From: "Mickaël Salaün" <mic@digikod.net>
To: linux-kernel@vger.kernel.org
Cc: "Mickaël Salaün" <mic@digikod.net>,
"Jeff Dike" <jdike@addtoit.com>,
"Richard Weinberger" <richard@nod.at>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Ingo Molnar" <mingo@redhat.com>,
"H . Peter Anvin" <hpa@zytor.com>,
x86@kernel.org, "Kees Cook" <keescook@chromium.org>,
"Andy Lutomirski" <luto@amacapital.net>,
"Will Drewry" <wad@chromium.org>,
"Shuah Khan" <shuahkh@osg.samsung.com>,
"Chris Metcalf" <cmetcalf@ezchip.com>,
"Michael Ellerman" <mpe@ellerman.id.au>,
"Andrew Morton" <akpm@linux-foundation.org>,
"James Hogan" <james.hogan@imgtec.com>,
"Thomas Meyer" <thomas@m3y3r.de>,
"Nicolas Iooss" <nicolas.iooss_linux@m4x.org>,
"Anton Ivanov" <aivanov@brocade.com>,
user-mode-linux-devel@lists.sourceforge.net,
"Meredydd Luff" <meredydd@senatehouse.org>,
"David Drysdale" <drysdale@google.com>
Subject: [PATCH v3 4/4] um: Add seccomp support
Date: Tue, 29 Dec 2015 21:35:47 +0100
Message-ID: <1451421347-9468-5-git-send-email-mic@digikod.net>
In-Reply-To: <1451421347-9468-1-git-send-email-mic@digikod.net>
This brings SECCOMP_MODE_STRICT and SECCOMP_MODE_FILTER support through
prctl(2) and seccomp(2) to User-mode Linux for i386 and x86_64
subarchitectures.

secure_computing() is called first in handle_syscall() so that the
syscall emulation will be aborted quickly if matching a seccomp rule.

This is inspired by Meredydd Luff's patch
(https://gerrit.chromium.org/gerrit/21425).
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Meredydd Luff <meredydd@senatehouse.org>
Cc: David Drysdale <drysdale@google.com>
---
.../features/seccomp/seccomp-filter/arch-support.txt | 2 +-
arch/um/Kconfig.common | 1 +
arch/um/Kconfig.um | 16 ++++++++++++++++
arch/um/include/asm/thread_info.h | 2 ++
arch/um/kernel/skas/syscall.c | 5 +++++
5 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/Documentation/features/seccomp/seccomp-filter/arch-support.txt b/Documentation/features/seccomp/seccomp-filter/arch-support.txt
index 76d39d66a5d7..4f66ec133951 100644
--- a/Documentation/features/seccomp/seccomp-filter/arch-support.txt
+++ b/Documentation/features/seccomp/seccomp-filter/arch-support.txt
@@ -33,7 +33,7 @@
| sh: | TODO |
| sparc: | TODO |
| tile: | ok |
- | um: | TODO |
+ | um: | ok |
| unicore32: | TODO |
| x86: | ok |
| xtensa: | TODO |
diff --git a/arch/um/Kconfig.common b/arch/um/Kconfig.common
index d195a87ca542..cc0013475444 100644
--- a/arch/um/Kconfig.common
+++ b/arch/um/Kconfig.common
@@ -2,6 +2,7 @@ config UML
bool
default y
select HAVE_ARCH_AUDITSYSCALL
+ select HAVE_ARCH_SECCOMP_FILTER
select HAVE_UID16
select HAVE_FUTEX_CMPXCHG if FUTEX
select GENERIC_IRQ_SHOW
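Review bot: selecting HAVE_ARCH_SECCOMP_FILTER here commits the architecture to the contract that symbol carries in arch/Kconfig: the asm/syscall.h accessors (syscall_get_nr(), syscall_get_arch(), syscall_set_return_value() and friends) must exist, and the syscall entry path must skip the syscall when secure_computing() returns -1. The arch/um/kernel/skas/syscall.c hunk in this patch covers the second part, and the asm/syscall.h side comes from the earlier patch in this series that adds full asm/syscall.h support; stating that dependency in the commit message would make it clear that this patch must not be applied on its own.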
diff --git a/arch/um/Kconfig.um b/arch/um/Kconfig.um
index 28a9885e3a37..4b2ed5858b2e 100644
--- a/arch/um/Kconfig.um
+++ b/arch/um/Kconfig.um
@@ -104,3 +104,19 @@ config PGTABLE_LEVELS
int
default 3 if 3_LEVEL_PGTABLES
default 2
+
+config SECCOMP
+ def_bool y
+ prompt "Enable seccomp to safely compute untrusted bytecode"
+ ---help---
+ This kernel feature is useful for number crunching applications
+ that may need to compute untrusted bytecode during their
+ execution. By using pipes or other transports made available to
+ the process as file descriptors supporting the read/write
+ syscalls, it's possible to isolate those applications in
+ their own address space using seccomp. Once seccomp is
+ enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
+ and the task is only allowed to execute a few safe syscalls
+ defined by each seccomp mode.
+
+ If unsure, say Y.
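Review bot: the help text describes only strict mode (a task restricted to a few safe read/write syscalls) and mentions only prctl(PR_SET_SECCOMP), while the commit message says this patch also brings SECCOMP_MODE_FILTER and seccomp(2). Either extend the help with a sentence on filter mode, or note in the commit message that this wording is the stock text shared with the other architectures' SECCOMP entries, so a reader does not take it as describing the scope of UML's support.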
diff --git a/arch/um/include/asm/thread_info.h b/arch/um/include/asm/thread_info.h
index 53968aaf76f9..053baff03674 100644
--- a/arch/um/include/asm/thread_info.h
+++ b/arch/um/include/asm/thread_info.h
@@ -62,11 +62,13 @@ static inline struct thread_info *current_thread_info(void)
#define TIF_SYSCALL_AUDIT 6
#define TIF_RESTORE_SIGMASK 7
#define TIF_NOTIFY_RESUME 8
+#define TIF_SECCOMP 9 /* secure computing */
#define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
#define _TIF_SIGPENDING (1 << TIF_SIGPENDING)
#define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
#define _TIF_MEMDIE (1 << TIF_MEMDIE)
#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
+#define _TIF_SECCOMP (1 << TIF_SECCOMP)
#endif
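Review bot: `_TIF_SECCOMP` is defined but not added to any work mask in this hunk, and the syscall.c hunk calls secure_computing() unconditionally rather than testing the flag, so the mask macro is unused within this patch. That is fine because secure_computing() checks TIF_SECCOMP itself before doing any work and the core seccomp code sets the flag on the task, but a short comment on the `#define TIF_SECCOMP 9` line saying the flag exists for the core code and not for a UML entry-work mask would stop reviewers from looking for a missing mask update.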
diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c
index 6cadce761bcf..48b0dcbd87be 100644
--- a/arch/um/kernel/skas/syscall.c
+++ b/arch/um/kernel/skas/syscall.c
@@ -5,6 +5,7 @@
#include <linux/kernel.h>
#include <linux/ptrace.h>
+#include <linux/seccomp.h>
#include <kern_util.h>
#include <sysdep/ptrace.h>
#include <sysdep/ptrace_user.h>
@@ -19,6 +20,10 @@ void handle_syscall(struct uml_pt_regs *r)
UPT_SYSCALL_NR(r) = PT_SYSCALL_NR(r->gp);
PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS);
+ /* Do the secure computing check first; failures should be fast. */
+ if (secure_computing() == -1)
+ return;
+
if (syscall_trace_enter(regs))
goto out;
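Review bot: the new early `return` on `secure_computing() == -1` leaves handle_syscall() without going through the `out:` label that the existing `if (syscall_trace_enter(regs)) goto out;` uses, so whatever runs at `out:` (syscall exit tracing or audit, not visible in this hunk) is bypassed for a seccomp-denied syscall. If that is intentional, say so in the comment above the call; otherwise `goto out` would keep the two early-exit paths consistent. It is also worth a comment that the `PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS)` just above is the default that a filter returning an errno overrides via syscall_set_return_value(), which is why the seccomp check must come after it and before syscall_trace_enter().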
--
2.6.4