tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
sh: seccomp support.
This hooks up the seccomp thread flag and associated callback from the
syscall tracer.
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
+37
-2
+17
arch/sh/Kconfig
+17
arch/sh/Kconfig
···
483
483
484
484
For more details see Documentation/kdump/kdump.txt
485
485
486
+
config SECCOMP
487
+
bool "Enable seccomp to safely compute untrusted bytecode"
488
+
depends on PROC_FS
489
+
default y
490
+
help
491
+
This kernel feature is useful for number crunching applications
492
+
that may need to compute untrusted bytecode during their
493
+
execution. By using pipes or other transports made available to
494
+
the process as file descriptors supporting the read/write
495
+
syscalls, it's possible to isolate those applications in
496
+
their own address space using seccomp. Once seccomp is
497
+
enabled via prctl, it cannot be disabled and the task is only
498
+
allowed to execute a few safe syscalls defined by each seccomp
499
+
mode.
500
+
501
+
If unsure, say N.
502
+
486
503
config SMP
487
504
bool "Symmetric multi-processing support"
488
505
depends on SYS_SUPPORTS_SMP
+10
arch/sh/include/asm/seccomp.h
+10
arch/sh/include/asm/seccomp.h
+4
-2
arch/sh/include/asm/thread_info.h
+4
-2
arch/sh/include/asm/thread_info.h
···
117
117
#define TIF_NEED_RESCHED 2 /* rescheduling necessary */
118
118
#define TIF_RESTORE_SIGMASK 3 /* restore signal mask in do_signal() */
119
119
#define TIF_SINGLESTEP 4 /* singlestepping active */
120
-
#define TIF_SYSCALL_AUDIT 5
120
+
#define TIF_SYSCALL_AUDIT 5 /* syscall auditing active */
121
+
#define TIF_SECCOMP 6 /* secure computing */
121
122
#define TIF_USEDFPU 16 /* FPU was used by this task this quantum (SMP) */
122
123
#define TIF_POLLING_NRFLAG 17 /* true if poll_idle() is polling TIF_NEED_RESCHED */
123
124
#define TIF_MEMDIE 18
···
130
129
#define _TIF_RESTORE_SIGMASK (1 << TIF_RESTORE_SIGMASK)
131
130
#define _TIF_SINGLESTEP (1 << TIF_SINGLESTEP)
132
131
#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
132
+
#define _TIF_SECCOMP (1 << TIF_SECCOMP)
133
133
#define _TIF_USEDFPU (1 << TIF_USEDFPU)
134
134
#define _TIF_POLLING_NRFLAG (1 << TIF_POLLING_NRFLAG)
135
135
#define _TIF_FREEZE (1 << TIF_FREEZE)
···
143
141
144
142
/* work to do in syscall trace */
145
143
#define _TIF_WORK_SYSCALL_MASK (_TIF_SYSCALL_TRACE | _TIF_SINGLESTEP | \
146
-
_TIF_SYSCALL_AUDIT)
144
+
_TIF_SYSCALL_AUDIT | _TIF_SECCOMP)
147
145
148
146
/* work to do on any return to u-space */
149
147
#define _TIF_ALLWORK_MASK (_TIF_SYSCALL_TRACE | _TIF_SIGPENDING | \
+3
arch/sh/kernel/ptrace_32.c
+3
arch/sh/kernel/ptrace_32.c
···
20
20
#include <linux/signal.h>
21
21
#include <linux/io.h>
22
22
#include <linux/audit.h>
23
+
#include <linux/seccomp.h>
23
24
#include <asm/uaccess.h>
24
25
#include <asm/pgtable.h>
25
26
#include <asm/system.h>
···
276
275
asmlinkage void do_syscall_trace(struct pt_regs *regs, int entryexit)
277
276
{
278
277
struct task_struct *tsk = current;
278
+
279
+
secure_computing(regs->regs[0]);
279
280
280
281
if (unlikely(current->audit_context) && entryexit)
281
282
audit_syscall_exit(AUDITSC_RESULT(regs->regs[0]),
+3
arch/sh/kernel/ptrace_64.c
+3
arch/sh/kernel/ptrace_64.c
···
27
27
#include <linux/signal.h>
28
28
#include <linux/syscalls.h>
29
29
#include <linux/audit.h>
30
+
#include <linux/seccomp.h>
30
31
#include <asm/io.h>
31
32
#include <asm/uaccess.h>
32
33
#include <asm/pgtable.h>
···
277
276
asmlinkage void syscall_trace(struct pt_regs *regs, int entryexit)
278
277
{
279
278
struct task_struct *tsk = current;
279
+
280
+
secure_computing(regs->regs[9]);
280
281
281
282
if (unlikely(current->audit_context) && entryexit)
282
283
audit_syscall_exit(AUDITSC_RESULT(regs->regs[9]),