Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c0a3a64e authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'seccomp-v4.14-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux 

Pull seccomp updates from Kees Cook:
 "Major additions:

   - sysctl and seccomp operation to discover available actions
     (tyhicks)

   - new per-filter configurable logging infrastructure and sysctl
     (tyhicks)

   - SECCOMP_RET_LOG to log allowed syscalls (tyhicks)

   - SECCOMP_RET_KILL_PROCESS as the new strictest possible action

   - self-tests for new behaviors"

[ This is the seccomp part of the security pull request during the merge
  window that was nixed due to unrelated problems   - Linus ]

* tag 'seccomp-v4.14-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  samples: Unrename SECCOMP_RET_KILL
  selftests/seccomp: Test thread vs process killing
  seccomp: Implement SECCOMP_RET_KILL_PROCESS action
  seccomp: Introduce SECCOMP_RET_KILL_PROCESS
  seccomp: Rename SECCOMP_RET_KILL to SECCOMP_RET_KILL_THREAD
  seccomp: Action to log before allowing
  seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW
  seccomp: Selftest for detection of filter flag support
  seccomp: Sysctl to configure actions that are allowed to be logged
  seccomp: Operation for checking if an action is available
  seccomp: Sysctl to display available actions
  seccomp: Provide matching filter for introspection
  selftests/seccomp: Refactor RET_ERRNO tests
  selftests/seccomp: Add simple seccomp overhead benchmark
  selftests/seccomp: Add tests for basic ptrace actions
parents 69c902f5 6849243b

Documentation/networking/filter.txt

+1 −1
Original line number Diff line number Diff line
@@ -337,7 +337,7 @@ Examples for low-level BPF: 
  jeq #14, good           /* __NR_rt_sigprocmask */

  jeq #13, good           /* __NR_rt_sigaction */

  jeq #35, good           /* __NR_nanosleep */

  bad: ret #0             /* SECCOMP_RET_KILL */

  bad: ret #0             /* SECCOMP_RET_KILL_THREAD */

  good: ret #0x7fff0000   /* SECCOMP_RET_ALLOW */



The above example code can be placed into a file (here called "foo"), and

Documentation/sysctl/kernel.txt

+1 −0
Original line number Diff line number Diff line
@@ -75,6 +75,7 @@ show up in /proc/sys/kernel: 
- reboot-cmd                  [ SPARC only ]

- rtsig-max

- rtsig-nr

- seccomp/                    ==> Documentation/userspace-api/seccomp_filter.rst

- sem

- sem_next_id		      [ sysv ipc ]

- sg-big-buff                 [ generic SCSI device (sg) ]

Documentation/userspace-api/seccomp_filter.rst

+50 −2
Original line number Diff line number Diff line
@@ -87,11 +87,16 @@ Return values 
A seccomp filter may return any of the following values. If multiple

filters exist, the return value for the evaluation of a given system

call will always use the highest precedent value. (For example,

``SECCOMP_RET_KILL`` will always take precedence.)

``SECCOMP_RET_KILL_PROCESS`` will always take precedence.)



In precedence order, they are:



``SECCOMP_RET_KILL``:

``SECCOMP_RET_KILL_PROCESS``:

	Results in the entire process exiting immediately without executing

	the system call.  The exit status of the task (``status & 0x7f``)

	will be ``SIGSYS``, not ``SIGKILL``.



``SECCOMP_RET_KILL_THREAD``:

	Results in the task exiting immediately without executing the

	system call.  The exit status of the task (``status & 0x7f``) will

	be ``SIGSYS``, not ``SIGKILL``.
@@ -141,6 +146,15 @@ In precedence order, they are: 
	allow use of ptrace, even of other sandboxed processes, without

	extreme care; ptracers can use this mechanism to escape.)



``SECCOMP_RET_LOG``:

	Results in the system call being executed after it is logged. This

	should be used by application developers to learn which syscalls their

	application needs without having to iterate through multiple test and

	development cycles to build the list.



	This action will only be logged if "log" is present in the

	actions_logged sysctl string.



``SECCOMP_RET_ALLOW``:

	Results in the system call being executed.
@@ -169,7 +183,41 @@ The ``samples/seccomp/`` directory contains both an x86-specific example 
and a more generic example of a higher level macro interface for BPF

program generation.



Sysctls

=======



Seccomp's sysctl files can be found in the ``/proc/sys/kernel/seccomp/``

directory. Here's a description of each file in that directory:



``actions_avail``:

	A read-only ordered list of seccomp return values (refer to the

	``SECCOMP_RET_*`` macros above) in string form. The ordering, from

	left-to-right, is the least permissive return value to the most

	permissive return value.



	The list represents the set of seccomp return values supported

	by the kernel. A userspace program may use this list to

	determine if the actions found in the ``seccomp.h``, when the

	program was built, differs from the set of actions actually

	supported in the current running kernel.



``actions_logged``:

	A read-write ordered list of seccomp return values (refer to the

	``SECCOMP_RET_*`` macros above) that are allowed to be logged. Writes

	to the file do not need to be in ordered form but reads from the file

	will be ordered in the same way as the actions_avail sysctl.



	It is important to note that the value of ``actions_logged`` does not

	prevent certain actions from being logged when the audit subsystem is

	configured to audit a task. If the action is not found in

	``actions_logged`` list, the final decision on whether to audit the

	action for that task is ultimately left up to the audit subsystem to

	decide for all seccomp return values other than ``SECCOMP_RET_ALLOW``.



	The ``allow`` string is not accepted in the ``actions_logged`` sysctl

	as it is not possible to log ``SECCOMP_RET_ALLOW`` actions. Attempting

	to write ``allow`` to the sysctl will result in an EINVAL being

	returned.



Adding architecture support

===========================

include/linux/audit.h

+1 −5
Original line number Diff line number Diff line
@@ -314,11 +314,7 @@ void audit_core_dumps(long signr); 


static inline void audit_seccomp(unsigned long syscall, long signr, int code)

{

	if (!audit_enabled)

		return;



	/* Force a record to be reported if a signal was delivered. */

	if (signr || unlikely(!audit_dummy_context()))

	if (audit_enabled && unlikely(!audit_dummy_context()))

		__audit_seccomp(syscall, signr, code);

}

include/linux/seccomp.h

+2 −1
Original line number Diff line number Diff line
@@ -3,7 +3,8 @@ 


#include <uapi/linux/seccomp.h>



#define SECCOMP_FILTER_FLAG_MASK	(SECCOMP_FILTER_FLAG_TSYNC)

#define SECCOMP_FILTER_FLAG_MASK	(SECCOMP_FILTER_FLAG_TSYNC | \

					 SECCOMP_FILTER_FLAG_LOG)



#ifdef CONFIG_SECCOMP