From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org,
"Andy Lutomirski" <luto@amacapital.net>,
"Oleg Nesterov" <oleg@redhat.com>,
"Kees Cook" <keescook@chromium.org>
Subject: [PATCH 3.16 57/63] seccomp: add "seccomp" syscall
Date: Sat, 22 Sep 2018 01:15:42 +0100 [thread overview]
Message-ID: <lsq.1537575342.25773851@decadent.org.uk> (raw)
In-Reply-To: <lsq.1537575341.194909669@decadent.org.uk>
3.16.58-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
commit 48dc92b9fc3926844257316e75ba11eb5c742b2c upstream.
This adds the new "seccomp" syscall with both an "operation" and "flags"
parameter for future expansion. The third argument is a pointer value,
used with the SECCOMP_SET_MODE_FILTER operation. Currently, flags must
be 0. This is functionally equivalent to prctl(PR_SET_SECCOMP, ...).
In addition to the TSYNC flag later in this patch series, there is a
non-zero chance that this syscall could be used for configuring a fixed
argument area for seccomp-tracer-aware processes to pass syscall arguments
in the future. Hence, the use of "seccomp" not simply "seccomp_add_filter"
for this syscall. Additionally, this syscall uses operation, flags,
and user pointer for arguments because strictly passing arguments via
a user pointer would mean seccomp itself would be unable to trivially
filter the seccomp syscall itself.
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/Kconfig | 1 +
arch/x86/syscalls/syscall_32.tbl | 1 +
arch/x86/syscalls/syscall_64.tbl | 1 +
include/linux/syscalls.h | 2 ++
include/uapi/asm-generic/unistd.h | 4 ++-
include/uapi/linux/seccomp.h | 4 +++
kernel/seccomp.c | 55 ++++++++++++++++++++++++++++---
kernel/sys_ni.c | 3 ++
8 files changed, 65 insertions(+), 6 deletions(-)
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -321,6 +321,7 @@ config HAVE_ARCH_SECCOMP_FILTER
- secure_computing is called from a ptrace_event()-safe context
- secure_computing return value is checked and a return value of -1
results in the system call being skipped immediately.
+ - seccomp syscall wired up
config SECCOMP_FILTER
def_bool y
--- a/arch/x86/syscalls/syscall_32.tbl
+++ b/arch/x86/syscalls/syscall_32.tbl
@@ -360,3 +360,4 @@
351 i386 sched_setattr sys_sched_setattr
352 i386 sched_getattr sys_sched_getattr
353 i386 renameat2 sys_renameat2
+354 i386 seccomp sys_seccomp
--- a/arch/x86/syscalls/syscall_64.tbl
+++ b/arch/x86/syscalls/syscall_64.tbl
@@ -323,6 +323,7 @@
314 common sched_setattr sys_sched_setattr
315 common sched_getattr sys_sched_getattr
316 common renameat2 sys_renameat2
+317 common seccomp sys_seccomp
#
# x32-specific system call numbers start at 512 to avoid cache impact
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -866,4 +866,6 @@ asmlinkage long sys_process_vm_writev(pi
asmlinkage long sys_kcmp(pid_t pid1, pid_t pid2, int type,
unsigned long idx1, unsigned long idx2);
asmlinkage long sys_finit_module(int fd, const char __user *uargs, int flags);
+asmlinkage long sys_seccomp(unsigned int op, unsigned int flags,
+ const char __user *uargs);
#endif
--- a/include/uapi/asm-generic/unistd.h
+++ b/include/uapi/asm-generic/unistd.h
@@ -699,9 +699,11 @@ __SYSCALL(__NR_sched_setattr, sys_sched_
__SYSCALL(__NR_sched_getattr, sys_sched_getattr)
#define __NR_renameat2 276
__SYSCALL(__NR_renameat2, sys_renameat2)
+#define __NR_seccomp 277
+__SYSCALL(__NR_seccomp, sys_seccomp)
#undef __NR_syscalls
-#define __NR_syscalls 277
+#define __NR_syscalls 278
/*
* All syscalls below here should go away really,
--- a/include/uapi/linux/seccomp.h
+++ b/include/uapi/linux/seccomp.h
@@ -10,6 +10,10 @@
#define SECCOMP_MODE_STRICT 1 /* uses hard-coded filter. */
#define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */
+/* Valid operations for seccomp syscall. */
+#define SECCOMP_SET_MODE_STRICT 0
+#define SECCOMP_SET_MODE_FILTER 1
+
/*
* All BPF programs must return a 32-bit value.
* The bottom 16-bits are for optional return data.
