)]}'
{
  "log": [
    {
      "commit": "f8b074bfda9d5a6eb136c60950a3319de5e14933",
      "tree": "8deca0200cd359b0f265dd1d8ebc30a20dd6bd6b",
      "parents": [
        "d32af365698237c84e6afb44d9e88d3b7bf56913"
      ],
      "author": {
        "name": "Robert Sesek",
        "email": "rsesek@google.com",
        "time": "Mon Aug 18 19:14:51 2014 -0400"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:05:00 2015 -0400"
      },
      "message": "seccomp: Use atomic operations that are present in kernel 3.4.\n\nSigned-off-by: Robert Sesek \u003crsesek@google.com\u003e\n"
    },
    {
      "commit": "d32af365698237c84e6afb44d9e88d3b7bf56913",
      "tree": "b73970cd95a8808a1853232fe18f505e897c79c6",
      "parents": [
        "38daf679216fe5edfc43f975db963be883accae8"
      ],
      "author": {
        "name": "Kees Cook",
        "email": "keescook@chromium.org",
        "time": "Thu Jun 05 00:23:17 2014 -0700"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:04:59 2015 -0400"
      },
      "message": "seccomp: implement SECCOMP_FILTER_FLAG_TSYNC\n\nApplying restrictive seccomp filter programs to large or diverse\ncodebases often requires handling threads which may be started early in\nthe process lifetime (e.g., by code that is linked in). While it is\npossible to apply permissive programs prior to process start up, it is\ndifficult to further restrict the kernel ABI to those threads after that\npoint.\n\nThis change adds a new seccomp syscall flag to SECCOMP_SET_MODE_FILTER for\nsynchronizing thread group seccomp filters at filter installation time.\n\nWhen calling seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,\nfilter) an attempt will be made to synchronize all threads in current\u0027s\nthreadgroup to its new seccomp filter program. This is possible iff all\nthreads are using a filter that is an ancestor to the filter current is\nattempting to synchronize to. NULL filters (where the task is running as\nSECCOMP_MODE_NONE) are also treated as ancestors allowing threads to be\ntransitioned into SECCOMP_MODE_FILTER. If prctl(PR_SET_NO_NEW_PRIVS,\n...) has been set on the calling thread, no_new_privs will be set for\nall synchronized threads too. On success, 0 is returned. On failure,\nthe pid of one of the failing threads will be returned and no filters\nwill have been applied.\n\nThe race conditions against another thread are:\n- requesting TSYNC (already handled by sighand lock)\n- performing a clone (already handled by sighand lock)\n- changing its filter (already handled by sighand lock)\n- calling exec (handled by cred_guard_mutex)\nThe clone case is assisted by the fact that new threads will have their\nseccomp state duplicated from their parent before appearing on the tasklist.\n\nHolding cred_guard_mutex means that seccomp filters cannot be assigned\nwhile in the middle of another thread\u0027s exec (potentially bypassing\nno_new_privs or similar). 
The call to de_thread() may kill threads waiting\nfor the mutex.\n\nChanges across threads to the filter pointer include a barrier.\n\nBased on patches by Will Drewry.\n\nSuggested-by: Julien Tinnes \u003cjln@chromium.org\u003e\nSigned-off-by: Kees Cook \u003ckeescook@chromium.org\u003e\nReviewed-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nReviewed-by: Andy Lutomirski \u003cluto@amacapital.net\u003e\n\nConflicts:\n\tinclude/linux/seccomp.h\n\tinclude/uapi/linux/seccomp.h\n"
    },
    {
      "commit": "38daf679216fe5edfc43f975db963be883accae8",
      "tree": "d28c1ee16e5f00d28e829745d2b45eb66c008b8a",
      "parents": [
        "880e1ab5d6ef6e806dfa8e9ba08c3ff03488837d"
      ],
      "author": {
        "name": "Kees Cook",
        "email": "keescook@chromium.org",
        "time": "Fri Jun 27 15:01:35 2014 -0700"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:04:58 2015 -0400"
      },
      "message": "seccomp: allow mode setting across threads\n\nThis changes the mode setting helper to allow threads to change the\nseccomp mode from another thread. We must maintain barriers to keep\nTIF_SECCOMP synchronized with the rest of the seccomp state.\n\nSigned-off-by: Kees Cook \u003ckeescook@chromium.org\u003e\nReviewed-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nReviewed-by: Andy Lutomirski \u003cluto@amacapital.net\u003e\n\nConflicts:\n\tkernel/seccomp.c\n"
    },
    {
      "commit": "880e1ab5d6ef6e806dfa8e9ba08c3ff03488837d",
      "tree": "df8042281f019e5750d08093e13041b7b3337a0e",
      "parents": [
        "42835bc18120d0e5921ff07d2c2d8afd9783161a"
      ],
      "author": {
        "name": "Kees Cook",
        "email": "keescook@chromium.org",
        "time": "Fri Jun 27 15:18:48 2014 -0700"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:04:57 2015 -0400"
      },
