Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
linux
Commits
fe6c59dc
Commit
fe6c59dc
authored
Jul 20, 2015
by
James Morris
Browse files
Options
Browse Files
Download
Plain Diff
Merge tag 'seccomp-next' of
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
into next
parents
52721d9d
221272f9
Changes
5
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
31 additions
and
8 deletions
+31
-8
include/linux/ptrace.h
include/linux/ptrace.h
+1
-0
include/linux/seccomp.h
include/linux/seccomp.h
+1
-1
include/uapi/linux/ptrace.h
include/uapi/linux/ptrace.h
+4
-2
kernel/ptrace.c
kernel/ptrace.c
+13
-0
kernel/seccomp.c
kernel/seccomp.c
+12
-5
No files found.
include/linux/ptrace.h
View file @
fe6c59dc
...
@@ -34,6 +34,7 @@
...
@@ -34,6 +34,7 @@
#define PT_TRACE_SECCOMP PT_EVENT_FLAG(PTRACE_EVENT_SECCOMP)
#define PT_TRACE_SECCOMP PT_EVENT_FLAG(PTRACE_EVENT_SECCOMP)
#define PT_EXITKILL (PTRACE_O_EXITKILL << PT_OPT_FLAG_SHIFT)
#define PT_EXITKILL (PTRACE_O_EXITKILL << PT_OPT_FLAG_SHIFT)
#define PT_SUSPEND_SECCOMP (PTRACE_O_SUSPEND_SECCOMP << PT_OPT_FLAG_SHIFT)
/* single stepping state bits (used on ARM and PA-RISC) */
/* single stepping state bits (used on ARM and PA-RISC) */
#define PT_SINGLESTEP_BIT 31
#define PT_SINGLESTEP_BIT 31
...
...
include/linux/seccomp.h
View file @
fe6c59dc
...
@@ -78,7 +78,7 @@ static inline long prctl_set_seccomp(unsigned long arg2, char __user *arg3)
...
@@ -78,7 +78,7 @@ static inline long prctl_set_seccomp(unsigned long arg2, char __user *arg3)
static
inline
int
seccomp_mode
(
struct
seccomp
*
s
)
static
inline
int
seccomp_mode
(
struct
seccomp
*
s
)
{
{
return
0
;
return
SECCOMP_MODE_DISABLED
;
}
}
#endif
/* CONFIG_SECCOMP */
#endif
/* CONFIG_SECCOMP */
...
...
include/uapi/linux/ptrace.h
View file @
fe6c59dc
...
@@ -90,8 +90,10 @@ struct ptrace_peeksiginfo_args {
...
@@ -90,8 +90,10 @@ struct ptrace_peeksiginfo_args {
/* eventless options */
/* eventless options */
#define PTRACE_O_EXITKILL (1 << 20)
#define PTRACE_O_EXITKILL (1 << 20)
#define PTRACE_O_SUSPEND_SECCOMP (1 << 21)
#define PTRACE_O_MASK (0x000000ff | PTRACE_O_EXITKILL)
#define PTRACE_O_MASK (\
0x000000ff | PTRACE_O_EXITKILL | PTRACE_O_SUSPEND_SECCOMP)
#include <asm/ptrace.h>
#include <asm/ptrace.h>
...
...
kernel/ptrace.c
View file @
fe6c59dc
...
@@ -556,6 +556,19 @@ static int ptrace_setoptions(struct task_struct *child, unsigned long data)
...
@@ -556,6 +556,19 @@ static int ptrace_setoptions(struct task_struct *child, unsigned long data)
if
(
data
&
~
(
unsigned
long
)
PTRACE_O_MASK
)
if
(
data
&
~
(
unsigned
long
)
PTRACE_O_MASK
)
return
-
EINVAL
;
return
-
EINVAL
;
if
(
unlikely
(
data
&
PTRACE_O_SUSPEND_SECCOMP
))
{
if
(
!
config_enabled
(
CONFIG_CHECKPOINT_RESTORE
)
||
!
config_enabled
(
CONFIG_SECCOMP
))
return
-
EINVAL
;
if
(
!
