
seccomp: Report number of loaded filters in /proc/$pid/status

A common question asked when debugging seccomp filters is "how many
filters are attached to your process?" Provide a way to easily answer
this question through /proc/$pid/status with a "Seccomp_filters" line.

Signed-off-by: Kees Cook <keescook@chromium.org>

+10
+2
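--- a/fs/proc/array.c
+++ b/fs/proc/array.c
@@ -341,6 +341,8 @@
 	seq_put_decimal_ull(m, "NoNewPrivs:\t", task_no_new_privs(p));
 #ifdef CONFIG_SECCOMP
 	seq_put_decimal_ull(m, "\nSeccomp:\t", p->seccomp.mode);
+	seq_put_decimal_ull(m, "\nSeccomp_filters:\t",
+			    atomic_read(&p->seccomp.filter_count));
 #endif
 	seq_puts(m, "\nSpeculation_Store_Bypass:\t");
 	switch (arch_prctl_spec_ctrl_get(p, PR_SPEC_STORE_BYPASS)) {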
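Review bot: The new Seccomp_filters line is left undocumented: the commit's +10 diffstat is fully accounted for by the four code hunks, so Documentation/filesystems/proc.rst, which lists the fields of /proc/$pid/status, gets no entry for it. The entry should say what the number means and its limits: since the only increment visible in this series is on the filter-attach path in kernel/seccomp.c, a task in SECCOMP_MODE_STRICT (Seccomp: 1) will report `Seccomp_filters: 0`, so the field counts attached BPF filters only and is not a proxy for "seccomp is in effect". It is also worth stating that the value is read locklessly via atomic_read(), consistent with the surrounding lockless read of `p->seccomp.mode`, so a reader racing with a concurrent seccomp(2) call may observe the old or the new count. The enclosing proc_pid_status() helper starts and ends outside the hunk.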
+2
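--- a/include/linux/seccomp.h
+++ b/include/linux/seccomp.h
@@ -13,6 +13,7 @@
 #ifdef CONFIG_SECCOMP
 
 #include <linux/thread_info.h>
+#include <linux/atomic.h>
 #include <asm/seccomp.h>
 
 struct seccomp_filter;
@@ -30,6 +29,7 @@
  */
 struct seccomp {
 	int mode;
+	atomic_t filter_count;
 	struct seccomp_filter *filter;
 };
 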
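Review bot: The new `filter_count` member is not described in the comment block whose closing `*/` sits directly above `struct seccomp` in the second hunk; if that block is the usual kernel-doc description of the struct's members, it should gain a line such as `@filter_count: number of seccomp filters attached, kept for /proc reporting`. The comment should also record that the counter is meant to be read without the locks that guard the neighbouring `filter` pointer — fs/proc/array.c reads it with a bare atomic_read() from another task's context — so nobody later "fixes" the reader by taking a lock, or assumes the counter and the `filter` chain are always observed in a consistent pair. A short note that the count must be maintained on every path that changes `filter` (attach and thread sync) would help keep it from drifting from the chain length.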
+3
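--- a/init/init_task.c
+++ b/init/init_task.c
@@ -204,6 +204,9 @@
 #ifdef CONFIG_SECURITY
 	.security = NULL,
 #endif
+#ifdef CONFIG_SECCOMP
+	.seccomp = { .filter_count = ATOMIC_INIT(0) },
+#endif
 };
 EXPORT_SYMBOL(init_task);
 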
+3
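--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -398,6 +398,8 @@
 		put_seccomp_filter(thread);
 		smp_store_release(&thread->seccomp.filter,
 				  caller->seccomp.filter);
+		atomic_set(&thread->seccomp.filter_count,
+			   atomic_read(&thread->seccomp.filter_count));
 
 		/*
 		 * Don't let an unprivileged task work around
@@ -546,6 +544,7 @@
 	 */
 	filter->prev = current->seccomp.filter;
 	current->seccomp.filter = filter;
+	atomic_inc(&current->seccomp.filter_count);
 
 	/* Now that the new filter is in place, synchronize to all threads. */
 	if (flags & SECCOMP_FILTER_FLAG_TSYNC)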
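Review bot: The first hunk's thread-sync update is a self-assignment: `atomic_set(&thread->seccomp.filter_count, atomic_read(&thread->seccomp.filter_count))` reads the thread's own counter and writes it straight back, so after `smp_store_release()` has pointed `thread->seccomp.filter` at the caller's chain the thread's count still reflects its old chain. Every thread that receives filters through SECCOMP_FILTER_FLAG_TSYNC will therefore report a stale Seccomp_filters value in /proc/$pid/status — typically 0 even though filters are enforced — which defeats the debugging purpose of the field and would mislead any audit tool comparing counts across threads of a process. The read should come from the caller, mirroring the pointer copy two lines above: `atomic_read(&caller->seccomp.filter_count));`. Both enclosing functions (the per-thread sync loop and the attach path) start and end outside these hunks.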