      "message": "seccomp: introduce writer locking\n\nNormally, task_struct.seccomp.filter is only ever read or modified by\nthe task that owns it (current). This property aids in fast access\nduring system call filtering as read access is lockless.\n\nUpdating the pointer from another task, however, opens up race\nconditions. To allow cross-thread filter pointer updates, writes to the\nseccomp fields are now protected by the sighand spinlock (which is shared\nby all threads in the thread group). Read access remains lockless because\npointer updates themselves are atomic.  However, writes (or cloning)\noften entail additional checking (like maximum instruction counts)\nwhich require locking to perform safely.\n\nIn the case of cloning threads, the child is invisible to the system\nuntil it enters the task list. To make sure a child can\u0027t be cloned from\na thread and left in a prior state, seccomp duplication is additionally\nmoved under the sighand lock. Then parent and child are certain to have\nthe same seccomp state when they exit the lock.\n\nBased on patches by Will Drewry and David Drysdale.\n\nSigned-off-by: Kees Cook \u003ckeescook@chromium.org\u003e\nReviewed-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nReviewed-by: Andy Lutomirski \u003cluto@amacapital.net\u003e\n\nConflicts:\n\tkernel/fork.c\n"
    },
    {
      "commit": "42835bc18120d0e5921ff07d2c2d8afd9783161a",
      "tree": "10ca7b612fae4221a7557fbfa269752e9c9a6b0d",
      "parents": [
        "aa064093b32bc5a386de8d441dabe262b78506c7"
      ],
      "author": {
        "name": "Kees Cook",
        "email": "keescook@chromium.org",
        "time": "Fri Jun 27 15:16:33 2014 -0700"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:04:56 2015 -0400"
      },
      "message": "seccomp: split filter prep from check and apply\n\nIn preparation for adding seccomp locking, move filter creation away\nfrom where it is checked and applied. This will allow for locking where\nno memory allocation is happening. The validation, filter attachment,\nand seccomp mode setting can all happen under the future locks.\n\nFor extreme defensiveness, I\u0027ve added a BUG_ON check for the calculated\nsize of the buffer allocation in case BPF_MAXINSN ever changes, which\nshouldn\u0027t ever happen. The compiler should actually optimize out this\ncheck since the test above it makes it impossible.\n\nSigned-off-by: Kees Cook \u003ckeescook@chromium.org\u003e\nReviewed-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nReviewed-by: Andy Lutomirski \u003cluto@amacapital.net\u003e\n\nConflicts:\n\tkernel/seccomp.c\n"
    },
    {
      "commit": "5eab130238adb0adc6100dbba713082c19794dbf",
      "tree": "e4c0af7539ca574904595f40c2344602116b2160",
      "parents": [
        "d7a4f76933fc2be05f2837f46045039c9d187d45"
      ],
      "author": {
        "name": "Kees Cook",
        "email": "keescook@chromium.org",
        "time": "Wed May 21 15:23:46 2014 -0700"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:04:54 2015 -0400"
      },
      "message": "sched: move no_new_privs into new atomic flags\n\nSince seccomp transitions between threads require updates to the\nno_new_privs flag to be atomic, the flag must be part of an atomic flag\nset. This moves the nnp flag into a separate task field, and introduces\naccessors.\n\nChange-Id: I4e764b1b1eb5296a3f7e498a89cfdd6624796c87\nSigned-off-by: Kees Cook \u003ckeescook@chromium.org\u003e\nReviewed-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nReviewed-by: Andy Lutomirski \u003cluto@amacapital.net\u003e\n"
    },
    {
      "commit": "95de3e500c6502922b9e66385f9f0aad23f21128",
      "tree": "dee1daf3c5ecbad2440cd684fcc4292660dbe6c3",
      "parents": [
        "bc4bd0fe1fb5326ed223684cd7da2143238ecdae"
      ],
      "author": {
        "name": "Kees Cook",
        "email": "keescook@chromium.org",
        "time": "Wed Jun 25 16:08:24 2014 -0700"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:04:52 2015 -0400"
      },
      "message": "seccomp: add \"seccomp\" syscall\n\nThis adds the new \"seccomp\" syscall with both an \"operation\" and \"flags\"\nparameter for future expansion. The third argument is a pointer value,\nused with the SECCOMP_SET_MODE_FILTER operation. Currently, flags must\nbe 0. This is functionally equivalent to prctl(PR_SET_SECCOMP, ...).\n\nIn addition to the TSYNC flag later in this patch series, there is a\nnon-zero chance that this syscall could be used for configuring a fixed\nargument area for seccomp-tracer-aware processes to pass syscall arguments\nin the future. Hence, the use of \"seccomp\" not simply \"seccomp_add_filter\"\nfor this syscall. Additionally, this syscall uses operation, flags,\nand user pointer for arguments because strictly passing arguments via\na user pointer would mean seccomp itself would be unable to trivially\nfilter the seccomp syscall itself.\n\nSigned-off-by: Kees Cook \u003ckeescook@chromium.org\u003e\nReviewed-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nReviewed-by: Andy Lutomirski \u003cluto@amacapital.net\u003e\n\nConflicts:\n\tarch/x86/syscalls/syscall_32.tbl\n\tarch/x86/syscalls/syscall_64.tbl\n\tinclude/linux/syscalls.h\n\tinclude/uapi/asm-generic/unistd.h\n\tinclude/uapi/linux/seccomp.h\n\tkernel/seccomp.c\n\tkernel/sys_ni.c\n"
