Commit c50b4659 authored by Mickaël Salaün's avatar Mickaël Salaün Committed by Richard Weinberger
Browse files

um: Add seccomp support 

This brings SECCOMP_MODE_STRICT and SECCOMP_MODE_FILTER support through
prctl(2) and seccomp(2) to User-mode Linux for i386 and x86_64
subarchitectures.

secure_computing() is called first in handle_syscall() so that the
syscall emulation will be aborted quickly if matching a seccomp rule.

This is inspired from Meredydd Luff's patch
(https://gerrit.chromium.org/gerrit/21425

).

Signed-off-by: default avatarMickaël Salaün <mic@digikod.net>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Meredydd Luff <meredydd@senatehouse.org>
Cc: David Drysdale <drysdale@google.com>
Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
Acked-by: default avatarKees Cook <keescook@chromium.org>
parent d8f8b844

Documentation/features/seccomp/seccomp-filter/arch-support.txt

+1 −1
Original line number Diff line number Diff line
@@ -33,7 +33,7 @@ 
    |          sh: | TODO |

    |       sparc: | TODO |

    |        tile: |  ok  |

    |          um: | TODO |

    |          um: |  ok  |

    |   unicore32: | TODO |

    |         x86: |  ok  |

    |      xtensa: | TODO |

arch/um/Kconfig.common

+1 −0
Original line number Diff line number Diff line
@@ -2,6 +2,7 @@ config UML 
	bool

	default y

	select HAVE_ARCH_AUDITSYSCALL

	select HAVE_ARCH_SECCOMP_FILTER

	select HAVE_UID16

	select HAVE_FUTEX_CMPXCHG if FUTEX

	select GENERIC_IRQ_SHOW

arch/um/Kconfig.um

+16 −0
Original line number Diff line number Diff line
@@ -104,3 +104,19 @@ config PGTABLE_LEVELS 
	int

	default 3 if 3_LEVEL_PGTABLES

	default 2



config SECCOMP

	def_bool y

	prompt "Enable seccomp to safely compute untrusted bytecode"

	---help---

	  This kernel feature is useful for number crunching applications

	  that may need to compute untrusted bytecode during their

	  execution. By using pipes or other transports made available to

	  the process as file descriptors supporting the read/write

	  syscalls, it's possible to isolate those applications in

	  their own address space using seccomp. Once seccomp is

	  enabled via prctl(PR_SET_SECCOMP), it cannot be disabled

	  and the task is only allowed to execute a few safe syscalls

	  defined by each seccomp mode.



	  If unsure, say Y.

arch/um/include/asm/thread_info.h

+2 −0
Original line number Diff line number Diff line
@@ -62,11 +62,13 @@ static inline struct thread_info *current_thread_info(void) 
#define TIF_SYSCALL_AUDIT	6

#define TIF_RESTORE_SIGMASK	7

#define TIF_NOTIFY_RESUME	8

#define TIF_SECCOMP		9	/* secure computing */



#define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)

#define _TIF_SIGPENDING		(1 << TIF_SIGPENDING)

#define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)

#define _TIF_MEMDIE		(1 << TIF_MEMDIE)

#define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)

#define _TIF_SECCOMP		(1 << TIF_SECCOMP)



#endif

arch/um/kernel/skas/syscall.c

+5 −0
Original line number Diff line number Diff line
@@ -5,6 +5,7 @@ 


#include <linux/kernel.h>

#include <linux/ptrace.h>

#include <linux/seccomp.h>

#include <kern_util.h>

#include <sysdep/ptrace.h>

#include <sysdep/ptrace_user.h>
@@ -19,6 +20,10 @@ void handle_syscall(struct uml_pt_regs *r) 
	UPT_SYSCALL_NR(r) = PT_SYSCALL_NR(r->gp);

	PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS);



	/* Do the secure computing check first; failures should be fast. */

	if (secure_computing() == -1)

		return;



	if (syscall_trace_enter(regs))

		goto out;

CRA Git | Maintained and supported by SUSTech CRA and CCSE