Commit
70c70d97
authored
Aug 26, 2010
by
Nicolas Pitre
ARM: SECCOMP support
Signed-off-by:
Nicolas Pitre
<
nicolas.pitre@linaro.org
>
parent
087aaffc
Showing
4 changed files
with
40 additions
and
2 deletions
+40
-2
arch/arm/Kconfig
arch/arm/Kconfig
+14
-0
arch/arm/include/asm/seccomp.h
arch/arm/include/asm/seccomp.h
+11
-0
arch/arm/include/asm/thread_info.h
arch/arm/include/asm/thread_info.h
+2
-0
arch/arm/kernel/entry-common.S
arch/arm/kernel/entry-common.S
+13
-2
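--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -1463,6 +1463,20 @@ config UACCESS_WITH_MEMCPY
 However, if the CPU data cache is using a write-allocate mode,
 this option is unlikely to provide any performance gain.
+config SECCOMP
+bool
+prompt "Enable seccomp to safely compute untrusted bytecode"
+---help---
+This kernel feature is useful for number crunching applications
+that may need to compute untrusted bytecode during their
+execution. By using pipes or other transports made available to
+the process as file descriptors supporting the read/write
+syscalls, it's possible to isolate those applications in
+their own address space using seccomp. Once seccomp is
+enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
+and the task is only allowed to execute a few safe syscalls
+defined by each seccomp mode.
 config CC_STACKPROTECTOR
 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
 help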
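Review bot: The help text for `config SECCOMP` says the task may run only "a few safe syscalls defined by each seccomp mode" but never names them, so someone enabling the option cannot tell what the sandbox permits. The seccomp.h added in this same commit maps them to read, write, exit and rt_sigreturn; I would add a sentence such as `In the mode wired up here only read, write, exit and rt_sigreturn are permitted.` No `default` or `depends on` line is visible in the entry, so the option appears to be off unless selected and selectable on every ARM configuration; a closing "If unsure, say ..." line would make the intended default explicit.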
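--- /dev/null
+++ b/arch/arm/include/asm/seccomp.h
@@ -0,0 +1,11 @@
+#ifndef _ASM_ARM_SECCOMP_H
+#define _ASM_ARM_SECCOMP_H
+#include <linux/unistd.h>
+#define __NR_seccomp_read __NR_read
+#define __NR_seccomp_write __NR_write
+#define __NR_seccomp_exit __NR_exit
+#define __NR_seccomp_sigreturn __NR_rt_sigreturn
+#endif /* _ASM_ARM_SECCOMP_H */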
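Review bot: `__NR_seccomp_sigreturn` is mapped to `__NR_rt_sigreturn` only, and the header has no comment saying that this is the complete allow-list or why that signal-return variant was chosen. If ARM returns from handlers installed without SA_SIGINFO through plain `sigreturn` (not visible on this page), a task in seccomp mode would be stopped on return from such a handler; that fails closed, but it should be a documented decision. A short comment above the four defines would settle it, e.g. `/* syscalls permitted in seccomp mode 1; signal return is rt_sigreturn only */`.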
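--- a/arch/arm/include/asm/thread_info.h
+++ b/arch/arm/include/asm/thread_info.h
@@ -144,6 +144,7 @@ extern void vfp_flush_hwstate(struct thread_info *);
 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */
 #define TIF_FREEZE 19
 #define TIF_RESTORE_SIGMASK 20
+#define TIF_SECCOMP 21
 #define _TIF_SIGPENDING (1 << TIF_SIGPENDING)
 #define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
@@ -153,6 +154,7 @@ extern void vfp_flush_hwstate(struct thread_info *);
 #define _TIF_USING_IWMMXT (1 << TIF_USING_IWMMXT)
 #define _TIF_FREEZE (1 << TIF_FREEZE)
 #define _TIF_RESTORE_SIGMASK (1 << TIF_RESTORE_SIGMASK)
+#define _TIF_SECCOMP (1 << TIF_SECCOMP)
 /*
  * Change these and you break ASM code in entry-common.S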
arch/arm/kernel/entry-common.S
...
@@ -295,7 +295,6 @@ ENTRY(vector_swi)
...
@@ -295,7 +295,6 @@ ENTRY(vector_swi)
get_thread_info
tsk
get_thread_info
tsk
adr
tbl
,
sys_call_table
@
load
syscall
table
pointer
adr
tbl
,
sys_call_table
@
load
syscall
table
pointer
ldr
ip
,
[
tsk
,
#
TI_FLAGS
]
@
check
for
syscall
tracing
#if defined(CONFIG_OABI_COMPAT)
#if defined(CONFIG_OABI_COMPAT)
/
*
/
*
...
@@ -312,8 +311,20 @@ ENTRY(vector_swi)
...
@@ -312,8 +311,20 @@ ENTRY(vector_swi)
eor
scno
,
scno
,
#
__NR_SYSCALL_BASE
@
check
OS
number
eor
scno
,
scno
,
#
__NR_SYSCALL_BASE
@
check
OS
number
#endif
#endif
ldr
r10
,
[
tsk
,
#
TI_FLAGS
]
@
check
for
syscall
tracing
stmdb
sp
!,
{
r4
,
r5
}
@
push
fifth
and
sixth
args
stmdb
sp
!,
{
r4
,
r5
}
@
push
fifth
and
sixth
args
tst
ip
,
#
_TIF_SYSCALL_TRACE
@
are
we
tracing
syscalls
?
#ifdef CONFIG_SECCOMP
tst
r10
,
#
_TIF_SECCOMP
beq
1
f
mov
r0
,
scno
bl
__secure_computing
add
r0
,
sp
,
#
S_R0
+
S_OFF
@
pointer
to
regs
ldmia
r0
,
{
r0
-
r3
}
@
have
to
reload
r0
-
r3
1
:
#endif
tst
r10
,
#
_TIF_SYSCALL_TRACE
@
are
we
tracing
syscalls
?
bne
__sys_trace
bne
__sys_trace
cmp
scno
,
#
NR_syscalls
@
check
upper
syscall
limit
cmp
scno
,
#
NR_syscalls
@
check
upper
syscall
limit
...
...
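Review bot: The `#ifdef CONFIG_SECCOMP` block runs before the `tst r10, #_TIF_SYSCALL_TRACE` / `bne __sys_trace` pair, so `__secure_computing` is handed the syscall number as it was at entry. If the `__sys_trace` path can substitute a different number before dispatch (that code is outside these hunks), the substituted call would not be checked again; either re-check on that path or record the limitation next to the block, e.g. `@ seccomp checks scno as issued; the trace path is not re-checked`. The `ldr r10` line would also benefit from a remark that r10 replaces ip because the flags word has to survive the `bl __secure_computing`, which presumably is why the register changed. vector_swi begins and ends outside the hunks shown, so the OABI handling of scno before this point could not be reviewed here.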