[Precise][SRU][PATCH] UBUNTU: SAUCE: backport ARM seccomp-bpf support

Andy Whitcroft apw at canonical.com
Sun Nov 10 13:58:38 UTC 2013


On Thu, Nov 07, 2013 at 09:21:40AM -0800, Kees Cook wrote:

> Sure! I actually already added that to the bug[1] report, since that
> seemed the right place to collect the SRU details. Repeating it here
> for good measure:
> 
> [Test Case]
> git clone https://github.com/redpig/seccomp.git
> cd seccomp/tests
> make
> ./seccomp_bpf_tests
> All tests should pass
> 
> > Could you confirm that this should not affect operations but is mostly
> > fixing up holes that might be exploitable.
> 
> It does not change x86 operation, and does not fix exploitable holes.
> It simply makes seccomp-bpf available at all on ARM. Before this
> patch, seccomp-bpf couldn't be used on ARM. The driving motivation
> here is to get Chrome on ARM on Precise making use of its full
> sandboxing capabilities.
> 
> > Otherwise I assume what this does is bring what is in Precise up to the
> > same level as mainline, allowing us to guarantee that more modern
> > consumers of this interface will work consistently on all releases back
> > to Precise.
> 
> Correct -- in the core seccomp, it fixes 1 extremely minor difference
> between Precise and mainline (the action masks), but that change has
> no behavioral difference for "real" seccomp filters, and the old
> situation posed no risk to the system for a "bad" seccomp filter. It
> was simply noticed during the much more strict test case execution.
> 
> Besides that, it just wires up everything that is required on ARM to
> call into seccomp correctly.
> 
> -Kees
> 
> [1] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1183616

Thanks for all those juicy details.  Just what I was trying to
understand.

-apw
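The thread above talks about seccomp-bpf becoming usable on ARM and about the test suite that exercises it, but shows no filter. The program below is an added example, not part of this thread, the SRU patch or the redpig test suite: it probes whether the running kernel offers seccomp-bpf at all (a NULL program is rejected with EFAULT when the mode exists and EINVAL when it does not), builds a small allow-list filter with the usual architecture check in front of the syscall dispatch, evaluates that filter in a tiny userspace model so its decisions can be checked without installing it, and finally installs it. The AUDIT_ARCH_* mapping, the allow list and the EPERM-instead-of-kill policy are choices made for this example; `filter_decide` is a model of the three opcodes this filter uses, not the kernel's BPF engine.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Architecture value the kernel reports in seccomp_data.arch (assumed mapping). */
#if defined(__arm__)
#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
#elif defined(__aarch64__)
#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__x86_64__)
#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Two instructions: allow the syscall if the accumulator holds its number. */
#define ALLOW_SYSCALL(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Example allow-list: read/write/exit only; anything else fails with EPERM. */
static struct sock_filter filter[] = {
    /* Architecture check first: a syscall number means nothing without it. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* Then dispatch on the syscall number. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW_SYSCALL(__NR_read),
    ALLOW_SYSCALL(__NR_write),
    ALLOW_SYSCALL(__NR_exit_group),
    ALLOW_SYSCALL(__NR_exit),
    /* Return an errno instead of killing so the denial can be observed. */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
};

size_t filter_insn_count(void) { return sizeof(filter) / sizeof(filter[0]); }

/* Userspace model of the kernel's evaluation of `filter` for one syscall.
 * Handles only the three opcodes used above and fails closed otherwise. */
uint32_t filter_decide(uint32_t arch, int nr)
{
    struct seccomp_data data;
    uint32_t acc = 0;
    size_t pc;

    memset(&data, 0, sizeof data);
    data.arch = arch;
    data.nr = nr;
    for (pc = 0; pc < filter_insn_count(); pc++) {
        const struct sock_filter *in = &filter[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:           /* acc = 32-bit word at offset k */
            if (in->k + sizeof acc > sizeof data)
                return SECCOMP_RET_KILL;
            memcpy(&acc, (const char *)&data + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:          /* pc += (acc == k) ? jt : jf */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:                    /* final verdict */
            return in->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* Probe without installing anything. 1 = seccomp-bpf present, 0 = absent,
 * -1 = unexpected result (e.g. the NULL program was accepted). */
int seccomp_bpf_available(void)
{
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0) == 0)
        return -1;
    if (errno == EFAULT)
        return 1;
    return errno == EINVAL ? 0 : -1;
}

/* Install the filter on the calling thread. Returns 0 or -errno. */
int install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)filter_insn_count(),
                               .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0))
        return -errno;
    return 0;
}

int main(void)
{
    int rc;
    printf("seccomp-bpf available: %d\n", seccomp_bpf_available());
    if ((rc = install_filter()) != 0) {
        printf("install failed: %s\n", strerror(-rc));
        return 1;
    }
    /* getpid is not on the allow list, so it must now fail with EPERM. */
    if (syscall(SYS_getpid) == -1 && errno == EPERM)
        write(1, "getpid denied with EPERM\n", 25);
    return 0;
}
```

Running the binary on a Precise ARM kernel without the backport prints `seccomp-bpf available: 0` and `install failed: Invalid argument`; with the backport (or on any mainline kernel) it prints `1` and then the EPERM line. The architecture check matters on multi-ABI systems because a syscall number only has meaning relative to the ABI that issued it.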
