
Commit deb4de8b authored by Kees Cook's avatar Kees Cook

seccomp: Provide matching filter for introspection



Both the upcoming logging improvements and changes to RET_KILL will need
to know which filter a given seccomp return value originated from. In
order to delay processing of the result until after the seccomp loop,
this adds a single pointer assignment on matches. This will allow both
log and RET_KILL logic to work off the filter rather than doing more
expensive tests inside the time-critical run_filters loop.

Running tight cycles of getpid() with filters attached shows no measurable
difference in speed.

Suggested-by: default avatarTyler Hicks <tyhicks@canonical.com>
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Reviewed-by: default avatarTyler Hicks <tyhicks@canonical.com>
parent f3f6e306
+15 −3
@@ -171,10 +171,14 @@ static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen)
/**
 * seccomp_run_filters - evaluates all seccomp filters against @sd
 * @sd: optional seccomp data to be passed to filters
 * @match: stores struct seccomp_filter that resulted in the return value,
 *         unless filter returned SECCOMP_RET_ALLOW, in which case it will
 *         be unchanged.
 *
 * Returns valid seccomp BPF response codes.
 */
static u32 seccomp_run_filters(const struct seccomp_data *sd)
static u32 seccomp_run_filters(const struct seccomp_data *sd,
			       struct seccomp_filter **match)
{
	struct seccomp_data sd_local;
	u32 ret = SECCOMP_RET_ALLOW;
@@ -198,8 +202,10 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd)
	for (; f; f = f->prev) {
		u32 cur_ret = BPF_PROG_RUN(f->prog, sd);

		if ((cur_ret & SECCOMP_RET_ACTION) < (ret & SECCOMP_RET_ACTION))
		if ((cur_ret & SECCOMP_RET_ACTION) < (ret & SECCOMP_RET_ACTION)) {
			ret = cur_ret;
			*match = f;
		}
	}
	return ret;
}
@@ -566,6 +572,7 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd,
			    const bool recheck_after_trace)
{
	u32 filter_ret, action;
	struct seccomp_filter *match = NULL;
	int data;

	/*
@@ -574,7 +581,7 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd,
	 */
	rmb();

	filter_ret = seccomp_run_filters(sd);
	filter_ret = seccomp_run_filters(sd, &match);
	data = filter_ret & SECCOMP_RET_DATA;
	action = filter_ret & SECCOMP_RET_ACTION;

@@ -638,6 +645,11 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd,
		return 0;

	case SECCOMP_RET_ALLOW:
		/*
		 * Note that the "match" filter will always be NULL for
		 * this action since SECCOMP_RET_ALLOW is the starting
		 * state in seccomp_run_filters().
		 */
		return 0;

	case SECCOMP_RET_KILL:
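Review bot: The new @match kernel-doc on seccomp_run_filters() describes when the pointer is left untouched but not that the caller is responsible for initializing it, even though the SECCOMP_RET_ALLOW note in __seccomp_filter() relies entirely on the `struct seccomp_filter *match = NULL;` initializer rather than on anything seccomp_run_filters() does; a future caller that passes an uninitialized pointer and then uses *match for logging or RET_KILL handling would read garbage. I would extend the @match line with ` *         Callers must initialize *@match (typically to NULL) before` / ` *         calling, since it is only written when a filter's action` / ` *         beats the current return value.` The strict `<` comparison also means that when several filters return the same winning action, *match names the filter visited first and later equal-priority filters do not replace it; since f is initialized outside the hunk, I would state in the @match text which end of the chain wins ties (presumably the most recently attached filter if the walk starts from the task's head and follows ->prev, but confirm). __seccomp_filter()'s body continues past the end of the hunk.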