    },
    {
      "commit": "bc4bd0fe1fb5326ed223684cd7da2143238ecdae",
      "tree": "04c2051d771e1e608d25b292bf162a39dc463010",
      "parents": [
        "c5c2ce744846c3d39e6a7566c2667a15eeb96914"
      ],
      "author": {
        "name": "Kees Cook",
        "email": "keescook@chromium.org",
        "time": "Wed Jun 25 15:55:25 2014 -0700"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:04:51 2015 -0400"
      },
      "message": "seccomp: split mode setting routines\n\nSeparates the two mode setting paths to make things more readable with\nfewer #ifdefs within function bodies.\n\nSigned-off-by: Kees Cook \u003ckeescook@chromium.org\u003e\nReviewed-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nReviewed-by: Andy Lutomirski \u003cluto@amacapital.net\u003e\n"
    },
    {
      "commit": "c5c2ce744846c3d39e6a7566c2667a15eeb96914",
      "tree": "c98a24b53982b8b46fdfa409ee1c7f9f446701b6",
      "parents": [
        "2d5f6983058ce215c4ca2bea1cc487cfe9263dda"
      ],
      "author": {
        "name": "Kees Cook",
        "email": "keescook@chromium.org",
        "time": "Wed Jun 25 15:38:02 2014 -0700"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:04:50 2015 -0400"
      },
      "message": "seccomp: extract check/assign mode helpers\n\nTo support splitting mode 1 from mode 2, extract the mode checking and\nassignment logic into common functions.\n\nSigned-off-by: Kees Cook \u003ckeescook@chromium.org\u003e\nReviewed-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nReviewed-by: Andy Lutomirski \u003cluto@amacapital.net\u003e\n"
    },
    {
      "commit": "2d5f6983058ce215c4ca2bea1cc487cfe9263dda",
      "tree": "51ce8257a1536edb522693380e19d80d5f729012",
      "parents": [
        "befe287761279005609dee31b13be05151d764ed"
      ],
      "author": {
        "name": "Kees Cook",
        "email": "keescook@chromium.org",
        "time": "Wed May 21 15:02:11 2014 -0700"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:04:49 2015 -0400"
      },
      "message": "seccomp: create internal mode-setting function\n\nIn preparation for having other callers of the seccomp mode setting\nlogic, split the prctl entry point away from the core logic that performs\nseccomp mode setting.\n\nSigned-off-by: Kees Cook \u003ckeescook@chromium.org\u003e\nReviewed-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nReviewed-by: Andy Lutomirski \u003cluto@amacapital.net\u003e\n"
    },
    {
      "commit": "befe287761279005609dee31b13be05151d764ed",
      "tree": "e0952c1adb3596cddacf5a923ca7bee04c186dd8",
      "parents": [
        "171ba895e1eed4c4758e37ca96a1869fabb25cec"
      ],
      "author": {
        "name": "Will Drewry",
        "email": "wad@chromium.org",
        "time": "Fri Apr 27 11:25:30 2012 -0500"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:04:48 2015 -0400"
      },
      "message": "CHROMIUM: seccomp: set -ENOSYS if there is no tracer\n\n[Will attempt to add to -next, but this may need to wait\n until there is a motivating usecase, like ARM, since x86\n does the right thing already.]\n\nOn some arches, -ENOSYS is not set as the default system call\nreturn value.  This means that a skipped or invalid system call\ndoes not yield this response.  That behavior is not in line with\nthe stated ABI of seccomp filter.  To that end, we ensure we set\nthat value here to avoid arch idiosyncrasies.\n\nSigned-off-by: Will Drewry \u003cwad@chromium.org\u003e\nTEST\u003dtegra2_kaen; boot, strace works, seccomp testsuite  trace tests pass\nBUG\u003dchromium-os:27878\n\nChange-Id: I03a5e633d2fbb5d3d3cc33c067b2887068364c17\nReviewed-on: https://gerrit.chromium.org/gerrit/21337\nReviewed-by: Kees Cook \u003ckeescook@chromium.org\u003e\nReviewed-by: Will Drewry \u003cwad@chromium.org\u003e\nTested-by: Will Drewry \u003cwad@chromium.org\u003e\nSigned-off-by: Sasha Levitskiy \u003csanek@google.com\u003e\n"
    },
    {
      "commit": "171ba895e1eed4c4758e37ca96a1869fabb25cec",
      "tree": "ff9b5c36d1c8625ac31fc1d4438e02ffc010644b",
      "parents": [
        "4ca6e672b116c412a4a6a39bc9610ffe2e4d0f9b"
      ],
      "author": {
        "name": "Will Drewry",
        "email": "wad@chromium.org",
        "time": "Tue Apr 17 14:48:58 2012 -0500"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:04:47 2015 -0400"
      },
      "message": "seccomp: fix build warnings when there is no CONFIG_SECCOMP_FILTER\n\nIf both audit and seccomp filter support are disabled, \u0027ret\u0027 is marked\nas unused.\n\nIf just seccomp filter support is disabled, data and skip are considered\nunused.\n\nThis change fixes those build warnings.\n\nReported-by: Stephen Rothwell \u003csfr@canb.auug.org.au\u003e\nSigned-off-by: Will Drewry \u003cwad@chromium.org\u003e\nAcked-by: Kees Cook \u003ckeescook@chromium.org\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n"
