From: Palmer Dabbelt <palmer@sifive.com>
To: david.abdurachmanov@gmail.com
Cc: linux-riscv@lists.infradead.org, aou@eecs.berkeley.edu,
paul@paul-moore.com, eparis@redhat.com, keescook@chromium.org,
luto@amacapital.net, wad@chromium.org,
Wesley Terpstra <wesley@sifive.com>,
dhowells@redhat.com, tglx@linutronix.de, pombredanne@nexb.com,
Greg KH <gregkh@linuxfoundation.org>,
kstewart@linuxfoundation.org, linux-kernel@vger.kernel.org,
linux-audit@redhat.com
Subject: Re: [PATCH 2/2] RISC-V: Add support for SECCOMP
Date: Fri, 26 Oct 2018 23:07:11 -0700 (PDT) [thread overview]
Message-ID: <mhng-4bae5431-dfdc-4376-9f7a-6c75b91c1eaa@palmer-mbp2014> (raw)
In-Reply-To: <CAEn-LTovzRncSKCGv8wUTL6FkzcC+Hw1EBGe+Rc4GQyEgcK1uA@mail.gmail.com>
On Thu, 25 Oct 2018 11:31:30 PDT (-0700), david.abdurachmanov@gmail.com wrote:
> On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>>
>> From: "Wesley W. Terpstra" <wesley@sifive.com>
>>
>> This is a fairly straight-forward implementation of seccomp for RISC-V
>> systems.
>>
>> Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
>> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
>> ---
>> arch/riscv/Kconfig | 18 ++++++++++++++++++
>> arch/riscv/include/asm/seccomp.h | 10 ++++++++++
>> arch/riscv/include/asm/syscall.h | 6 ++++++
>> arch/riscv/include/asm/thread_info.h | 1 +
>> include/uapi/linux/audit.h | 1 +
>> 5 files changed, 36 insertions(+)
>> create mode 100644 arch/riscv/include/asm/seccomp.h
>>
>> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
>> index a344980287a5..28abe47602a1 100644
>> --- a/arch/riscv/Kconfig
>> +++ b/arch/riscv/Kconfig
>> @@ -28,6 +28,7 @@ config RISCV
>> select GENERIC_STRNLEN_USER
>> select GENERIC_SMP_IDLE_THREAD
>> select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
>> + select HAVE_ARCH_SECCOMP_FILTER
>> select HAVE_MEMBLOCK
>> select HAVE_MEMBLOCK_NODE_MAP
>> select HAVE_DMA_CONTIGUOUS
>> @@ -214,6 +215,22 @@ menu "Kernel type"
>>
>> source "kernel/Kconfig.hz"
>>
>> +config SECCOMP
>> + bool "Enable seccomp to safely compute untrusted bytecode"
>> +
>> + help
>> + This kernel feature is useful for number crunching applications
>> + that may need to compute untrusted bytecode during their
>> + execution. By using pipes or other transports made available to
>> + the process as file descriptors supporting the read/write
>> + syscalls, it's possible to isolate those applications in
>> + their own address space using seccomp. Once seccomp is
>> + enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
>> + and the task is only allowed to execute a few safe syscalls
>> + defined by each seccomp mode.
>> +
>> + If unsure, say Y. Only embedded should say N here.
