[Precise][SRU][PATCH] UBUNTU: SAUCE: backport ARM seccomp-bpf support
Andy Whitcroft
apw at canonical.com
Sun Nov 10 13:58:38 UTC 2013
On Thu, Nov 07, 2013 at 09:21:40AM -0800, Kees Cook wrote:
> Sure! I actually already added that to the bug[1] report, since that
> seemed the right place to collect the SRU details. Repeating it here
> for good measure:
>
> [Test Case]
> git clone https://github.com/redpig/seccomp.git
> cd seccomp/tests
> make
> ./seccomp_bpf_tests
> All tests should pass
>
> > Could you confirm that this should not affect operations but is mostly
> > fixing up holes that might be exploitable.
>
> It does not change x86 operation, and does not fix exploitable holes.
> It simply makes seccomp-bpf available at all on ARM. Before this
> patch, seccomp-bpf couldn't be used on ARM. The driving motivation
> here is to get Chrome on ARM on Precise making use of its full
> sandboxing capabilities.
>
> > Otherwise I assume what this does is bring what is in Precise up to the
> > same level as mainline, allowing us to guarantee that more modern
> > consumers of this interface will work consistently on all releases back
> > to Precise.
>
> Correct -- in the core seccomp, it fixes 1 extremely minor difference
> between Precise and mainline (the action masks), but that change has
> no behavioral difference for "real" seccomp filters, and the old
> situation posed no risk to the system for a "bad" seccomp filter. It
> was simply noticed during the much more strict test case execution.
>
> Besides that, it just wires up everything that is required on ARM to
> call into seccomp correctly.
>
> -Kees
>
> [1] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1183616
Thanks for all those juicy details. Just what I was trying to
understand.
-apw
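The SRU test case above runs the full seccomp_bpf_tests suite. As an added example, not from the patch, the test suite or either author, here is a minimal C program that installs a seccomp-bpf filter the way a consumer such as Chrome's sandbox does: it checks the arch field of seccomp_data before trusting the syscall number (syscall numbers differ between ARM and x86, so a filter that skips this check can be tricked), fails getppid with EPERM, and reports EINVAL from prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER) as "seccomp-bpf unavailable", which is what a kernel built without filter support returns and the situation on Precise ARM before this backport. The choice of getppid as the denied syscall, the child exit codes and the small interpreter for the BPF subset used are assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif

/* Arch the filter accepts. A filter must check seccomp_data.arch before
 * trusting seccomp_data.nr, because syscall numbers differ per arch. */
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define FILTER_ARCH AUDIT_ARCH_I386
#elif defined(__arm__)
#define FILTER_ARCH AUDIT_ARCH_ARM
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "no AUDIT_ARCH_* mapping for this architecture"
#endif

/* Example policy (chosen for this demo): kill on arch mismatch,
 * fail getppid with EPERM, allow every other syscall. */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof(filter) / sizeof(filter[0]))

unsigned int filter_arch(void) { return FILTER_ARCH; }

/* Interpreter for the classic-BPF subset used above (LD|W|ABS, JMP|JEQ|K,
 * RET|K), so the filter's decisions can be checked without installing it. */
unsigned int simulate_filter(unsigned int arch, int nr)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    unsigned int acc = 0;
    for (size_t pc = 0; pc < FILTER_LEN; pc++) {
        const struct sock_filter *in = &filter[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + sizeof acc > sizeof d)
                return SECCOMP_RET_KILL;      /* out-of-bounds load */
            memcpy(&acc, (const char *)&d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf; /* offsets are relative to next insn */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;          /* opcode not modelled here */
        }
    }
    return SECCOMP_RET_KILL;                  /* fell off the end: reject */
}

/* Returns 1 if the kernel installed and enforced the filter, 0 if
 * PR_SET_SECCOMP failed with EINVAL (no seccomp-bpf support, the
 * pre-backport Precise/ARM case), -1 on any other failure. Runs in a
 * forked child so the caller's own process stays unfiltered. */
int probe_seccomp_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)FILTER_LEN, .filter = filter };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Needed to install a filter without CAP_SYS_ADMIN. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
            _exit(11);
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
            _exit(errno == EINVAL ? 10 : 11);
        /* Under the filter this must fail with EPERM rather than succeed. */
        long r = syscall(SYS_getppid);
        _exit(r == -1 && errno == EPERM ? 0 : 12);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 1;
    case 10: return 0;
    default: return -1;
    }
}

int main(void)
{
    int r = probe_seccomp_filter();
    printf("seccomp-bpf filter: %s\n",
           r == 1 ? "installed and enforced" :
           r == 0 ? "not supported by this kernel (EINVAL)" : "probe failed");
    return r == 1 ? 0 : 1;
}
```

On a kernel with the backport applied the probe reports "installed and enforced"; on one without filter support PR_SET_SECCOMP fails with EINVAL, which is the quickest way to tell the two states apart without building the full test suite. Note that the arch check uses SECCOMP_RET_KILL rather than SECCOMP_RET_ERRNO: an unexpected arch means the syscall number cannot be interpreted at all, so the only safe action is to terminate.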