Commit c50b4659 authored by Mickaël Salaün's avatar Mickaël Salaün Committed by Richard Weinberger

um: Add seccomp support

This brings SECCOMP_MODE_STRICT and SECCOMP_MODE_FILTER support through
prctl(2) and seccomp(2) to User-mode Linux for i386 and x86_64
subarchitectures.

secure_computing() is called first in handle_syscall() so that the
syscall emulation will be aborted quickly if matching a seccomp rule.

This is inspired from Meredydd Luff's patch
(https://gerrit.chromium.org/gerrit/21425).
Signed-off-by: default avatarMickaël Salaün <mic@digikod.net>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Meredydd Luff <meredydd@senatehouse.org>
Cc: David Drysdale <drysdale@google.com>
Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
Acked-by: default avatarKees Cook <keescook@chromium.org>
parent d8f8b844
...@@ -33,7 +33,7 @@ ...@@ -33,7 +33,7 @@
| sh: | TODO | | sh: | TODO |
| sparc: | TODO | | sparc: | TODO |
| tile: | ok | | tile: | ok |
| um: | TODO | | um: | ok |
| unicore32: | TODO | | unicore32: | TODO |
| x86: | ok | | x86: | ok |
| xtensa: | TODO | | xtensa: | TODO |
......
...@@ -2,6 +2,7 @@ config UML ...@@ -2,6 +2,7 @@ config UML
bool bool
default y default y
select HAVE_ARCH_AUDITSYSCALL select HAVE_ARCH_AUDITSYSCALL
select HAVE_ARCH_SECCOMP_FILTER
select HAVE_UID16 select HAVE_UID16
select HAVE_FUTEX_CMPXCHG if FUTEX select HAVE_FUTEX_CMPXCHG if FUTEX
select GENERIC_IRQ_SHOW select GENERIC_IRQ_SHOW
......
...@@ -104,3 +104,19 @@ config PGTABLE_LEVELS ...@@ -104,3 +104,19 @@ config PGTABLE_LEVELS
int int
default 3 if 3_LEVEL_PGTABLES default 3 if 3_LEVEL_PGTABLES
default 2 default 2
config SECCOMP
def_bool y
prompt "Enable seccomp to safely compute untrusted bytecode"
---help---
This kernel feature is useful for number crunching applications
that may need to compute untrusted bytecode during their
execution. By using pipes or other transports made available to
the process as file descriptors supporting the read/write
syscalls, it's possible to isolate those applications in
their own address space using seccomp. Once seccomp is
enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
and the task is only allowed to execute a few safe syscalls
defined by each seccomp mode.
If unsure, say Y.
...@@ -62,11 +62,13 @@ static inline struct thread_info *current_thread_info(void) ...@@ -62,11 +62,13 @@ static inline struct thread_info *current_thread_info(void)
#define TIF_SYSCALL_AUDIT 6 #define TIF_SYSCALL_AUDIT 6
#define TIF_RESTORE_SIGMASK 7 #define TIF_RESTORE_SIGMASK 7
#define TIF_NOTIFY_RESUME 8 #define TIF_NOTIFY_RESUME 8
#define TIF_SECCOMP 9 /* secure computing */
#define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE) #define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
#define _TIF_SIGPENDING (1 << TIF_SIGPENDING) #define _TIF_SIGPENDING (1 << TIF_SIGPENDING)
#define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED) #define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
#define _TIF_MEMDIE (1 << TIF_MEMDIE) #define _TIF_MEMDIE (1 << TIF_MEMDIE)
#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT) #define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
#define _TIF_SECCOMP (1 << TIF_SECCOMP)
#endif #endif
...@@ -5,6 +5,7 @@ ...@@ -5,6 +5,7 @@
#include <linux/kernel.h> #include <linux/kernel.h>
#include <linux/ptrace.h> #include <linux/ptrace.h>
#include <linux/seccomp.h>
#include <kern_util.h> #include <kern_util.h>
#include <sysdep/ptrace.h> #include <sysdep/ptrace.h>
#include <sysdep/ptrace_user.h> #include <sysdep/ptrace_user.h>
...@@ -19,6 +20,10 @@ void handle_syscall(struct uml_pt_regs *r) ...@@ -19,6 +20,10 @@ void handle_syscall(struct uml_pt_regs *r)
UPT_SYSCALL_NR(r) = PT_SYSCALL_NR(r->gp); UPT_SYSCALL_NR(r) = PT_SYSCALL_NR(r->gp);
PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS); PT_REGS_SET_SYSCALL_RETURN(regs, -ENOSYS);
/* Do the secure computing check first; failures should be fast. */
if (secure_computing() == -1)
return;
if (syscall_trace_enter(regs)) if (syscall_trace_enter(regs))
goto out; goto out;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment