Commit bb6ea430 authored by Will Drewry's avatar Will Drewry Committed by James Morris
Browse files

seccomp: Add SECCOMP_RET_TRAP 



Adds a new return value to seccomp filters that triggers a SIGSYS to be
delivered with the new SYS_SECCOMP si_code.

This allows in-process system call emulation, including just specifying
an errno or cleanly dumping core, rather than just dying.

Suggested-by: default avatarMarkus Gutschke <markus@chromium.org>
Suggested-by: default avatarJulien Tinnes <jln@chromium.org>
Signed-off-by: default avatarWill Drewry <wad@chromium.org>
Acked-by: default avatarEric Paris <eparis@redhat.com>

v18: - acked-by, rebase
     - don't mention secure_computing_int() anymore
v15: - use audit_seccomp/skip
     - pad out error spacing; clean up switch (indan@nul.nu)
v14: - n/a
v13: - rebase on to 88ebdda6
v12: - rebase on to linux-next
v11: - clarify the comment (indan@nul.nu)
     - s/sigtrap/sigsys
v10: - use SIGSYS, syscall_get_arch, updates arch/Kconfig
       note suggested-by (though original suggestion had other behaviors)
v9:  - changes to SIGILL
v8:  - clean up based on changes to dependent patches
v7:  - introduction
Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
parent a0727e8c

arch/Kconfig

+9 −5
Original line number Diff line number Diff line
@@ -219,11 +219,15 @@ config ARCH_WANT_OLD_COMPAT_IPC 
config HAVE_ARCH_SECCOMP_FILTER

	bool

	help

	  This symbol should be selected by an architecure if it provides

	  asm/syscall.h, specifically syscall_get_arguments(),

	  syscall_get_arch(), and syscall_set_return_value().  Additionally,

	  its system call entry path must respect a return value of -1 from

	  __secure_computing() and/or secure_computing().

	  This symbol should be selected by an architecure if it provides:

	  asm/syscall.h:

	  - syscall_get_arch()

	  - syscall_get_arguments()

	  - syscall_rollback()

	  - syscall_set_return_value()

	  SIGSYS siginfo_t support must be implemented.

	  __secure_computing()/secure_computing()'s return value must be

	  checked, with -1 resulting in the syscall being skipped.



config SECCOMP_FILTER

	def_bool y

include/asm-generic/siginfo.h

+1 −1
Original line number Diff line number Diff line
@@ -93,7 +93,7 @@ typedef struct siginfo { 


		/* SIGSYS */

		struct {

			void __user *_call_addr; /* calling insn */

			void __user *_call_addr; /* calling user insn */

			int _syscall;	/* triggering system call number */

			unsigned int _arch;	/* AUDIT_ARCH_* of syscall */

		} _sigsys;

include/linux/seccomp.h

+1 −0
Original line number Diff line number Diff line
@@ -19,6 +19,7 @@ 
 * selects the least permissive choice.

 */

#define SECCOMP_RET_KILL	0x00000000U /* kill the task immediately */

#define SECCOMP_RET_TRAP	0x00030000U /* disallow and force a SIGSYS */

#define SECCOMP_RET_ERRNO	0x00050000U /* returns an errno */

#define SECCOMP_RET_ALLOW	0x7fff0000U /* allow */

kernel/seccomp.c

+26 −0
Original line number Diff line number Diff line
@@ -332,6 +332,26 @@ void put_seccomp_filter(struct task_struct *tsk) 
		kfree(freeme);

	}

}



/**

 * seccomp_send_sigsys - signals the task to allow in-process syscall emulation

 * @syscall: syscall number to send to userland

 * @reason: filter-supplied reason code to send to userland (via si_errno)

 *

 * Forces a SIGSYS with a code of SYS_SECCOMP and related sigsys info.

 */

static void seccomp_send_sigsys(int syscall, int reason)

{

	struct siginfo info;

	memset(&info, 0, sizeof(info));

	info.si_signo = SIGSYS;

	info.si_code = SYS_SECCOMP;

	info.si_call_addr = (void __user *)KSTK_EIP(current);

	info.si_errno = reason;

	info.si_arch = syscall_get_arch(current, task_pt_regs(current));

	info.si_syscall = syscall;

	force_sig_info(SIGSYS, &info, current);

}

#endif	/* CONFIG_SECCOMP_FILTER */



/*
@@ -382,6 +402,12 @@ int __secure_computing(int this_syscall) 
			syscall_set_return_value(current, task_pt_regs(current),

						 -data, 0);

			goto skip;

		case SECCOMP_RET_TRAP:

			/* Show the handler the original registers. */

			syscall_rollback(current, task_pt_regs(current));

			/* Let the filter pass back 16 bits of data. */

			seccomp_send_sigsys(this_syscall, data);

			goto skip;

		case SECCOMP_RET_ALLOW:

			return 0;

		case SECCOMP_RET_KILL:

CRA Git | Maintained and supported by SUSTech CRA and CCSE