[Precise][Pull Request] SECCOMP mode 2, BPF
Kees Cook
kees at ubuntu.com
Wed Mar 21 19:18:04 UTC 2012
The following changes since commit b0c18ca93ec9fec352594a5a1ab16c3aec131f96:

  Leann Ogasawara (1):
        UBUNTU: Ubuntu-3.2.0-19.31

are available in the git repository at:

  git://github.com/kees/linux.git ubuntu-precise

Andy Lutomirski (1):
      UBUNTU: SAUCE: SECCOMP: Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs

Eric Paris (1):
      seccomp: audit abnormal end to a process due to seccomp

John Johansen (1):
      UBUNTU: SAUCE: SECCOMP: Fix apparmor for PR_{GET,SET}_NO_NEW_PRIVS

Kees Cook (2):
      UBUNTU: SAUCE: SECCOMP: seccomp: remove duplicated failure logging
      UBUNTU: [Config] SECCOMP_FILTER=y

Will Drewry (12):
      UBUNTU: SAUCE: SECCOMP: sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W
      UBUNTU: SAUCE: SECCOMP: net/compat.c,linux/filter.h: share compat_sock_fprog
      UBUNTU: SAUCE: SECCOMP: seccomp: kill the seccomp_t typedef
      UBUNTU: SAUCE: SECCOMP: arch/x86: add syscall_get_arch to syscall.h
      UBUNTU: SAUCE: SECCOMP: asm/syscall.h: add syscall_get_arch
      UBUNTU: SAUCE: SECCOMP: seccomp: add system call filtering using BPF
      UBUNTU: SAUCE: SECCOMP: seccomp: add SECCOMP_RET_ERRNO
      UBUNTU: SAUCE: SECCOMP: signal, x86: add SIGSYS info and make it synchronous.
      UBUNTU: SAUCE: SECCOMP: seccomp: Add SECCOMP_RET_TRAP
      UBUNTU: SAUCE: SECCOMP: ptrace,seccomp: Add PTRACE_SECCOMP support
      UBUNTU: SAUCE: SECCOMP: x86: Enable HAVE_ARCH_SECCOMP_FILTER
      UBUNTU: SAUCE: SECCOMP: Documentation: prctl/seccomp_filter

 Documentation/prctl/seccomp_filter.txt         | 156 +++++++++
 arch/Kconfig                                   |  24 ++
 arch/x86/Kconfig                               |   1 +
 arch/x86/ia32/ia32_signal.c                    |   4 +
 arch/x86/include/asm/ia32.h                    |   6 +
 arch/x86/include/asm/syscall.h                 |  23 ++
 arch/x86/kernel/ptrace.c                       |   7 +-
 debian.master/config/amd64/config.common.amd64 |   1 +
 debian.master/config/enforce                   |   2 +-
 debian.master/config/i386/config.common.i386   |   1 +
 fs/exec.c                                      |  10 +-
 include/asm-generic/siginfo.h                  |  22 ++
 include/asm-generic/syscall.h                  |  14 +
 include/linux/Kbuild                           |   1 +
 include/linux/audit.h                          |   8 +
 include/linux/filter.h                         |  12 +
 include/linux/prctl.h                          |  15 +
 include/linux/ptrace.h                         |   7 +-
 include/linux/sched.h                          |   4 +-
 include/linux/seccomp.h                        | 105 +++++-
 include/linux/security.h                       |   1 +
 kernel/auditsc.c                               |  58 ++--
 kernel/fork.c                                  |   3 +
 kernel/ptrace.c                                |   3 +
 kernel/seccomp.c                               | 446 +++++++++++++++++++++++-
 kernel/signal.c                                |   9 +-
 kernel/sys.c                                   |  12 +-
 net/compat.c                                   |   8 -
 net/core/filter.c                              |   6 +
 samples/Makefile                               |   2 +-
 samples/seccomp/Makefile                       |  38 ++
 samples/seccomp/bpf-direct.c                   | 176 ++++++++++
 samples/seccomp/bpf-fancy.c                    | 102 ++++++
 samples/seccomp/bpf-helper.c                   |  89 +++++
 samples/seccomp/bpf-helper.h                   | 238 +++++++++++++
 samples/seccomp/dropper.c                      |  68 ++++
 security/apparmor/domain.c                     |  35 ++
 security/commoncap.c                           |   7 +-
 security/selinux/hooks.c                       |  10 +-
 39 files changed, 1660 insertions(+), 74 deletions(-)
 create mode 100644 Documentation/prctl/seccomp_filter.txt
 create mode 100644 samples/seccomp/Makefile
 create mode 100644 samples/seccomp/bpf-direct.c
 create mode 100644 samples/seccomp/bpf-fancy.c
 create mode 100644 samples/seccomp/bpf-helper.c
 create mode 100644 samples/seccomp/bpf-helper.h
 create mode 100644 samples/seccomp/dropper.c

--
Kees Cook