capable
(
CAP_SYS_ADMIN
))
return
-
EPERM
;
if
(
seccomp_mode
(
&
current
->
seccomp
)
!=
SECCOMP_MODE_DISABLED
||
current
->
ptrace
&
PT_SUSPEND_SECCOMP
)
return
-
EPERM
;
}
/* Avoid intermediate state when all opts are cleared */
/* Avoid intermediate state when all opts are cleared */
flags
=
child
->
ptrace
;
flags
=
child
->
ptrace
;
flags
&=
~
(
PTRACE_O_MASK
<<
PT_OPT_FLAG_SHIFT
);
flags
&=
~
(
PTRACE_O_MASK
<<
PT_OPT_FLAG_SHIFT
);
...
...
kernel/seccomp.c
View file @
fe6c59dc
...
@@ -175,17 +175,16 @@ static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen)
...
@@ -175,17 +175,16 @@ static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen)
*/
*/
static
u32
seccomp_run_filters
(
struct
seccomp_data
*
sd
)
static
u32
seccomp_run_filters
(
struct
seccomp_data
*
sd
)
{
{
struct
seccomp_filter
*
f
=
ACCESS_ONCE
(
current
->
seccomp
.
filter
);
struct
seccomp_data
sd_local
;
struct
seccomp_data
sd_local
;
u32
ret
=
SECCOMP_RET_ALLOW
;
u32
ret
=
SECCOMP_RET_ALLOW
;
/* Make sure cross-thread synced filter points somewhere sane. */
struct
seccomp_filter
*
f
=
lockless_dereference
(
current
->
seccomp
.
filter
);
/* Ensure unexpected behavior doesn't result in failing open. */
/* Ensure unexpected behavior doesn't result in failing open. */
if
(
unlikely
(
WARN_ON
(
f
==
NULL
)))
if
(
unlikely
(
WARN_ON
(
f
==
NULL
)))
return
SECCOMP_RET_KILL
;
return
SECCOMP_RET_KILL
;
/* Make sure cross-thread synced filter points somewhere sane. */
smp_read_barrier_depends
();
if
(
!
sd
)
{
if
(
!
sd
)
{
populate_seccomp_data
(
&
sd_local
);
populate_seccomp_data
(
&
sd_local
);
sd
=
&
sd_local
;
sd
=
&
sd_local
;
...
@@ -549,7 +548,11 @@ void secure_computing_strict(int this_syscall)
...
@@ -549,7 +548,11 @@ void secure_computing_strict(int this_syscall)
{
{
int
mode
=
current
->
seccomp
.
mode
;
int
mode
=
current
->
seccomp
.
mode
;
if
(
mode
==
0
)
if
(
config_enabled
(
CONFIG_CHECKPOINT_RESTORE
)
&&
unlikely
(
current
->
ptrace
&
PT_SUSPEND_SECCOMP
))
return
;
if
(
mode
==
SECCOMP_MODE_DISABLED
)
return
;
return
;
else
if
(
mode
==
SECCOMP_MODE_STRICT
)
else
if
(
mode
==
SECCOMP_MODE_STRICT
)
__secure_computing_strict
(
this_syscall
);
__secure_computing_strict
(
this_syscall
);
...
@@ -650,6 +653,10 @@ u32 seccomp_phase1(struct seccomp_data *sd)
...
@@ -650,6 +653,10 @@ u32 seccomp_phase1(struct seccomp_data *sd)
int
this_syscall
=
sd
?
sd
->
nr
:
int
this_syscall
=
sd
?
sd
->
nr
:
syscall_get_nr
(
current
,
task_pt_regs
(
current
));
syscall_get_nr
(
current
,
task_pt_regs
(
current
));
if
(
config_enabled
(
CONFIG_CHECKPOINT_RESTORE
)
&&
unlikely
(
current
->
ptrace
&
PT_SUSPEND_SECCOMP
))
return
SECCOMP_PHASE1_OK
;
switch
(
mode
)
{
switch
(
mode
)
{
case
SECCOMP_MODE_STRICT
:
case
SECCOMP_MODE_STRICT
:
__secure_computing_strict
(
this_syscall
);
/* may call do_exit */
__secure_computing_strict
(
this_syscall
);
/* may call do_exit */
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment