Commit 282a181b authored by YiFei Zhu, committed by Kees Cook

seccomp: Move config option SECCOMP to arch/Kconfig



In order to make adding configurable features into seccomp easier,
it's better to have the options at one single location, considering
especially that the bulk of seccomp code is arch-independent. A quick
look also shows that many SECCOMP descriptions are outdated; they talk
about /proc rather than prctl.

As a result of moving the config option and keeping it default on,
architectures arm, arm64, csky, riscv, sh, and xtensa did not have SECCOMP
on by default prior to this and SECCOMP will be default in this change.

Architectures microblaze, mips, powerpc, s390, sh, and sparc have an
outdated depend on PROC_FS and this dependency is removed in this change.

Suggested-by: Jann Horn <jannh@google.com>
Link: https://lore.kernel.org/lkml/CAG48ez1YWz9cnp08UZgeieYRhHdqh-ch7aNwc4JRBnGyrmgfMg@mail.gmail.com/


Signed-off-by: YiFei Zhu <yifeifz2@illinois.edu>
[kees: added HAVE_ARCH_SECCOMP help text, tweaked wording]
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/9ede6ef35c847e58d61e476c6a39540520066613.1600951211.git.yifeifz2@illinois.edu
parent e953aeaa
+30 −0
@@ -444,10 +444,23 @@ config ARCH_WANT_OLD_COMPAT_IPC
	select ARCH_WANT_COMPAT_IPC_PARSE_VERSION
	bool

config HAVE_ARCH_SECCOMP
	bool
	help
	  An arch should select this symbol to support seccomp mode 1 (the fixed
	  syscall policy), and must provide an overrides for __NR_seccomp_sigreturn,
	  and compat syscalls if the asm-generic/seccomp.h defaults need adjustment:
	  - __NR_seccomp_read_32
	  - __NR_seccomp_write_32
	  - __NR_seccomp_exit_32
	  - __NR_seccomp_sigreturn_32

config HAVE_ARCH_SECCOMP_FILTER
	bool
	select HAVE_ARCH_SECCOMP
	help
	  An arch should select this symbol if it provides all of these things:
	  - all the requirements for HAVE_ARCH_SECCOMP
	  - syscall_get_arch()
	  - syscall_get_arguments()
	  - syscall_rollback()
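Review bot: the new HAVE_ARCH_SECCOMP help text has a grammar slip in "must provide an overrides for __NR_seccomp_sigreturn"; suggest "must provide an override for __NR_seccomp_sigreturn". Otherwise the `select HAVE_ARCH_SECCOMP` added under HAVE_ARCH_SECCOMP_FILTER is the right way to guarantee that an arch selecting filter support also meets the mode 1 requirements, so no arch can end up with SECCOMP_FILTER selectable while SECCOMP itself is hidden.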
@@ -458,6 +471,23 @@ config HAVE_ARCH_SECCOMP_FILTER
	    results in the system call being skipped immediately.
	  - seccomp syscall wired up

config SECCOMP
	prompt "Enable seccomp to safely execute untrusted bytecode"
	def_bool y
	depends on HAVE_ARCH_SECCOMP
	help
	  This kernel feature is useful for number crunching applications
	  that may need to handle untrusted bytecode during their
	  execution. By using pipes or other transports made available
	  to the process as file descriptors supporting the read/write
	  syscalls, it's possible to isolate those applications in their
	  own address space using seccomp. Once seccomp is enabled via
	  prctl(PR_SET_SECCOMP) or the seccomp() syscall, it cannot be
	  disabled and the task is only allowed to execute a few safe
	  syscalls defined by each seccomp mode.

	  If unsure, say Y.

config SECCOMP_FILTER
	def_bool y
	depends on HAVE_ARCH_SECCOMP_FILTER && SECCOMP && NET
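Review bot: the help text of the centralised config SECCOMP still describes seccomp as a feature for "number crunching applications" handling "untrusted bytecode", which is the same outdated description the commit message says it wants to clean up; since this hunk already rewrites the prompt ("execute" instead of "compute") and adds the seccomp() syscall reference, it would be a good moment to reword the body around syscall filtering and sandboxing, which is what the option actually gates. Note also that `def_bool y` together with "If unsure, say Y" turns the option on by default for every arch that selects HAVE_ARCH_SECCOMP, which is the intended behaviour change the commit message lists.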
+1 −14
@@ -67,6 +67,7 @@ config ARM
	select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL && !CPU_ENDIAN_BE32 && MMU
	select HAVE_ARCH_KGDB if !CPU_ENDIAN_BE32 && MMU
	select HAVE_ARCH_MMAP_RND_BITS if MMU
	select HAVE_ARCH_SECCOMP
	select HAVE_ARCH_SECCOMP_FILTER if AEABI && !OABI_COMPAT
	select HAVE_ARCH_THREAD_STRUCT_WHITELIST
	select HAVE_ARCH_TRACEHOOK
@@ -1617,20 +1618,6 @@ config UACCESS_WITH_MEMCPY
	  However, if the CPU data cache is using a write-allocate mode,
	  this option is unlikely to provide any performance gain.

config SECCOMP
	bool
	prompt "Enable seccomp to safely compute untrusted bytecode"
	help
	  This kernel feature is useful for number crunching applications
	  that may need to compute untrusted bytecode during their
	  execution. By using pipes or other transports made available to
	  the process as file descriptors supporting the read/write
	  syscalls, it's possible to isolate those applications in
	  their own address space using seccomp. Once seccomp is
	  enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
	  and the task is only allowed to execute a few safe syscalls
	  defined by each seccomp mode.

config PARAVIRT
	bool "Enable paravirtualization code"
	help
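Review bot: the removed arm block is a plain `bool` with a prompt and no `default` line, so arm's SECCOMP default changes from n to y once the `def_bool y` in arch/Kconfig takes over; this matches the arm entry in the commit message's list of architectures that gain SECCOMP by default, but arm defconfigs that never set CONFIG_SECCOMP will now build it in, which is worth calling out for anyone tracking kernel size or attack-surface changes between releases.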
+0 −13
@@ -1033,19 +1033,6 @@ config ARCH_ENABLE_SPLIT_PMD_PTLOCK
config CC_HAVE_SHADOW_CALL_STACK
	def_bool $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)

config SECCOMP
	bool "Enable seccomp to safely compute untrusted bytecode"
	help
	  This kernel feature is useful for number crunching applications
	  that may need to compute untrusted bytecode during their
	  execution. By using pipes or other transports made available to
	  the process as file descriptors supporting the read/write
	  syscalls, it's possible to isolate those applications in
	  their own address space using seccomp. Once seccomp is
	  enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
	  and the task is only allowed to execute a few safe syscalls
	  defined by each seccomp mode.

config PARAVIRT
	bool "Enable paravirtualization code"
	help
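Review bot: this file only removes lines (+0 −13) and adds no `select HAVE_ARCH_SECCOMP`, so arm64 can only satisfy the new `depends on HAVE_ARCH_SECCOMP` through the `select HAVE_ARCH_SECCOMP` that arch/Kconfig now places under HAVE_ARCH_SECCOMP_FILTER; please confirm arm64 selects HAVE_ARCH_SECCOMP_FILTER, otherwise config SECCOMP would silently become unavailable on this arch instead of defaulting on.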
+0 −13
@@ -309,16 +309,3 @@ endmenu
source "arch/csky/Kconfig.platforms"

source "kernel/Kconfig.hz"

config SECCOMP
	bool "Enable seccomp to safely compute untrusted bytecode"
	help
	  This kernel feature is useful for number crunching applications
	  that may need to compute untrusted bytecode during their
	  execution. By using pipes or other transports made available to
	  the process as file descriptors supporting the read/write
	  syscalls, it's possible to isolate those applications in
	  their own address space using seccomp. Once seccomp is
	  enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
	  and the task is only allowed to execute a few safe syscalls
	  defined by each seccomp mode.
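Review bot: this is another removal-only file (+0 −13), so csky must already select HAVE_ARCH_SECCOMP_FILTER for the new `depends on HAVE_ARCH_SECCOMP` to be satisfiable; worth double-checking that select exists before relying on the "default on" outcome the commit message promises for csky.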
+1 −17
@@ -26,6 +26,7 @@ config MICROBLAZE
	select GENERIC_SCHED_CLOCK
	select HAVE_ARCH_HASH
	select HAVE_ARCH_KGDB
	select HAVE_ARCH_SECCOMP
	select HAVE_DEBUG_KMEMLEAK
	select HAVE_DMA_CONTIGUOUS
	select HAVE_DYNAMIC_FTRACE
@@ -120,23 +121,6 @@ config CMDLINE_FORCE
	  Set this to have arguments from the default kernel command string
	  override those passed by the boot loader.

config SECCOMP
	bool "Enable seccomp to safely compute untrusted bytecode"
	depends on PROC_FS
	default y
	help
	  This kernel feature is useful for number crunching applications
	  that may need to compute untrusted bytecode during their
	  execution. By using pipes or other transports made available to
	  the process as file descriptors supporting the read/write
	  syscalls, it's possible to isolate those applications in
	  their own address space using seccomp. Once seccomp is
	  enabled via /proc/<pid>/seccomp, it cannot be disabled
	  and the task is only allowed to execute a few safe syscalls
	  defined by each seccomp mode.

	  If unsure, say Y. Only embedded should say N here.

endmenu

menu "Kernel features"
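Review bot: the removed microblaze block carried `depends on PROC_FS` and help text pointing at /proc/<pid>/seccomp, the interface the commit message calls outdated; dropping the PROC_FS dependency is correct because the centralised option references prctl(PR_SET_SECCOMP) and the seccomp() syscall, neither of which needs procfs. The "Only embedded should say N here" guidance is lost with this hunk, which is acceptable since the central help already says "If unsure, say Y".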