    },
    {
      "commit": "4ca6e672b116c412a4a6a39bc9610ffe2e4d0f9b",
      "tree": "a3074771f4abc14aef6baeb2a942615a32cc8773",
      "parents": [
        "695370290bc18dbd678f1c06f372c8351a6333f2"
      ],
      "author": {
        "name": "Will Drewry",
        "email": "wad@chromium.org",
        "time": "Thu Feb 09 12:08:39 2012 -0600"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:04:46 2015 -0400"
      },
      "message": "ptrace,seccomp: Add PTRACE_SECCOMP support\n\nThis change adds support for a new ptrace option, PTRACE_O_TRACESECCOMP,\nand a new return value for seccomp BPF programs, SECCOMP_RET_TRACE.\n\nWhen a tracer specifies the PTRACE_O_TRACESECCOMP ptrace option, the\ntracer will be notified, via PTRACE_EVENT_SECCOMP, for any syscall that\nresults in a BPF program returning SECCOMP_RET_TRACE.  The 16-bit\nSECCOMP_RET_DATA mask of the BPF program return value will be passed as\nthe ptrace_message and may be retrieved using PTRACE_GETEVENTMSG.\n\nIf the subordinate process is not using seccomp filter, then no\nsystem call notifications will occur even if the option is specified.\n\nIf there is no tracer with PTRACE_O_TRACESECCOMP when SECCOMP_RET_TRACE\nis returned, the system call will not be executed and an -ENOSYS errno\nwill be returned to userspace.\n\nThis change adds a dependency on the system call slow path.  Any future\nefforts to use the system call fast path for seccomp filter will need to\naddress this restriction.\n\nSigned-off-by: Will Drewry \u003cwad@chromium.org\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n\nv18: - rebase\n     - comment fatal_signal check\n     - acked-by\n     - drop secure_computing_int comment\nv17: - ...\nv16: - update PT_TRACE_MASK to 0xbf4 so that STOP isn\u0027t clear on SETOPTIONS call (indan@nul.nu)\n       [note PT_TRACE_MASK disappears in linux-next]\nv15: - add audit support for non-zero return codes\n     - clean up style (indan@nul.nu)\nv14: - rebase/nochanges\nv13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc\n       (Brings back a change to ptrace.c and the masks.)\nv12: - rebase to linux-next\n     - use ptrace_event and update arch/Kconfig to mention slow-path dependency\n     - drop all tracehook changes and inclusion (oleg@redhat.com)\nv11: - invert the logic to just make it a PTRACE_SYSCALL accelerator\n       (indan@nul.nu)\nv10: - moved to PTRACE_O_SECCOMP / 
PT_TRACE_SECCOMP\nv9:  - n/a\nv8:  - guarded PTRACE_SECCOMP use with an ifdef\nv7:  - introduced\n"
    },
    {
      "commit": "695370290bc18dbd678f1c06f372c8351a6333f2",
      "tree": "97bdeb658f81b1d6562fc9b9347608e5d478e4bb",
      "parents": [
        "15f81b8475370ab2a9642e1980ca0934c32c0e6a"
      ],
      "author": {
        "name": "Will Drewry",
        "email": "wad@chromium.org",
        "time": "Thu Feb 09 12:01:37 2012 -0600"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:04:45 2015 -0400"
      },
      "message": "seccomp: Add SECCOMP_RET_TRAP\n\nAdds a new return value to seccomp filters that triggers a SIGSYS to be\ndelivered with the new SYS_SECCOMP si_code.\n\nThis allows in-process system call emulation, including just specifying\nan errno or cleanly dumping core, rather than just dying.\n\nSuggested-by: Markus Gutschke \u003cmarkus@chromium.org\u003e\nSuggested-by: Julien Tinnes \u003cjln@chromium.org\u003e\nSigned-off-by: Will Drewry \u003cwad@chromium.org\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n\nv18: - acked-by, rebase\n     - don\u0027t mention secure_computing_int() anymore\nv15: - use audit_seccomp/skip\n     - pad out error spacing; clean up switch (indan@nul.nu)\nv14: - n/a\nv13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc\nv12: - rebase on to linux-next\nv11: - clarify the comment (indan@nul.nu)\n     - s/sigtrap/sigsys\nv10: - use SIGSYS, syscall_get_arch, updates arch/Kconfig\n       note suggested-by (though original suggestion had other behaviors)\nv9:  - changes to SIGILL\nv8:  - clean up based on changes to dependent patches\nv7:  - introduction\n"
    },
    {
      "commit": "43ec8251ea13acdeffe1fdb6313cf9cde9818d48",
      "tree": "b08cae45ad682048a6b597a68b5b24307be824d7",
      "parents": [
        "88b54e7859e88c3377510daa86a31802cda4f574"
      ],
      "author": {
        "name": "Will Drewry",
        "email": "wad@chromium.org",
        "time": "Wed Feb 15 20:45:54 2012 -0600"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:04:44 2015 -0400"
      },
