Commit 26500475 authored by Tycho Andersen's avatar Tycho Andersen Committed by Kees Cook
Browse files

ptrace, seccomp: add support for retrieving seccomp metadata 



With the new SECCOMP_FILTER_FLAG_LOG, we need to be able to extract these
flags for checkpoint restore, since they describe the state of a filter.

So, let's add PTRACE_SECCOMP_GET_METADATA, similar to ..._GET_FILTER, which
returns the metadata of the nth filter (right now, just the flags).
Hopefully this will be future proof, and new per-filter metadata can be
added to this struct.

Signed-off-by: default avatarTycho Andersen <tycho@docker.com>
CC: Kees Cook <keescook@chromium.org>
CC: Andy Lutomirski <luto@amacapital.net>
CC: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
parent f06eae83

include/linux/seccomp.h

+8 −0
Original line number Diff line number Diff line
@@ -95,11 +95,19 @@ static inline void get_seccomp_filter(struct task_struct *tsk) 
#if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE)

extern long seccomp_get_filter(struct task_struct *task,

			       unsigned long filter_off, void __user *data);

extern long seccomp_get_metadata(struct task_struct *task,

				 unsigned long filter_off, void __user *data);

#else

static inline long seccomp_get_filter(struct task_struct *task,

				      unsigned long n, void __user *data)

{

	return -EINVAL;

}

static inline long seccomp_get_metadata(struct task_struct *task,

					unsigned long filter_off,

					void __user *data)

{

	return -EINVAL;

}

#endif /* CONFIG_SECCOMP_FILTER && CONFIG_CHECKPOINT_RESTORE */

#endif /* _LINUX_SECCOMP_H */

include/uapi/linux/ptrace.h

+6 −0
Original line number Diff line number Diff line
@@ -66,6 +66,12 @@ struct ptrace_peeksiginfo_args { 
#define PTRACE_SETSIGMASK	0x420b



#define PTRACE_SECCOMP_GET_FILTER	0x420c

#define PTRACE_SECCOMP_GET_METADATA	0x420d



struct seccomp_metadata {

	unsigned long filter_off;	/* Input: which filter */

	unsigned int flags;		/* Output: filter's flags */

};



/* Read signals from a shared (process wide) queue */

#define PTRACE_PEEKSIGINFO_SHARED	(1 << 0)

kernel/ptrace.c

+4 −0
Original line number Diff line number Diff line
@@ -1092,6 +1092,10 @@ int ptrace_request(struct task_struct *child, long request, 
		ret = seccomp_get_filter(child, addr, datavp);

		break;



	case PTRACE_SECCOMP_GET_METADATA:

		ret = seccomp_get_metadata(child, addr, datavp);

		break;



	default:

		break;

	}

kernel/seccomp.c

+33 −0
Original line number Diff line number Diff line
@@ -1061,6 +1061,39 @@ out: 
	__put_seccomp_filter(filter);

	return ret;

}



long seccomp_get_metadata(struct task_struct *task,

			  unsigned long size, void __user *data)

{

	long ret;

	struct seccomp_filter *filter;

	struct seccomp_metadata kmd = {};



	if (!capable(CAP_SYS_ADMIN) ||

	    current->seccomp.mode != SECCOMP_MODE_DISABLED) {

		return -EACCES;

	}



	size = min_t(unsigned long, size, sizeof(kmd));



	if (copy_from_user(&kmd, data, size))

		return -EFAULT;



	filter = get_nth_filter(task, kmd.filter_off);

	if (IS_ERR(filter))

		return PTR_ERR(filter);



	memset(&kmd, 0, sizeof(kmd));

	if (filter->log)

		kmd.flags |= SECCOMP_FILTER_FLAG_LOG;



	ret = size;

	if (copy_to_user(data, &kmd, size))

		ret = -EFAULT;



	__put_seccomp_filter(filter);

	return ret;

}

#endif



#ifdef CONFIG_SYSCTL

CRA Git | Maintained and supported by SUSTech CRA and CCSE