>> +
>> endmenu
>>
>> menu "Bus support"
>> @@ -243,3 +260,4 @@ menu "Power management options"
>> source kernel/power/Kconfig
>>
>> endmenu
>> +
>> diff --git a/arch/riscv/include/asm/seccomp.h b/arch/riscv/include/asm/seccomp.h
>> new file mode 100644
>> index 000000000000..c1b4407f1038
>> --- /dev/null
>> +++ b/arch/riscv/include/asm/seccomp.h
>> @@ -0,0 +1,10 @@
>> +/* Copyright 2018 SiFive, Inc. */
>> +/* SPDX-License-Identifier: GPL-2.0 */
>> +#ifndef _ASM_RISCV_SECCOMP_H
>> +#define _ASM_RISCV_SECCOMP_H
>> +
>> +#include <asm/unistd.h>
>> +
>> +#include <asm-generic/seccomp.h>
>> +
>> +#endif /* _ASM_RISCV_SECCOMP_H */
>> diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
>> index 8d25f8904c00..d24f774f39df 100644
>> --- a/arch/riscv/include/asm/syscall.h
>> +++ b/arch/riscv/include/asm/syscall.h
>> @@ -19,6 +19,7 @@
>> #define _ASM_RISCV_SYSCALL_H
>>
>> #include <linux/sched.h>
>> +#include <uapi/linux/audit.h>
>> #include <linux/err.h>
>>
>> /* The array of function pointers for syscalls. */
>> @@ -99,4 +100,9 @@ static inline void syscall_set_arguments(struct task_struct *task,
>> memcpy(®s->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
>> }
>>
>> +static inline int syscall_get_arch(void)
>> +{
>> + return AUDIT_ARCH_RISCV;
>> +}
>> +
>> #endif /* _ASM_RISCV_SYSCALL_H */
>> diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h
>> index f8fa1cd2dad9..374973dc05c6 100644
>> --- a/arch/riscv/include/asm/thread_info.h
>> +++ b/arch/riscv/include/asm/thread_info.h
>> @@ -80,6 +80,7 @@ struct thread_info {
>> #define TIF_RESTORE_SIGMASK 4 /* restore signal mask in do_signal() */
>> #define TIF_MEMDIE 5 /* is terminating due to OOM killer */
>> #define TIF_SYSCALL_TRACEPOINT 6 /* syscall tracepoint instrumentation */
>> +#define TIF_SECCOMP 7 /* seccomp syscall filtering active */
>>
>> #define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
>> #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME)
>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>> index 818ae690ab79..c16fa1a76659 100644
>> --- a/include/uapi/linux/audit.h
>> +++ b/include/uapi/linux/audit.h
>> @@ -399,6 +399,7 @@ enum {
>> /* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
>> #define AUDIT_ARCH_PPC64 (EM_PPC64|__AUDIT_ARCH_64BIT)
>> #define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>> +#define AUDIT_ARCH_RISCV (EM_RISCV)
>> #define AUDIT_ARCH_S390 (EM_S390)
>> #define AUDIT_ARCH_S390X (EM_S390|__AUDIT_ARCH_64BIT)
>> #define AUDIT_ARCH_SH (EM_SH)
>
> Palmer,
>
> Half of the patch seems to touch audit parts. I started working on audit
> support this morning, and I can boot Fedora with audit traces.
>
> [root@fedora-riscv ~]# dmesg | grep audit
> [ 0.312000] audit: initializing netlink subsys (disabled)
> [ 0.316000] audit: type=2000 audit(0.316:1): state=initialized
> audit_enabled=0 res=1
> [ 7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> terminal=? res=success'
> [ 7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> res=success'
> [..]
>
> I am still working on audit user-space support for better testing.
>
> I suggest we first implement audit and then seccomp.
Works for me. I'll drop my patch set for now.
Thanks!
next prev parent reply other threads:[~2018-10-27 6:07 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAEn-LTqbEmWovu4t7Rs4C211+GRRU4V3B=+WmW0SOhX_b8db5Q@mail.gmail.com>
2018-10-24 20:40 ` [PATCH 0/2] RISC-V: Add support for SECCOMP Palmer Dabbelt
2018-10-24 20:40 ` [PATCH 1/2] Move EM_RISCV into elf-em.h Palmer Dabbelt
2018-10-24 21:26 ` Kees Cook
2018-10-27 7:46 ` Christoph Hellwig
2018-10-27 9:10 ` David Abdurachmanov
2018-10-24 20:40 ` [PATCH 2/2] RISC-V: Add support for SECCOMP Palmer Dabbelt
2018-10-24 21:42 ` Kees Cook
2018-10-24 22:34 ` Kees Cook
2018-10-25 21:02 ` Andy Lutomirski
2018-10-27 6:07 ` Palmer Dabbelt
2018-10-25 18:31 ` David Abdurachmanov
2018-10-25 20:36 ` Paul Moore
2018-10-28 11:07 ` David Abdurachmanov
2018-10-29 20:27 ` Palmer Dabbelt
2018-11-02 13:32 ` David Abdurachmanov
2018-11-02 15:51 ` Kees Cook
2018-10-27 6:07 ` Palmer Dabbelt [this message]
2018-10-27 7:55 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=mhng-4bae5431-dfdc-4376-9f7a-6c75b91c1eaa@palmer-mbp2014 \
--to=palmer@sifive.com \
--cc=aou@eecs.berkeley.edu \
--cc=david.abdurachmanov@gmail.com \
--cc=dhowells@redhat.com \
--cc=eparis@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=keescook@chromium.org \
--cc=kstewart@linuxfoundation.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=luto@amacapital.net \
--cc=paul@paul-moore.com \
--cc=pombredanne@nexb.com \
--cc=tglx@linutronix.de \
--cc=wad@chromium.org \
--cc=wesley@sifive.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).