      "message": "seccomp: add SECCOMP_RET_ERRNO\n\nThis change adds the SECCOMP_RET_ERRNO as a valid return value from a\nseccomp filter.  Additionally, it makes the first use of the lower\n16-bits for storing a filter-supplied errno.  16-bits is more than\nenough for the errno-base.h calls.\n\nReturning errors instead of immediately terminating processes that\nviolate seccomp policy allows for broader use of this functionality\nfor kernel attack surface reduction.  For example, a linux container\ncould maintain a whitelist of pre-existing system calls but drop\nall new ones with errnos.  This would keep a logically static attack\nsurface while providing errnos that may allow for graceful failure\nwithout the downside of do_exit() on a bad call.\n\nThis change also changes the signature of __secure_computing.  It\nappears the only direct caller is the arm entry code and it clobbers\nany possible return value (register) immediately.\n\nSigned-off-by: Will Drewry \u003cwad@chromium.org\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\nReviewed-by: Kees Cook \u003ckeescook@chromium.org\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n\nv18: - fix up comments and rebase\n     - fix bad var name which was fixed in later revs\n     - remove _int() and just change the __secure_computing signature\nv16-v17: ...\nv15: - use audit_seccomp and add a skip label. 
(eparis@redhat.com)\n     - clean up and pad out return codes (indan@nul.nu)\nv14: - no change/rebase\nv13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc\nv12: - move to WARN_ON if filter is NULL\n       (oleg@redhat.com, luto@mit.edu, keescook@chromium.org)\n     - return immediately for filter\u003d\u003dNULL (keescook@chromium.org)\n     - change evaluation to only compare the ACTION so that layered\n       errnos don\u0027t result in the lowest one being returned.\n       (keeschook@chromium.org)\nv11: - check for NULL filter (keescook@chromium.org)\nv10: - change loaders to fn\n v9: - n/a\n v8: - update Kconfig to note new need for syscall_set_return_value.\n     - reordered such that TRAP behavior follows on later.\n     - made the for loop a little less indent-y\n v7: - introduced\n"
    },
    {
      "commit": "88b54e7859e88c3377510daa86a31802cda4f574",
      "tree": "b4152eae2d69189c54d5fd9b9db687c4bbbc8933",
      "parents": [
        "980e920cbbb90c83e50f9287bd4dba5bd31f189a"
      ],
      "author": {
        "name": "Kees Cook",
        "email": "keescook@chromium.org",
        "time": "Sun Feb 26 11:56:12 2012 -0800"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:04:43 2015 -0400"
      },
      "message": "seccomp: remove duplicated failure logging\n\nThis consolidates the seccomp filter error logging path and adds more\ndetails to the audit log.\n\nSigned-off-by: Will Drewry \u003cwad@chromium.org\u003e\nSigned-off-by: Kees Cook \u003ckeescook@chromium.org\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n\nv18: make compat\u003d permanent in the record\nv15: added a return code to the audit_seccomp path by wad@chromium.org\n     (suggested by eparis@redhat.com)\nv*: original by keescook@chromium.org\n"
    },
    {
      "commit": "980e920cbbb90c83e50f9287bd4dba5bd31f189a",
      "tree": "fed0f3a9f7c0c6c9ea50823325cdbd51a7ade592",
      "parents": [
        "807936ec50ca1e4daab2daab94db3d5b2e02da9c"
      ],
      "author": {
        "name": "Will Drewry",
        "email": "wad@chromium.org",
        "time": "Thu Feb 09 11:50:58 2012 -0600"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:04:42 2015 -0400"
      },
      "message": "seccomp: add system call filtering using BPF\n\n[This patch depends on luto@mit.edu\u0027s no_new_privs patch:\n   https://lkml.org/lkml/2012/1/30/264\n The whole series including Andrew\u0027s patches can be found here:\n   https://github.com/redpig/linux/tree/seccomp\n Complete diff here:\n   https://github.com/redpig/linux/compare/1dc65fed...seccomp\n]\n\nThis patch adds support for seccomp mode 2.  Mode 2 introduces the\nability for unprivileged processes to install system call filtering\npolicy expressed in terms of a Berkeley Packet Filter (BPF) program.\nThis program will be evaluated in the kernel for each system call\nthe task makes and computes a result based on data in the format\nof struct seccomp_data.\n\nA filter program may be installed by calling:\n  struct sock_fprog fprog \u003d { ... };\n  ...\n  prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, \u0026fprog);\n\nThe return value of the filter program determines if the system call is\nallowed to proceed or denied.  If the first filter program installed\nallows prctl(2) calls, then the above call may be made repeatedly\nby a task to further reduce its access to the kernel.  All attached\nprograms must be evaluated before a system call will be allowed to\nproceed.\n\nFilter programs will be inherited across fork/clone and execve.\nHowever, if the task attaching the filter is unprivileged\n(!CAP_SYS_ADMIN) the no_new_privs bit will be set on the task.  This\nensures that unprivileged tasks cannot attach filters that affect\nprivileged tasks (e.g., setuid binary).\n\nThere are a number of benefits to this approach. 
