
um: Add seccomp support

This brings SECCOMP_MODE_STRICT and SECCOMP_MODE_FILTER support through
prctl(2) and seccomp(2) to User-mode Linux for i386 and x86_64
subarchitectures.

secure_computing() is called first in handle_syscall() so that the
syscall emulation will be aborted quickly if matching a seccomp rule.

This is inspired by Meredydd Luff's patch
(https://gerrit.chromium.org/gerrit/21425).

Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Meredydd Luff <meredydd@senatehouse.org>
Cc: David Drysdale <drysdale@google.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Acked-by: Kees Cook <keescook@chromium.org>

authored by

Mickaël Salaün and committed by
Richard Weinberger
c50b4659 d8f8b844

+25 -1
+1 -1
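--- a/Documentation/features/seccomp/seccomp-filter/arch-support.txt
+++ b/Documentation/features/seccomp/seccomp-filter/arch-support.txt
@@ -33,7 +33,7 @@
 | sh: | TODO |
 | sparc: | TODO |
 | tile: | ok |
-| um: | TODO |
+| um: | ok |
 | unicore32: | TODO |
 | x86: | ok |
 | xtensa: | TODO |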
+1
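--- a/arch/um/Kconfig.common
+++ b/arch/um/Kconfig.common
@@ -2,6 +2,7 @@
 	bool
 	default y
 	select HAVE_ARCH_AUDITSYSCALL
+	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_UID16
 	select HAVE_FUTEX_CMPXCHG if FUTEX
 	select GENERIC_IRQ_SHOW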
+16
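--- a/arch/um/Kconfig.um
+++ b/arch/um/Kconfig.um
@@ -104,3 +104,19 @@
 	int
 	default 3 if 3_LEVEL_PGTABLES
 	default 2
+
+config SECCOMP
+	def_bool y
+	prompt "Enable seccomp to safely compute untrusted bytecode"
+	---help---
+	  This kernel feature is useful for number crunching applications
+	  that may need to compute untrusted bytecode during their
+	  execution. By using pipes or other transports made available to
+	  the process as file descriptors supporting the read/write
+	  syscalls, it's possible to isolate those applications in
+	  their own address space using seccomp. Once seccomp is
+	  enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
+	  and the task is only allowed to execute a few safe syscalls
+	  defined by each seccomp mode.
+
+	  If unsure, say Y.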
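Review bot: The help text of the new SECCOMP option only describes the strict mode enabled through prctl(PR_SET_SECCOMP), although this same commit selects HAVE_ARCH_SECCOMP_FILTER and its description says SECCOMP_MODE_FILTER and seccomp(2) are supported on UML. The "number crunching applications" paragraph appears to be the generic strict-mode wording carried over from another architecture, so a reader of `make menuconfig` would not learn that BPF filters are available. I would add one sentence before the final "If unsure, say Y.": `Filter mode (SECCOMP_MODE_FILTER) is also supported, and both modes can be enabled through seccomp(2) as well as prctl(2).` This is documentation only; no change to the option itself is needed.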
+2
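--- a/arch/um/include/asm/thread_info.h
+++ b/arch/um/include/asm/thread_info.h
@@ -62,11 +62,13 @@
 #define TIF_SYSCALL_AUDIT 6
 #define TIF_RESTORE_SIGMASK 7
 #define TIF_NOTIFY_RESUME 8
+#define TIF_SECCOMP 9 /* secure computing */
 
 #define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
 #define _TIF_SIGPENDING (1 << TIF_SIGPENDING)
 #define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
 #define _TIF_MEMDIE (1 << TIF_MEMDIE)
 #define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
+#define _TIF_SECCOMP (1 << TIF_SECCOMP)
 
 #endif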
+5
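--- a/arch/um/kernel/skas/syscall.c
+++ b/arch/um/kernel/skas/syscall.c
@@ -5,6 +5,7 @@
 
 #include <linux/kernel.h>
 #include <linux/ptrace.h>
+#include <linux/seccomp.h>
 #include <kern_util.h>
 #include <sysdep/ptrace.h>
 #include <sysdep/ptrace_user.h>
@@ -19,6 +18,10 @@
 	/* Initialize the syscall number and default return value. */
 	UPT_SYSCALL_NR(r) = PT_SYSCALL_NR(r->gp);
 	PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS);
+
+	/* Do the secure computing check first; failures should be fast. */
+	if (secure_computing() == -1)
+		return;
 
 	if (syscall_trace_enter(regs))
 		goto out;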
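Review bot: The new seccomp check in the second hunk leaves handle_syscall() with a bare `return`, while the syscall_trace_enter() failure immediately below it uses `goto out`; if the `out:` label runs the syscall-exit tracing hook (it is outside this hunk, so that cannot be confirmed here), a filter verdict that makes secure_computing() return -1 without killing the task — an errno or a trace verdict where the tracer skips the call — bypasses that hook, and a ptrace-attached debugger sees a syscall entry with no matching exit. Using the same exit path as the trace-enter failure keeps the two skip cases symmetric: `if (secure_computing() == -1)` / `goto out;`. A kill verdict never returns from secure_computing(), so it is unaffected either way. handle_syscall() starts and ends outside the hunk; if `out:` only returns, the two forms are equivalent and this is a point of style only.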