by the seccomp_bpf test:
> [ RUN ] global.ERRNO_valid
> BUG: failure at kernel/auditsc.c:1504/__audit_syscall_entry()!
> Kernel panic - not syncing: BUG!
Fixes: 26703c636c1f ("um/ptrace: run seccomp after ptrace")
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Kees Cook <keescook@chromium.org>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: James Morris <jmorris@namei.org>
Cc: user-mode-linux-devel@lists.sourceforge.net
---
arch/um/kernel/skas/syscall.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c
index ef4b8f949b51..0728fee94398 100644
--- a/arch/um/kernel/skas/syscall.c
+++ b/arch/um/kernel/skas/syscall.c
@@ -21,11 +21,11 @@ void handle_syscall(struct uml_pt_regs *r)
PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS);
if (syscall_trace_enter(regs))
- return;
+ goto out;
/* Do the seccomp check after ptrace; failures should be fast. */
if (secure_computing(NULL) == -1)
- return;
+ goto out;
/* Update the syscall number after orig_ax has potentially been updated
* with ptrace.
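Review bot: both early exits in this hunk now jump to `out`, but nothing at either `goto out;` says why a skipped syscall still needs the exit hook. The commit message gives the reason (the audit context has to be released and a syscall exit faked); a one-line comment above the first `goto out;` would keep this from being simplified back to `return;` later.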
@@ -37,5 +37,6 @@ void handle_syscall(struct uml_pt_regs *r)
PT_REGS_SET_SYSCALL_RETURN(regs,
EXECUTE_SYSCALL(syscall, regs));
+out:
syscall_trace_leave(regs);
}
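Review bot: with `out:` placed directly before `syscall_trace_leave(regs);`, the leave hook now also runs when `syscall_trace_enter(regs)` itself returned non-zero, not only when `secure_computing(NULL)` returned -1. The changelog cites only the seccomp_bpf global.ERRNO_valid panic, so it should also state that calling `syscall_trace_leave()` after an aborted entry is intended.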
--
2.8.1
* [PATCH v1 2/3] um/ptrace: Fix the syscall number update after a ptrace
2016-07-11 21:56 [PATCH v1 0/3] Fix seccomp for UM (next) Mickaël Salaün
2016-07-11 21:57 ` [PATCH v1 1/3] um/ptrace: Fix the syscall_trace_leave call Mickaël Salaün
@ 2016-07-11 21:57 ` Mickaël Salaün
2016-07-11 21:57 ` [PATCH v1 3/3] seccomp: Remove 2-phase API documentation Mickaël Salaün
2016-07-12 1:59 ` [PATCH v1 0/3] Fix seccomp for UM (next) Kees Cook
3 siblings, 0 replies; 13+ messages in thread
From: Mickaël Salaün @ 2016-07-11 21:57 UTC (permalink / raw)
To: linux-kernel
Cc: Mickaël Salaün, Kees Cook, Jeff Dike,
Richard Weinberger, James Morris, Olof Johansson,
user-mode-linux-devel, linux-security-module
Update the syscall number after earch PTRACE_SETREGS on ORIG_*AX.
This is needed to get the potentially altered syscall number in the
seccomp filters after RET_TRACE.
This fixes four seccomp_bpf tests:
> [ RUN ] TRACE_syscall.skip_after_RET_TRACE
> seccomp_bpf.c:1560:TRACE_syscall.skip_after_RET_TRACE:Expected -1 (18446744073709551615) == syscall(39) (26)
> seccomp_bpf.c:1561:TRACE_syscall.skip_after_RET_TRACE:Expected 1 (1) == (*__errno_location ()) (22)
> [ FAIL ] TRACE_syscall.skip_after_RET_TRACE
> [ RUN ] TRACE_syscall.kill_after_RET_TRACE
> TRACE_syscall.kill_after_RET_TRACE: Test exited normally instead of by signal (code: 1)
> [ FAIL ] TRACE_syscall.kill_after_RET_TRACE
> [ RUN ] TRACE_syscall.skip_after_ptrace
> seccomp_bpf.c:1622:TRACE_syscall.skip_after_ptrace:Expected -1 (18446744073709551615) == syscall(39) (26)
> seccomp_bpf.c:1623:TRACE_syscall.skip_after_ptrace:Expected 1 (1) == (*__errno_location ()) (22)
> [ FAIL ] TRACE_syscall.skip_after_ptrace
> [ RUN ] TRACE_syscall.kill_after_ptrace
> TRACE_syscall.kill_after_ptrace: Test exited normally instead of by signal (code: 1)
> [ FAIL ] TRACE_syscall.kill_after_ptrace
Fixes: 26703c636c1f ("um/ptrace: run seccomp after ptrace")
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Kees Cook <keescook@chromium.org>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: James Morris <jmorris@namei.org>
Cc: user-mode-linux-devel@lists.sourceforge.net
---
arch/um/kernel/skas/syscall.c | 5 -----
arch/x86/um/ptrace_32.c | 3 +++
arch/x86/um/ptrace_64.c | 4 ++++
3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c
index 0728fee94398..b783ac87d98a 100644
--- a/arch/um/kernel/skas/syscall.c
+++ b/arch/um/kernel/skas/syscall.c
@@ -27,12 +27,7 @@ void handle_syscall(struct uml_pt_regs *r)
if (secure_computing(NULL) == -1)
goto out;
- /* Update the syscall number after orig_ax has potentially been updated
- * with ptrace.
- */
- UPT_SYSCALL_NR(r) = PT_SYSCALL_NR(r->gp);
syscall = UPT_SYSCALL_NR(r);
-
if (syscall >= 0 && syscall <= __NR_syscall_max)
PT_REGS_SET_SYSCALL_RETURN(regs,
EXECUTE_SYSCALL(syscall, regs));
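Review bot: with the `UPT_SYSCALL_NR(r) = PT_SYSCALL_NR(r->gp);` refresh removed here, `syscall = UPT_SYSCALL_NR(r);` is only correct if every write to the tracee's ORIG_*AX also updates `UPT_SYSCALL_NR`. That invariant now lives in `putreg()` in two other files, so a one-line comment above `syscall = UPT_SYSCALL_NR(r);` pointing at `putreg()` would help the next reader of handle_syscall().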
diff --git a/arch/x86/um/ptrace_32.c b/arch/x86/um/ptrace_32.c
index ebd4dd6ef73b..a7ef7b131e25 100644
--- a/arch/x86/um/ptrace_32.c
+++ b/arch/x86/um/ptrace_32.c
@@ -84,7 +84,10 @@ int putreg(struct task_struct *child, int regno, unsigned long value)
case EAX:
case EIP:
case UESP:
+ break;
case ORIG_EAX:
+ /* Update the syscall number. */
+ UPT_SYSCALL_NR(&child->thread.regs.regs) = value;
break;
case FS:
if (value && (value & 3) != 3)
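Review bot: the added comment `/* Update the syscall number. */` under `case ORIG_EAX:` only restates the assignment below it. The reason is in the commit message (seccomp filters must see the number the tracer wrote), and putting that reason in the comment would be more useful.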
diff --git a/arch/x86/um/ptrace_64.c b/arch/x86/um/ptrace_64.c
index faab418876ce..0b5c184dd5b3 100644
--- a/arch/x86/um/ptrace_64.c
+++ b/arch/x86/um/ptrace_64.c
@@ -78,7 +78,11 @@ int putreg(struct task_struct *child, int regno, unsigned long value)
case RSI:
case RDI:
case RBP:
+ break;
+
case ORIG_RAX:
+ /* Update the syscall number. */
+ UPT_SYSCALL_NR(&child->thread.regs.regs) = value;
break;
case FS:
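Review bot: the added `break;` after `case RBP:` is followed by a blank line here, while the same change after `case UESP:` in ptrace_32.c has none. Pick one form so the two `putreg()` switches stay visually identical.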
--
2.8.1
* [PATCH v1 3/3] seccomp: Remove 2-phase API documentation
2016-07-11 21:56 [PATCH v1 0/3] Fix seccomp for UM (next) Mickaël Salaün
2016-07-11 21:57 ` [PATCH v1 1/3] um/ptrace: Fix the syscall_trace_leave call Mickaël Salaün
2016-07-11 21:57 ` [PATCH v1 2/3] um/ptrace: Fix the syscall number update after a ptrace Mickaël Salaün
@ 2016-07-11 21:57 ` Mickaël Salaün
2016-07-12 1:59 ` [PATCH v1 0/3] Fix seccomp for UM (next) Kees Cook
3 siblings, 0 replies; 13+ messages in thread
From: Mickaël Salaün @ 2016-07-11 21:57 UTC (permalink / raw)
To: linux-kernel
Cc: Mickaël Salaün, Kees Cook, Jeff Dike,
Richard Weinberger, James Morris, Olof Johansson,
user-mode-linux-devel, linux-security-module, Andy Lutomirski
Fixes: 8112c4f140fa ("seccomp: remove 2-phase API")
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: James Morris <jmorris@namei.org>
---
arch/Kconfig | 11 -----------
1 file changed, 11 deletions(-)
diff --git a/arch/Kconfig b/arch/Kconfig
index d794384a0404..96e434638767 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -336,17 +336,6 @@ config HAVE_ARCH_SECCOMP_FILTER
results in the system call being skipped immediately.
- seccomp syscall wired up
- For best performance, an arch should use seccomp_phase1 and
- seccomp_phase2 directly. It should call seccomp_phase1 for all
- syscalls if TIF_SECCOMP is set, but seccomp_phase1 does not
- need to be called from a ptrace-safe context. It must then
- call seccomp_phase2 if seccomp_phase1 returns anything other
- than SECCOMP_PHASE1_OK or SECCOMP_PHASE1_SKIP.
-
- As an additional optimization, an arch may provide seccomp_data
- directly to seccomp_phase1; this avoids multiple calls
- to the syscall_xyz helpers for every syscall.
-
config SECCOMP_FILTER
def_bool y
depends on HAVE_ARCH_SECCOMP_FILTER && SECCOMP && NET
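Review bot: the commit message for this removal consists only of the `Fixes:` and sign-off tags, with no sentence saying what is deleted or why. One line stating that the deleted help text describes `seccomp_phase1` and `seccomp_phase2`, which 8112c4f140fa removed, would make the log self-explanatory.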
--
2.8.1
* Re: [PATCH v1 0/3] Fix seccomp for UM (next)
2016-07-11 21:56 [PATCH v1 0/3] Fix seccomp for UM (next) Mickaël Salaün
` (2 preceding siblings ...)
2016-07-11 21:57 ` [PATCH v1 3/3] seccomp: Remove 2-phase API documentation Mickaël Salaün
@ 2016-07-12 1:59 ` Kees Cook
2016-07-28 18:29 ` Kees Cook
3 siblings, 1 reply; 13+ messages in thread
From: Kees Cook @ 2016-07-12 1:59 UTC (permalink / raw)
To: Mickaël Salaün, James Morris
Cc: LKML, Jeff Dike, Richard Weinberger, Olof Johansson,
user-mode-linux-devel, linux-security-module
On Mon, Jul 11, 2016 at 5:56 PM, Mickaël Salaün <mic@digikod.net> wrote:
> Hi,
>
> This series fixes the recent seccomp update for the User-mode Linux architecture
> (32-bit and 64-bit) since commit 26703c636c1f3272b39bd0f6d04d2e970984f1b6
> (close the hole where ptrace can change a syscall out from under seccomp).
>
> Regards,
>
> Mickaël Salaün (3):
> um/ptrace: Fix the syscall_trace_leave call
> um/ptrace: Fix the syscall number update after a ptrace
> seccomp: Remove 2-phase API documentation
>
> arch/Kconfig | 11 -----------
> arch/um/kernel/skas/syscall.c | 10 +++-------
> arch/x86/um/ptrace_32.c | 3 +++
> arch/x86/um/ptrace_64.c | 4 ++++
> 4 files changed, 10 insertions(+), 18 deletions(-)
Ah, perfect! Thanks for fixing this! James, can you pick this up for -next?
Acked-by: Kees Cook <keescook@chromium.org>
-Kees
--
Kees Cook
Chrome OS & Brillo Security
* Re: [PATCH v1 0/3] Fix seccomp for UM (next)
2016-07-12 1:59 ` [PATCH v1 0/3] Fix seccomp for UM (next) Kees Cook
@ 2016-07-28 18:29 ` Kees Cook
2016-08-01 0:54 ` James Morris
0 siblings, 1 reply; 13+ messages in thread
From: Kees Cook @ 2016-07-28 18:29 UTC (permalink / raw)
To: Mickaël Salaün, James Morris
Cc: LKML, Jeff Dike, Richard Weinberger, Olof Johansson,
user-mode-linux-devel, linux-security-module
On Mon, Jul 11, 2016 at 6:59 PM, Kees Cook <keescook@chromium.org> wrote:
> On Mon, Jul 11, 2016 at 5:56 PM, Mickaël Salaün <mic@digikod.net> wrote:
>> Hi,
>>
>> This series fixes the recent seccomp update for the User-mode Linux architecture
>> (32-bit and 64-bit) since commit 26703c636c1f3272b39bd0f6d04d2e970984f1b6
>> (close the hole where ptrace can change a syscall out from under seccomp).
>>
>> Regards,
>>
>> Mickaël Salaün (3):
>> um/ptrace: Fix the syscall_trace_leave call
>> um/ptrace: Fix the syscall number update after a ptrace
>> seccomp: Remove 2-phase API documentation
>>
>> arch/Kconfig | 11 -----------
>> arch/um/kernel/skas/syscall.c | 10 +++-------
>> arch/x86/um/ptrace_32.c | 3 +++
>> arch/x86/um/ptrace_64.c | 4 ++++
>> 4 files changed, 10 insertions(+), 18 deletions(-)
>
> Ah, perfect! Thanks for fixing this! James, can you pick this up for -next?
>
> Acked-by: Kees Cook <keescook@chromium.org>
James, can you take these fixes for v4.8? We'll need them for um to
work correctly again. (They appear to still be missing from -next.)
Thanks!
-Kees
--
Kees Cook
Chrome OS & Brillo Security
* Re: [PATCH v1 0/3] Fix seccomp for UM (next)
2016-07-28 18:29 ` Kees Cook
@ 2016-08-01 0:54 ` James Morris
2016-08-01 21:01 ` [PATCH v2 " Mickaël Salaün
0 siblings, 1 reply; 13+ messages in thread
From: James Morris @ 2016-08-01 0:54 UTC (permalink / raw)
To: Kees Cook
Cc: Mickaël Salaün, LKML, Jeff Dike, Richard Weinberger,
Olof Johansson, user-mode-linux-devel, linux-security-module
On Thu, 28 Jul 2016, Kees Cook wrote:
> On Mon, Jul 11, 2016 at 6:59 PM, Kees Cook <keescook@chromium.org> wrote:
> > On Mon, Jul 11, 2016 at 5:56 PM, Mickaël Salaün <mic@digikod.net> wrote:
> >> Hi,
> >>
> >> This series fixes the recent seccomp update for the User-mode Linux architecture
> >> (32-bit and 64-bit) since commit 26703c636c1f3272b39bd0f6d04d2e970984f1b6
> >> (close the hole where ptrace can change a syscall out from under seccomp).
> >>
> >> Regards,
> >>
> >> Mickaël Salaün (3):
> >> um/ptrace: Fix the syscall_trace_leave call
> >> um/ptrace: Fix the syscall number update after a ptrace
> >> seccomp: Remove 2-phase API documentation
> >>
> >> arch/Kconfig | 11 -----------
> >> arch/um/kernel/skas/syscall.c | 10 +++-------
> >> arch/x86/um/ptrace_32.c | 3 +++
> >> arch/x86/um/ptrace_64.c | 4 ++++
> >> 4 files changed, 10 insertions(+), 18 deletions(-)
> >
> > Ah, perfect! Thanks for fixing this! James, can you pick this up for -next?
> >
> > Acked-by: Kees Cook <keescook@chromium.org>
>
> James, can you take these fixes for v4.8? We'll need them for um to
> work correctly again. (They appear to still be missing from -next.)
>
I'm pretty sure I don't have these patches, can you or the author send
them to me?
--
James Morris
<jmorris@namei.org>
* [PATCH v2 0/3] Fix seccomp for UM (next)
2016-08-01 0:54 ` James Morris
@ 2016-08-01 21:01 ` Mickaël Salaün
2016-08-01 21:01 ` [PATCH v2 1/3] um/ptrace: Fix the syscall_trace_leave call Mickaël Salaün
` (3 more replies)
0 siblings, 4 replies; 13+ messages in thread
From: Mickaël Salaün @ 2016-08-01 21:01 UTC (permalink / raw)
To: linux-kernel
Cc: Mickaël Salaün, Kees Cook, Jeff Dike,
Richard Weinberger, James Morris, Olof Johansson,
user-mode-linux-devel, linux-security-module
Hi,
This series fixes the recent seccomp update for the User-mode Linux architecture
(32-bit and 64-bit) since commit 26703c636c1f ("um/ptrace: run seccomp after
ptrace") which closes the hole where ptrace can change a syscall out from under
seccomp.
Changes since v1:
* fix commit message typo [2/3]
* add Kees Cook's Acked-by
* rebased on commit 7616ac70d1bb ("apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT
parameter handling")
Available in the git repository at:
https://github.com/l0kod/linux heads/um-fix-seccomp-ptrace-v2
Regards,
Mickaël Salaün (3):
um/ptrace: Fix the syscall_trace_leave call
um/ptrace: Fix the syscall number update after a ptrace
seccomp: Remove 2-phase API documentation
arch/Kconfig | 11 -----------
arch/um/kernel/skas/syscall.c | 10 +++-------
arch/x86/um/ptrace_32.c | 3 +++
arch/x86/um/ptrace_64.c | 4 ++++
4 files changed, 10 insertions(+), 18 deletions(-)
--
2.8.1
* [PATCH v2 1/3] um/ptrace: Fix the syscall_trace_leave call
2016-08-01 21:01 ` [PATCH v2 " Mickaël Salaün
@ 2016-08-01 21:01 ` Mickaël Salaün
2016-08-01 21:01 ` [PATCH v2 2/3] um/ptrace: Fix the syscall number update after a ptrace Mickaël Salaün
` (2 subsequent siblings)
3 siblings, 0 replies; 13+ messages in thread
From: Mickaël Salaün @ 2016-08-01 21:01 UTC (permalink / raw)
To: linux-kernel
Cc: Mickaël Salaün, Kees Cook, Jeff Dike,
Richard Weinberger, James Morris, Olof Johansson,
user-mode-linux-devel, linux-security-module
Keep the same semantics as before commit 26703c636c1f: deallocate
audit context and fake a proper syscall exit.
This fixes a kernel panic triggered by the seccomp_bpf test:
> [ RUN ] global.ERRNO_valid
> BUG: failure at kernel/auditsc.c:1504/__audit_syscall_entry()!
> Kernel panic - not syncing: BUG!
Fixes: 26703c636c1f ("um/ptrace: run seccomp after ptrace")
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: James Morris <jmorris@namei.org>
Cc: user-mode-linux-devel@lists.sourceforge.net
---
arch/um/kernel/skas/syscall.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c
index ef4b8f949b51..0728fee94398 100644
--- a/arch/um/kernel/skas/syscall.c
+++ b/arch/um/kernel/skas/syscall.c
@@ -21,11 +21,11 @@ void handle_syscall(struct uml_pt_regs *r)
PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS);
if (syscall_trace_enter(regs))
- return;
+ goto out;
/* Do the seccomp check after ptrace; failures should be fast. */
if (secure_computing(NULL) == -1)
- return;
+ goto out;
/* Update the syscall number after orig_ax has potentially been updated
* with ptrace.
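Review bot: on both `goto out;` paths the return register still holds whatever was last stored, which by default is the value set by `PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS);` at the top of this hunk. A short comment saying that the exit hook reports that value for a skipped call, unless something changed it in between, would document the intended result.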
@@ -37,5 +37,6 @@ void handle_syscall(struct uml_pt_regs *r)
PT_REGS_SET_SYSCALL_RETURN(regs,
EXECUTE_SYSCALL(syscall, regs));
+out:
syscall_trace_leave(regs);
}
--
2.8.1
* [PATCH v2 2/3] um/ptrace: Fix the syscall number update after a ptrace
2016-08-01 21:01 ` [PATCH v2 " Mickaël Salaün
2016-08-01 21:01 ` [PATCH v2 1/3] um/ptrace: Fix the syscall_trace_leave call Mickaël Salaün
@ 2016-08-01 21:01 ` Mickaël Salaün
2016-08-01 21:01 ` [PATCH v2 3/3] seccomp: Remove 2-phase API documentation Mickaël Salaün
2016-08-09 0:35 ` [PATCH v2 0/3] Fix seccomp for UM (next) James Morris
3 siblings, 0 replies; 13+ messages in thread
From: Mickaël Salaün @ 2016-08-01 21:01 UTC (permalink / raw)
To: linux-kernel
Cc: Mickaël Salaün, Kees Cook, Jeff Dike,
Richard Weinberger, James Morris, Olof Johansson,
user-mode-linux-devel, linux-security-module
Update the syscall number after each PTRACE_SETREGS on ORIG_*AX.
This is needed to get the potentially altered syscall number in the
seccomp filters after RET_TRACE.
This fixes four seccomp_bpf tests:
> [ RUN ] TRACE_syscall.skip_after_RET_TRACE
> seccomp_bpf.c:1560:TRACE_syscall.skip_after_RET_TRACE:Expected -1 (18446744073709551615) == syscall(39) (26)
> seccomp_bpf.c:1561:TRACE_syscall.skip_after_RET_TRACE:Expected 1 (1) == (*__errno_location ()) (22)
> [ FAIL ] TRACE_syscall.skip_after_RET_TRACE
> [ RUN ] TRACE_syscall.kill_after_RET_TRACE
> TRACE_syscall.kill_after_RET_TRACE: Test exited normally instead of by signal (code: 1)
> [ FAIL ] TRACE_syscall.kill_after_RET_TRACE
> [ RUN ] TRACE_syscall.skip_after_ptrace
> seccomp_bpf.c:1622:TRACE_syscall.skip_after_ptrace:Expected -1 (18446744073709551615) == syscall(39) (26)
> seccomp_bpf.c:1623:TRACE_syscall.skip_after_ptrace:Expected 1 (1) == (*__errno_location ()) (22)
> [ FAIL ] TRACE_syscall.skip_after_ptrace
> [ RUN ] TRACE_syscall.kill_after_ptrace
> TRACE_syscall.kill_after_ptrace: Test exited normally instead of by signal (code: 1)
> [ FAIL ] TRACE_syscall.kill_after_ptrace
Fixes: 26703c636c1f ("um/ptrace: run seccomp after ptrace")
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: James Morris <jmorris@namei.org>
Cc: user-mode-linux-devel@lists.sourceforge.net
---
arch/um/kernel/skas/syscall.c | 5 -----
arch/x86/um/ptrace_32.c | 3 +++
arch/x86/um/ptrace_64.c | 4 ++++
3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c
index 0728fee94398..b783ac87d98a 100644
--- a/arch/um/kernel/skas/syscall.c
+++ b/arch/um/kernel/skas/syscall.c
@@ -27,12 +27,7 @@ void handle_syscall(struct uml_pt_regs *r)
if (secure_computing(NULL) == -1)
goto out;
- /* Update the syscall number after orig_ax has potentially been updated
- * with ptrace.
- */
- UPT_SYSCALL_NR(r) = PT_SYSCALL_NR(r->gp);
syscall = UPT_SYSCALL_NR(r);
-
if (syscall >= 0 && syscall <= __NR_syscall_max)
PT_REGS_SET_SYSCALL_RETURN(regs,
EXECUTE_SYSCALL(syscall, regs));
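Review bot: besides dropping the refresh, this hunk also deletes the blank line that separated `syscall = UPT_SYSCALL_NR(r);` from the `if (syscall >= 0 && syscall <= __NR_syscall_max)` check. That whitespace change is unrelated to the fix and could be left out to keep the diff minimal.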
diff --git a/arch/x86/um/ptrace_32.c b/arch/x86/um/ptrace_32.c
index ebd4dd6ef73b..a7ef7b131e25 100644
--- a/arch/x86/um/ptrace_32.c
+++ b/arch/x86/um/ptrace_32.c
@@ -84,7 +84,10 @@ int putreg(struct task_struct *child, int regno, unsigned long value)
case EAX:
case EIP:
case UESP:
+ break;
case ORIG_EAX:
+ /* Update the syscall number. */
+ UPT_SYSCALL_NR(&child->thread.regs.regs) = value;
break;
case FS:
if (value && (value & 3) != 3)
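Review bot: `UPT_SYSCALL_NR(&child->thread.regs.regs) = value;` stores the tracer-supplied `unsigned long value` with no range check at the point of the write. The only bound visible in this series is `syscall >= 0 && syscall <= __NR_syscall_max` in handle_syscall(), so the changelog should say that out-of-range numbers are meant to be rejected there rather than in `putreg()`.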
diff --git a/arch/x86/um/ptrace_64.c b/arch/x86/um/ptrace_64.c
index faab418876ce..0b5c184dd5b3 100644
--- a/arch/x86/um/ptrace_64.c
+++ b/arch/x86/um/ptrace_64.c
@@ -78,7 +78,11 @@ int putreg(struct task_struct *child, int regno, unsigned long value)
case RSI:
case RDI:
case RBP:
+ break;
+
case ORIG_RAX:
+ /* Update the syscall number. */
+ UPT_SYSCALL_NR(&child->thread.regs.regs) = value;
break;
case FS:
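Review bot: the `case ORIG_RAX:` body added here is the same two lines as the `case ORIG_EAX:` body in ptrace_32.c, so the rule that a register write must also update `UPT_SYSCALL_NR` is now encoded twice. A comment in each file naming the other, or a small shared helper, would keep the two from drifting apart.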
--
2.8.1
* [PATCH v2 3/3] seccomp: Remove 2-phase API documentation
2016-08-01 21:01 ` [PATCH v2 " Mickaël Salaün
2016-08-01 21:01 ` [PATCH v2 1/3] um/ptrace: Fix the syscall_trace_leave call Mickaël Salaün
2016-08-01 21:01 ` [PATCH v2 2/3] um/ptrace: Fix the syscall number update after a ptrace Mickaël Salaün
@ 2016-08-01 21:01 ` Mickaël Salaün
2016-08-09 0:35 ` [PATCH v2 0/3] Fix seccomp for UM (next) James Morris
3 siblings, 0 replies; 13+ messages in thread
From: Mickaël Salaün @ 2016-08-01 21:01 UTC (permalink / raw)
To: linux-kernel
Cc: Mickaël Salaün, Kees Cook, Jeff Dike,
Richard Weinberger, James Morris, Olof Johansson,
user-mode-linux-devel, linux-security-module, Andy Lutomirski
Fixes: 8112c4f140fa ("seccomp: remove 2-phase API")
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: James Morris <jmorris@namei.org>
---
arch/Kconfig | 11 -----------
1 file changed, 11 deletions(-)
diff --git a/arch/Kconfig b/arch/Kconfig
index d794384a0404..96e434638767 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -336,17 +336,6 @@ config HAVE_ARCH_SECCOMP_FILTER
results in the system call being skipped immediately.
- seccomp syscall wired up
- For best performance, an arch should use seccomp_phase1 and
- seccomp_phase2 directly. It should call seccomp_phase1 for all
- syscalls if TIF_SECCOMP is set, but seccomp_phase1 does not
- need to be called from a ptrace-safe context. It must then
- call seccomp_phase2 if seccomp_phase1 returns anything other
- than SECCOMP_PHASE1_OK or SECCOMP_PHASE1_SKIP.
-
- As an additional optimization, an arch may provide seccomp_data
- directly to seccomp_phase1; this avoids multiple calls
- to the syscall_xyz helpers for every syscall.
-
config SECCOMP_FILTER
def_bool y
depends on HAVE_ARCH_SECCOMP_FILTER && SECCOMP && NET
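Review bot: after this removal the help text of HAVE_ARCH_SECCOMP_FILTER ends at the `- seccomp syscall wired up` bullet and says nothing about ordering against ptrace. Since the cover letter describes seccomp as now running after ptrace, a sentence stating that requirement for arch maintainers would replace the guidance being deleted.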
--
2.8.1
* Re: [PATCH v2 0/3] Fix seccomp for UM (next)
2016-08-01 21:01 ` [PATCH v2 " Mickaël Salaün
` (2 preceding siblings ...)
2016-08-01 21:01 ` [PATCH v2 3/3] seccomp: Remove 2-phase API documentation Mickaël Salaün
@ 2016-08-09 0:35 ` James Morris
2016-09-06 20:31 ` [PATCH v2 0/3] Fix seccomp for UM Mickaël Salaün
3 siblings, 1 reply; 13+ messages in thread
From: James Morris @ 2016-08-09 0:35 UTC (permalink / raw)
To: Mickaël Salaün
Cc: linux-kernel, Kees Cook, Jeff Dike, Richard Weinberger,
Olof Johansson, user-mode-linux-devel, linux-security-module
On Mon, 1 Aug 2016, Mickaël Salaün wrote:
> Hi,
>
> This series fixes the recent seccomp update for the User-mode Linux architecture
> (32-bit and 64-bit) since commit 26703c636c1f ("um/ptrace: run seccomp after
> ptrace") which closes the hole where ptrace can change a syscall out from under
> seccomp.
>
> Changes since v1:
> * fix commit message typo [2/3]
> * add Kees Cook's Acked-by
> * rebased on commit 7616ac70d1bb ("apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT
> parameter handling")
All applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next
--
James Morris
<jmorris@namei.org>
* Re: [PATCH v2 0/3] Fix seccomp for UM
2016-08-09 0:35 ` [PATCH v2 0/3] Fix seccomp for UM (next) James Morris
@ 2016-09-06 20:31 ` Mickaël Salaün
0 siblings, 0 replies; 13+ messages in thread
From: Mickaël Salaün @ 2016-09-06 20:31 UTC (permalink / raw)
To: James Morris
Cc: linux-kernel, Kees Cook, Jeff Dike, Richard Weinberger,
Olof Johansson, user-mode-linux-devel, linux-security-module,
Mimi Zohar
Hi,
It seems that some of the fixes from linux-security have landed in
Linus' tree but some seccomp fixes are still missing. They fix bugs
introduced in Linux v4.8 and are still present in v4.8-rc5. Could you
please push this series before the final 4.8 release?
Regards,
Mickaël
On 09/08/2016 02:35, James Morris wrote:
> On Mon, 1 Aug 2016, Mickaël Salaün wrote:
>
>> Hi,
>>
>> This series fixes the recent seccomp update for the User-mode Linux architecture
>> (32-bit and 64-bit) since commit 26703c636c1f ("um/ptrace: run seccomp after
>> ptrace") which closes the hole where ptrace can change a syscall out from under
>> seccomp.
>>
>> Changes since v1:
>> * fix commit message typo [2/3]
>> * add Kees Cook's Acked-by
>> * rebased on commit 7616ac70d1bb ("apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT
>> parameter handling")
>
> All applied to
> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next
>
>
>