A few of which are\nas follows:\n- BPF has been exposed to userland for a long time\n- BPF optimization (and JIT\u0027ing) are well understood\n- Userland already knows its ABI: system call numbers and desired\n  arguments\n- No time-of-check-time-of-use vulnerable data accesses are possible.\n- system call arguments are loaded on access only to minimize copying\n  required for system call policy decisions.\n\nMode 2 support is restricted to architectures that enable\nHAVE_ARCH_SECCOMP_FILTER.  In this patch, the primary dependency is on\nsyscall_get_arguments().  The full desired scope of this feature will\nadd a few minor additional requirements expressed later in this series.\nBased on discussion, SECCOMP_RET_ERRNO and SECCOMP_RET_TRACE seem to be\nthe desired additional functionality.\n\nNo architectures are enabled in this patch.\n\nSigned-off-by: Will Drewry \u003cwad@chromium.org\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\nReviewed-by: Indan Zupancic \u003cindan@nul.nu\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n\nv18: - rebase to v3.4-rc2\n     - s/chk/check/ (akpm@linux-foundation.org,jmorris@namei.org)\n     - allocate with GFP_KERNEL|__GFP_NOWARN (indan@nul.nu)\n     - add a comment for get_u32 regarding endianness (akpm@)\n     - fix other typos, style mistakes (akpm@)\n     - added acked-by\nv17: - properly guard seccomp filter needed headers (leann@ubuntu.com)\n     - tighten return mask to 0x7fff0000\nv16: - no change\nv15: - add a 4 instr penalty when counting a path to account for seccomp_filter\n       size (indan@nul.nu)\n     - drop the max insns to 256KB (indan@nul.nu)\n     - return ENOMEM if the max insns limit has been hit (indan@nul.nu)\n     - move IP checks after args (indan@nul.nu)\n     - drop !user_filter check (indan@nul.nu)\n     - only allow explicit bpf codes (indan@nul.nu)\n     - exit_code -\u003e exit_sig\nv14: - put/get_seccomp_filter takes struct task_struct\n       
(indan@nul.nu,keescook@chromium.org)\n     - adds seccomp_chk_filter and drops general bpf_run/chk_filter user\n     - add seccomp_bpf_load for use by net/core/filter.c\n     - lower max per-process/per-hierarchy: 1MB\n     - moved nnp/capability check prior to allocation\n       (all of the above: indan@nul.nu)\nv13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc\nv12: - added a maximum instruction count per path (indan@nul.nu,oleg@redhat.com)\n     - removed copy_seccomp (keescook@chromium.org,indan@nul.nu)\n     - reworded the prctl_set_seccomp comment (indan@nul.nu)\nv11: - reorder struct seccomp_data to allow future args expansion (hpa@zytor.com)\n     - style clean up, @compat dropped, compat_sock_fprog32 (indan@nul.nu)\n     - do_exit(SIGSYS) (keescook@chromium.org, luto@mit.edu)\n     - pare down Kconfig doc reference.\n     - extra comment clean up\nv10: - seccomp_data has changed again to be more aesthetically pleasing\n       (hpa@zytor.com)\n     - calling convention is noted in a new u32 field using syscall_get_arch.\n       This allows for cross-calling convention tasks to use seccomp filters.\n       (hpa@zytor.com)\n     - lots of clean up (thanks, Indan!)\n v9: - n/a\n v8: - use bpf_chk_filter, bpf_run_filter. 
