Commit e95a4f8c authored by Guo Ren's avatar Guo Ren

csky: Add SECCOMP_FILTER supported

secure_computing() is called first in syscall_trace_enter() so that
a system call will be aborted quickly without doing succeeding syscall
tracing if seccomp rules want to deny that system call.

TODO:
 - Update https://github.com/seccomp/libseccomp with csky support

Signed-off-by: default avatarGuo Ren <guoren@linux.alibaba.com>
Cc: Arnd Bergmann <arnd@arndb.de>
parent c23dd240
+14 −0
@@ -38,6 +38,7 @@ config CSKY
	select GX6605S_TIMER if CPU_CK610
	select HAVE_ARCH_TRACEHOOK
	select HAVE_ARCH_AUDITSYSCALL
	select HAVE_ARCH_SECCOMP_FILTER
	select HAVE_COPY_THREAD_TLS
	select HAVE_DEBUG_BUGVERBOSE
	select HAVE_DYNAMIC_FTRACE
@@ -296,3 +297,16 @@ endmenu
source "arch/csky/Kconfig.platforms"

source "kernel/Kconfig.hz"

config SECCOMP
	bool "Enable seccomp to safely compute untrusted bytecode"
	help
	  This kernel feature is useful for number crunching applications
	  that may need to compute untrusted bytecode during their
	  execution. By using pipes or other transports made available to
	  the process as file descriptors supporting the read/write
	  syscalls, it's possible to isolate those applications in
	  their own address space using seccomp. Once seccomp is
	  enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
	  and the task is only allowed to execute a few safe syscalls
	  defined by each seccomp mode.
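Review bot: The help text under the new `config SECCOMP` only describes the legacy strict mode (prctl(PR_SET_SECCOMP), "a few safe syscalls"), although the point of this commit is filter mode via `select HAVE_ARCH_SECCOMP_FILTER`, so a user reading the option will not learn that BPF syscall filters are supported on csky. Suggest appending one sentence to the help, along the lines of "With HAVE_ARCH_SECCOMP_FILTER this also enables seccomp filter mode, where BPF programs installed via seccomp(2) decide per syscall." HAVE_ARCH_SECCOMP_FILTER relies on the asm/syscall.h helpers (syscall_get_arch(), syscall_get_arguments(), syscall_set_return_value()), which this commit does not touch, so presumably they are already present for csky — worth confirming before merge since a missing one breaks the filter silently rather than loudly.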
+1 −0
@@ -4,5 +4,6 @@ generic-y += gpio.h
generic-y += kvm_para.h
generic-y += local64.h
generic-y += qrwlock.h
generic-y += seccomp.h
generic-y += user.h
generic-y += vmlinux.lds.h
+1 −1
@@ -85,6 +85,6 @@ static inline struct thread_info *current_thread_info(void)
				 _TIF_NOTIFY_RESUME | _TIF_UPROBE)

#define _TIF_SYSCALL_WORK	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
				 _TIF_SYSCALL_TRACEPOINT)
				 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)

#endif	/* _ASM_CSKY_THREAD_INFO_H */
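Review bot: `_TIF_SECCOMP` is added to `_TIF_SYSCALL_WORK` but the hunk (and the +1 −1 diffstat) shows no definition of `TIF_SECCOMP`/`_TIF_SECCOMP`, so it must already exist above line 85 of this header; please confirm, because if the bit were not the one set by seccomp the syscall fast path would never enter the tracing slow path and filters would be bypassed without any error. A short comment on the mask would help future readers: `/* work that forces the slow syscall path; TIF_SECCOMP must stay here or filters are skipped */`.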
+3 −0
@@ -168,6 +168,8 @@ ENTRY(csky_systemcall)
csky_syscall_trace:
	mov	a0, sp                  /* sp = pt_regs pointer */
	jbsr	syscall_trace_enter
	cmpnei	a0, 0
	bt	1f
	/* Prepare args before do system call */
	ldw	a0, (sp, LSAVE_A0)
	ldw	a1, (sp, LSAVE_A1)
@@ -188,6 +190,7 @@ csky_syscall_trace:
#endif
	stw	a0, (sp, LSAVE_A0)	/* Save return value */

1:
#ifdef CONFIG_DEBUG_RSEQ
	mov	a0, sp
	jbsr	rseq_syscall
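Review bot: The new `bt 1f` after `jbsr syscall_trace_enter` branches past the `stw a0, (sp, LSAVE_A0)` that saves the syscall return value, so an aborted syscall leaves the tracee's a0 holding whatever is already in pt_regs; that is presumably what seccomp relies on for a SECCOMP_RET_ERRNO decision, but nothing in the hunk says so and a later reader may "fix" it by moving the label. Suggest a comment on the branch: `bt 1f /* -1: denied by seccomp or aborted by tracer; regs already hold the return value, skip the call */`. csky_syscall_trace starts before this hunk and continues past it, and the `1:` label it targets is in the second hunk of this file.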
+6 −2
@@ -320,16 +320,20 @@ long arch_ptrace(struct task_struct *child, long request,
	return ret;
}

asmlinkage void syscall_trace_enter(struct pt_regs *regs)
asmlinkage int syscall_trace_enter(struct pt_regs *regs)
{
	if (test_thread_flag(TIF_SYSCALL_TRACE))
		if (tracehook_report_syscall_entry(regs))
			syscall_set_nr(current, regs, -1);
			return -1;

	if (secure_computing() == -1)
		return -1;

	if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
		trace_sys_enter(regs, syscall_get_nr(current, regs));

	audit_syscall_entry(regs_syscallid(regs), regs->a0, regs->a1, regs->a2, regs->a3);
	return 0;
}

asmlinkage void syscall_trace_exit(struct pt_regs *regs)
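Review bot: `secure_computing()` runs after the TIF_SYSCALL_TRACE report in the new `syscall_trace_enter()`, not first as the commit description states; the code order is the right one, since a tracer may rewrite the syscall number at entry and the filter has to evaluate the final number, so the description should be corrected rather than the code. A comment would pin that intent: `/* seccomp after ptrace so a filter sees any syscall number the tracer changed */`. The unbraced nested `if` is easy to misread; `if (test_thread_flag(TIF_SYSCALL_TRACE) && tracehook_report_syscall_entry(regs)) return -1;` expresses the same thing in one condition. The new `int` return also deserves a one-line contract above the function: -1 means the syscall must be skipped and the caller must not overwrite the return register (for SECCOMP_RET_ERRNO the errno is presumably already placed in regs by seccomp — confirm against the entry.S branch).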