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -18,6 +18,7 @@
#include <linux/compat.h>
#include <linux/sched.h>
#include <linux/seccomp.h>
+#include <linux/syscalls.h>
/* #define SECCOMP_DEBUG 1 */
@@ -314,7 +315,7 @@ free_prog:
*
* Returns 0 on success and non-zero otherwise.
*/
-static long seccomp_attach_user_filter(char __user *user_filter)
+static long seccomp_attach_user_filter(const char __user *user_filter)
{
struct sock_fprog fprog;
long ret = -EFAULT;
@@ -517,6 +518,7 @@ out:
#ifdef CONFIG_SECCOMP_FILTER
/**
* seccomp_set_mode_filter: internal function for setting seccomp filter
+ * @flags: flags to change filter behavior
* @filter: struct sock_fprog containing filter
*
* This function may be called repeatedly to install additional filters.
@@ -527,11 +529,16 @@ out:
*
* Returns 0 on success or -EINVAL on failure.
*/
-static long seccomp_set_mode_filter(char __user *filter)
+static long seccomp_set_mode_filter(unsigned int flags,
+ const char __user *filter)
{
const unsigned long seccomp_mode = SECCOMP_MODE_FILTER;
long ret = -EINVAL;
+ /* Validate flags. */
+ if (flags != 0)
+ goto out;
+
if (!seccomp_may_assign_mode(seccomp_mode))
goto out;
@@ -544,12 +551,35 @@ out:
return ret;
}
#else
-static inline long seccomp_set_mode_filter(char __user *filter)
+static inline long seccomp_set_mode_filter(unsigned int flags,
+ const char __user *filter)
{
return -EINVAL;
}
#endif
+/* Common entry point for both prctl and syscall. */
+static long do_seccomp(unsigned int op, unsigned int flags,
+ const char __user *uargs)
+{
+ switch (op) {
+ case SECCOMP_SET_MODE_STRICT:
+ if (flags != 0 || uargs != NULL)
+ return -EINVAL;
+ return seccomp_set_mode_strict();
+ case SECCOMP_SET_MODE_FILTER:
+ return seccomp_set_mode_filter(flags, uargs);
+ default:
+ return -EINVAL;
+ }
+}
+
+SYSCALL_DEFINE3(seccomp, unsigned int, op, unsigned int, flags,
+ const char __user *, uargs)
+{
+ return do_seccomp(op, flags, uargs);
+}
+
/**
* prctl_set_seccomp: configures current->seccomp.mode
* @seccomp_mode: requested mode to use
@@ -559,12 +589,27 @@ static inline long seccomp_set_mode_filt
*/
long prctl_set_seccomp(unsigned long seccomp_mode, char __user *filter)
{
+ unsigned int op;
+ char __user *uargs;
+
switch (seccomp_mode) {
case SECCOMP_MODE_STRICT:
- return seccomp_set_mode_strict();
+ op = SECCOMP_SET_MODE_STRICT;
+ /*
+ * Setting strict mode through prctl always ignored filter,
+ * so make sure it is always NULL here to pass the internal
+ * check in do_seccomp().
+ */
+ uargs = NULL;
+ break;
case SECCOMP_MODE_FILTER:
- return seccomp_set_mode_filter(filter);
+ op = SECCOMP_SET_MODE_FILTER;
+ uargs = filter;
+ break;
default:
return -EINVAL;
}
+
+ /* prctl interface doesn't have flags, so they are always zero. */
+ return do_seccomp(op, 0, uargs);
}
--- a/kernel/sys_ni.c
+++ b/kernel/sys_ni.c
@@ -213,3 +213,6 @@ cond_syscall(compat_sys_open_by_handle_a
/* compare kernel pointers */
cond_syscall(sys_kcmp);
+
+/* operate on Secure Computing state */
+cond_syscall(sys_seccomp);
next prev parent reply other threads:[~2018-09-22 0:25 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-22 0:15 [PATCH 3.16 00/63] 3.16.58-rc1 review Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 51/63] xfs: catch inode allocation state mismatch corruption Ben Hutchings
2018-09-22 5:25 ` Dave Chinner
2018-09-22 20:57 ` Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 07/63] usbip: usbip_host: refine probe and disconnect debug msgs to be useful Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 41/63] USB: yurex: fix out-of-bounds uaccess in read handler Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 54/63] seccomp: create internal mode-setting function Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 45/63] x86/paravirt: Fix spectre-v2 mitigations for paravirt guests Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 36/63] jbd2: don't mark block as modified if the handle is out of credits Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 18/63] sr: pass down correctly sized SCSI sense buffer Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 06/63] usbip: usbip_host: fix to hold parent lock for device_attach() calls Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 29/63] ext4: make sure bitmaps and the inode table don't overlap with bg descriptors Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 63/63] mm: get rid of vmacache_flush_all() entirely Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 26/63] ext4: verify the depth of extent tree in ext4_find_extent() Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 38/63] Fix up non-directory creation in SGID directories Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 56/63] seccomp: split mode setting routines Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 13/63] futex: Remove unnecessary warning from get_futex_key Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 21/63] Bluetooth: hidp: buffer overflow in hidp_process_report Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 32/63] ext4: always verify the magic number in xattr blocks Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 23/63] xfs: set format back to extents if xfs_bmap_extents_to_btree Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 08/63] usbip: usbip_host: delete device from busid_table after rebind Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 60/63] x86/cpu/AMD: Fix erratum 1076 (CPB bit) Ben Hutchings