update load_fns\n     - Lots of fixes courtesy of indan@nul.nu:\n     -- fix up load behavior, compat fixups, and merge alloc code,\n     -- renamed pc and dropped __packed, use bool compat.\n     -- Added a hidden CONFIG_SECCOMP_FILTER to synthesize non-arch\n        dependencies\n v7:  (massive overhaul thanks to Indan, others)\n     - added CONFIG_HAVE_ARCH_SECCOMP_FILTER\n     - merged into seccomp.c\n     - minimal seccomp_filter.h\n     - no config option (part of seccomp)\n     - no new prctl\n     - doesn\u0027t break seccomp on systems without asm/syscall.h\n       (works but arg access always fails)\n     - dropped seccomp_init_task, extra free functions, ...\n     - dropped the no-asm/syscall.h code paths\n     - merges with network sk_run_filter and sk_chk_filter\n v6: - fix memory leak on attach compat check failure\n     - require no_new_privs || CAP_SYS_ADMIN prior to filter\n       installation. (luto@mit.edu)\n     - s/seccomp_struct_/seccomp_/ for macros/functions (amwang@redhat.com)\n     - cleaned up Kconfig (amwang@redhat.com)\n     - on block, note if the call was compat (so the # means something)\n v5: - uses syscall_get_arguments\n       (indan@nul.nu,oleg@redhat.com, mcgrathr@chromium.org)\n      - uses union-based arg storage with hi/lo struct to\n        handle endianness.  
Compromises between the two alternate\n        proposals to minimize extra arg shuffling and account for\n        endianness assuming userspace uses offsetof().\n        (mcgrathr@chromium.org, indan@nul.nu)\n      - update Kconfig description\n      - add include/seccomp_filter.h and add its installation\n      - (naive) on-demand syscall argument loading\n      - drop seccomp_t (eparis@redhat.com)\n v4:  - adjusted prctl to make room for PR_[SG]ET_NO_NEW_PRIVS\n      - now uses current-\u003eno_new_privs\n        (luto@mit.edu,torvalds@linux-foundation.com)\n      - assign names to seccomp modes (rdunlap@xenotime.net)\n      - fix style issues (rdunlap@xenotime.net)\n      - reworded Kconfig entry (rdunlap@xenotime.net)\n v3:  - macros to inline (oleg@redhat.com)\n      - init_task behavior fixed (oleg@redhat.com)\n      - drop creator entry and extra NULL check (oleg@redhat.com)\n      - alloc returns -EINVAL on bad sizing (serge.hallyn@canonical.com)\n      - adds tentative use of \"always_unprivileged\" as per\n        torvalds@linux-foundation.org and luto@mit.edu\n v2:  - (patch 2 only)\n"
    },
    {
      "commit": "85e7bac33b8d5edafc4e219c7dfdb3d48e0b4e31",
      "tree": "6a1f178de829d2219a65a8563e12f2c8029d4b13",
      "parents": [
        "16c174bd95cb07c9d0ad3fcd8c70f9cea7214c9d"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Jan 03 14:23:05 2012 -0500"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Tue Jan 17 16:16:55 2012 -0500"
      },
      "message": "seccomp: audit abnormal end to a process due to seccomp\n\nThe audit system likes to collect information about processes that end\nabnormally (SIGSEGV) as this may me useful intrusion detection information.\nThis patch adds audit support to collect information when seccomp forces a\ntask to exit because of misbehavior in a similar way.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "5b1017404aea6d2e552e991b3fd814d839e9cd67",
      "tree": "8af3679beab1541d8c77afe28bc261196f03c083",
      "parents": [
        "ccbe495caa5e604b04d5a31d7459a6f6a76a756c"
      ],
      "author": {
        "name": "Roland McGrath",
        "email": "roland@redhat.com",
        "time": "Fri Feb 27 23:25:54 2009 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Mar 02 15:41:30 2009 -0800"
      },
      "message": "x86-64: seccomp: fix 32/64 syscall hole\n\nOn x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with\nljmp, and then use the \"syscall\" instruction to make a 64-bit system\ncall.  A 64-bit process make a 32-bit system call with int $0x80.\n\nIn both these cases under CONFIG_SECCOMP\u003dy, secure_computing() will use\nthe wrong system call number table.  The fix is simple: test TS_COMPAT\ninstead of TIF_IA32.  Here is an example exploit:\n\n\t/* test case for seccomp circumvention on x86-64\n\n\t   There are two failure modes: compile with -m64 or compile with -m32.\n\n\t   The -m64 case is the worst one, because it does \"chmod 777 .\" (could\n\t   be any chmod call).  The -m32 case demonstrates it was able to do\n\t   stat(), which can glean information but not harm anything directly.\n\n\t   A buggy kernel will let the test do something, print, and exit 1; a\n\t   fixed kernel will make it exit with SIGKILL before it does anything.\n\t*/\n\n\t#define _GNU_SOURCE\n\t#include \u003cassert.h\u003e\n\t#include \u003cinttypes.h\u003e\n\t#include \u003cstdio.h\u003e\n\t#include \u003clinux/prctl.h\u003e\n\t#include \u003csys/stat.h\u003e\n\t#include \u003cunistd.h\u003e\n\t#include \u003casm/unistd.h\u003e\n\n\tint\n\tmain (int argc, char **argv)\n\t{\n\t  char buf[100];\n\t  static const char dot[] \u003d \".\";\n\t  long ret;\n\t  unsigned st[24];\n\n\t  if (prctl (PR_SET_SECCOMP, 1, 0, 0, 0) !\u003d 0)\n\t    perror (\"prctl(PR_SET_SECCOMP) -- not compiled into kernel?\");\n\n\t#ifdef __x86_64__\n\t  assert ((uintptr_t) dot \u003c (1UL \u003c\u003c 32));\n\t  asm (\"int $0x80 # %0 \u003c- %1(%2 %3)\"\n\t       : \"\u003da\" (ret) : \"0\" (15), \"b\" (dot), \"c\" (0777));\n\t  ret \u003d snprintf (buf, sizeof buf,\n\t\t\t  \"result %ld (check mode on .!)\\n\", ret);\n\t#elif defined __i386__\n\t  asm (\".code32\\n\"\n\t       \"pushl %%cs\\n\"\n\t       \"pushl $2f\\n\"\n\t       \"ljmpl $0x33, $1f\\n\"\n\t       \".code64\\n\"\n\t     
  \"1: syscall # %0 \u003c- %1(%2 %3)\\n\"\n\t       \"lretl\\n\"\n\t       \".code32\\n\"\n\t       \"2:\"\n\t       : \"\u003da\" (ret) : \"0\" (4), \"D\" (dot), \"S\" (\u0026st));\n\t  if (ret \u003d\u003d 0)\n\t    ret \u003d snprintf (buf, sizeof buf,\n\t\t\t    \"stat . -\u003e st_uid\u003d%u\\n\", st[7]);\n\t  else\n\t    ret \u003d snprintf (buf, sizeof buf, \"result %ld\\n\", ret);\n\t#else\n\t# error \"not this one\"\n\t#endif\n\n\t  write (1, buf, ret);\n\n\t  syscall (__NR_exit, 1);\n\t  return 2;\n\t}\n\nSigned-off-by: Roland McGrath \u003croland@redhat.com\u003e\n[ I don\u0027t know if anybody actually uses seccomp, but it\u0027s enabled in\n  at least both Fedora and SuSE kernels, so maybe somebody is. - Linus ]\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "cf99abace7e07dd8491e7093a9a9ef11d48838ed",
      "tree": "3b7cfd7c76c2c43e6ae3fdaaff3a50a752072424",
      "parents": [
        "1d9d02feeee89e9132034d504c9a45eeaf618a3d"
      ],
      "author": {
        "name": "Andrea Arcangeli",
        "email": "andrea@cpushare.com",
        "time": "Sun Jul 15 23:41:33 2007 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@woody.linux-foundation.org",
        "time": "Mon Jul 16 09:05:50 2007 -0700"
      },
      "message": "make seccomp zerocost in schedule\n\nThis follows a suggestion from Chuck Ebbert on how to make seccomp\nabsolutely zerocost in schedule too.  The only remaining footprint of\nseccomp is in terms of the bzImage size that becomes a few bytes (perhaps\neven a few kbytes) larger, measure it if you care in the embedded.\n\nSigned-off-by: Andrea Arcangeli \u003candrea@cpushare.com\u003e\nCc: Andi Kleen \u003cak@suse.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "1d9d02feeee89e9132034d504c9a45eeaf618a3d",
      "tree": "a4324cce8acd77cace3b1d4cf3a1e61783707e5c",
      "parents": [
        "be0ef957c9eed4ebae873ee3fbcfb9dfde486dec"
      ],
      "author": {
        "name": "Andrea Arcangeli",
        "email": "andrea@cpushare.com",
        "time": "Sun Jul 15 23:41:32 2007 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@woody.linux-foundation.org",
        "time": "Mon Jul 16 09:05:50 2007 -0700"
      },
      "message": "move seccomp from /proc to a prctl\n\nThis reduces the memory footprint and it enforces that only the current\ntask can enable seccomp on itself (this is a requirement for a\nstrightforward [modulo preempt ;) ] TIF_NOTSC implementation).\n\nSigned-off-by: Andrea Arcangeli \u003candrea@cpushare.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
      "tree": "0bba044c4ce775e45a88a51686b5d9f90697ea9d",
      "parents": [],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@ppc970.osdl.org",
        "time": "Sat Apr 16 15:20:36 2005 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@ppc970.osdl.org",
        "time": "Sat Apr 16 15:20:36 2005 -0700"
      },
      "message": "Linux-2.6.12-rc2\n\nInitial git repository build. I\u0027m not bothering with the full history,\neven though we have it. We can create a separate \"historical\" git\narchive of that later if we want to, and in the meantime it\u0027s about\n3.2GB when imported into git - space that would just make the early\ngit days unnecessarily complicated, when we don\u0027t have a lot of good\ninfrastructure for it.\n\nLet it rip!\n"
    }
  ]
}