2018-09-22 0:15 ` Ben Hutchings [this message]
2018-09-22 0:15 ` [PATCH 3.16 20/63] scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() Ben Hutchings
2018-09-22 0:19 ` syzbot
2018-09-22 0:15 ` [PATCH 3.16 04/63] net: Set sk_prot_creator when cloning sockets to the right proto Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 33/63] ext4: never move the system.data xattr out of the inode body Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 55/63] seccomp: extract check/assign mode helpers Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 16/63] KVM: x86: pass kvm_vcpu to kvm_read_guest_virt and kvm_write_guest_virt_system Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 35/63] ext4: add more inode number paranoia checks Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 42/63] ALSA: rawmidi: Change resized buffers atomically Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 27/63] ext4: always check block group bounds in ext4_init_block_bitmap() Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 25/63] ext4: fix check to prevent initializing reserved inodes Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 14/63] KVM: x86: Emulator ignores LDTR/TR extended base on LLDT/LTR Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 15/63] KVM: x86: introduce linear_{read,write}_system Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 61/63] x86/cpu/intel: Add Knights Mill to Intel family Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 40/63] infiniband: fix a possible use-after-free bug Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 09/63] usbip: usbip_host: run rebind from exit when module is removed Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 11/63] usbip: usbip_host: fix bad unlock balance during stub_probe() Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 12/63] futex: Remove requirement for lock_page() in get_futex_key() Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 30/63] ext4: fix false negatives *and* false positives in ext4_check_descriptors() Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 37/63] ext4: avoid running out of journal credits when appending to an inline file Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 47/63] uas: replace WARN_ON_ONCE() with lockdep_assert_held() Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 44/63] x86/speculation: Protect against userspace-userspace spectreRSB Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 49/63] btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 24/63] ext4: only look at the bg_flags field if it is valid Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 53/63] xfs: don't call xfs_da_shrink_inode with NULL bp Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 17/63] kvm: x86: use correct privilege level for sgdt/sidt/fxsave/fxrstor access Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 43/63] x86/speculation: Clean up various Spectre related details Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 52/63] xfs: validate cached inodes are free when allocated Ben Hutchings
2018-09-22 5:26 ` Dave Chinner
2018-09-22 20:57 ` Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 48/63] video: uvesafb: Fix integer overflow in allocation Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 19/63] jfs: Fix inconsistency between memory allocation and ea_buf->max_size Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 22/63] scsi: libsas: defer ata device eh commands to libata Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 05/63] usbip: fix error handling in stub_probe() Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 10/63] usbip: usbip_host: fix NULL-ptr deref and use-after-free errors Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 46/63] cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 28/63] ext4: don't allow r/w mounts if metadata blocks overlap the superblock Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 03/63] Revert "vti4: Don't override MTU passed on link creation via IFLA_MTU" Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 34/63] ext4: clear i_data in ext4_inode_info when removing inline data Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 01/63] x86/fpu: Fix the 'nofxsr' boot parameter to also clear X86_FEATURE_FXSR_OPT Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 02/63] x86/fpu: Default eagerfpu if FPU and FXSR are enabled Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 58/63] x86/process: Optimize TIF checks in __switch_to_xtra() Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 31/63] ext4: add corruption check in ext4_xattr_set_entry() Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 39/63] x86/entry/64: Remove %ebx handling from error_entry/exit Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 59/63] x86/process: Correct and optimize TIF_BLOCKSTEP switch Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 50/63] hfsplus: fix NULL dereference in hfsplus_lookup() Ben Hutchings
2018-09-22 0:15 ` [PATCH 3.16 62/63] KVM: x86: introduce num_emulated_msrs Ben Hutchings
2018-09-22 12:28 ` [PATCH 3.16 00/63] 3.16.58-rc1 review Guenter Roeck
2018-09-22 21:03 ` Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=lsq.1537575342.25773851@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=oleg@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).