[Trusty][pull-request v2] LP: #1379020 (seccomp tsync)

Luis Henriques luis.henriques at canonical.com
Tue Oct 21 10:21:18 UTC 2014


On Mon, Oct 20, 2014 at 11:49:39AM -0700, Kees Cook wrote:
> Hi!
> 
> This is to backport the seccomp thread-sync (and syscall) interface from
> 3.17. There was some backporting needed in a few areas, as marked in
> []s before my SoB in the series. The most notable is skipping various
> new syscalls (which are wired to sys_ni_syscall).
> 
> This has been tested against the seccomp regression test suite on
> x86_64. I don't have a working Ubuntu ARM test environment, so that
> is presently untested. The series is, however, based on the Chrome OS
> backport to 3.14, which builds and works on ARM. In theory it should be
> fine on Ubuntu too! :)
> 
> This v2 fixes the ARM syscall count. (Specifically in
> arch/arm/include/asm/unistd.h from "ARM: add seccomp syscall")
> 

Thanks for fixing this, Kees.

I only see a minor issue now: commit 8b4abf496654 ("ARM: add seccomp
syscall") adds an entry to debian.master/changelog, which shouldn't
happen.

I'm also not sure we really care about commit e2357ea70fdd ("MIPS:
add seccomp syscall"), but since it is contained to the arch/mips/
directory, it's probably not an issue.

Cheers,
--
Luís

> Thanks!
> 
> -Kees
> 
> The following changes since commit 2d22fc7acd4f91209e5de492baceb84d8836e18c:
> 
>   UBUNTU: Ubuntu-3.13.0-38.65 (2014-10-09 10:32:10 +0100)
> 
> are available in the git repository at:
> 
>   https://github.com/kees/linux.git ubuntu-trusty
> 
> for you to fetch changes up to 665973e5b5459c9f0c8d9dd7934a4678713ac618:
> 
>   seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock (2014-10-20 11:38:55 -0700)
> 
> ----------------------------------------------------------------
> Guenter Roeck (1):
>       seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock
> 
> Kees Cook (11):
>       seccomp: create internal mode-setting function
>       seccomp: extract check/assign mode helpers
>       seccomp: split mode setting routines
>       seccomp: add "seccomp" syscall 
>       ARM: add seccomp syscall
>       MIPS: add seccomp syscall
>       sched: move no_new_privs into new atomic flags
>       seccomp: split filter prep from check and apply
>       seccomp: introduce writer locking
>       seccomp: allow mode setting across threads
>       seccomp: implement SECCOMP_FILTER_FLAG_TSYNC
> 
> Rashika Kheria (1):
>       UPSTREAM: kernel: Mark function as static in kernel/seccomp.c
> 
> Will Deacon (1):
>       ARM: 8087/1: ptrace: reload syscall number after secure_computing() check
> 
>  arch/Kconfig                        |   1 +
>  arch/arm/include/asm/unistd.h       |   2 +-
>  arch/arm/include/uapi/asm/unistd.h  |   4 +
>  arch/arm/kernel/calls.S             |   4 +
>  arch/arm/kernel/ptrace.c            |   7 +-
>  arch/mips/include/uapi/asm/unistd.h |  24 ++-
>  arch/mips/kernel/scall32-o32.S      |   4 +
>  arch/mips/kernel/scall64-64.S       |   4 +
>  arch/mips/kernel/scall64-n32.S      |   4 +
>  arch/mips/kernel/scall64-o32.S      |   4 +
>  arch/x86/syscalls/syscall_32.tbl    |   4 +
>  arch/x86/syscalls/syscall_64.tbl    |   4 +
>  debian.master/changelog             |  10 +-
>  fs/exec.c                           |   6 +-
>  include/linux/sched.h               |  18 +-
>  include/linux/seccomp.h             |   8 +-
>  include/linux/syscalls.h            |   2 +
>  include/uapi/asm-generic/unistd.h   |  10 +-
>  include/uapi/linux/seccomp.h        |   7 +
>  kernel/fork.c                       |  49 ++++-
>  kernel/seccomp.c                    | 412 +++++++++++++++++++++++++++++++-----
>  kernel/sys.c                        |   4 +-
>  kernel/sys_ni.c                     |   3 +
>  security/apparmor/domain.c          |   4 +-
>  24 files changed, 515 insertions(+), 84 deletions(-)
> 
> 
> > 
> > The following changes since commit 5a08fea5398ad558f2b2ee884ff93ddf6c34108a:
> > 
> >   UBUNTU: Ubuntu-3.13.0-37.64 (2014-09-22 15:51:48 -0400)
> > 
> > are available in the git repository at:
> > 
> >   git@github.com:kees/linux.git ubuntu-trusty
> > 
> > for you to fetch changes up to 0e61aac09d3c46fcddd3ee4dfa625d5e541ecea4:
> > 
> >   seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock (2014-10-08 13:57:11 -0700)
> > 
> > ----------------------------------------------------------------
> > Guenter Roeck (1):
> >       seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock
> > 
> > Kees Cook (11):
> >       seccomp: create internal mode-setting function
> >       seccomp: extract check/assign mode helpers
> >       seccomp: split mode setting routines
> >       seccomp: add "seccomp" syscall
> >       ARM: add seccomp syscall
> >       MIPS: add seccomp syscall
> >       sched: move no_new_privs into new atomic flags
> >       seccomp: split filter prep from check and apply
> >       seccomp: introduce writer locking
> >       seccomp: allow mode setting across threads
> >       seccomp: implement SECCOMP_FILTER_FLAG_TSYNC
> > 
> > Rashika Kheria (1):
> >       UPSTREAM: kernel: Mark function as static in kernel/seccomp.c
> > 
> > Will Deacon (1):
> >       ARM: 8087/1: ptrace: reload syscall number after secure_computing() check
> > 
> >  arch/Kconfig                        |   1 +
> >  arch/arm/include/uapi/asm/unistd.h  |   4 +
> >  arch/arm/kernel/calls.S             |   4 +
> >  arch/arm/kernel/ptrace.c            |   7 +-
> >  arch/mips/include/uapi/asm/unistd.h |  24 +++-
> >  arch/mips/kernel/scall32-o32.S      |   4 +
> >  arch/mips/kernel/scall64-64.S       |   4 +
> >  arch/mips/kernel/scall64-n32.S      |   4 +
> >  arch/mips/kernel/scall64-o32.S      |   4 +
> >  arch/x86/syscalls/syscall_32.tbl    |   4 +
> >  arch/x86/syscalls/syscall_64.tbl    |   4 +
> >  fs/exec.c                           |   6 +-
> >  include/linux/sched.h               |  18 ++-
> >  include/linux/seccomp.h             |   8 +-
> >  include/linux/syscalls.h            |   2 +
> >  include/uapi/asm-generic/unistd.h   |  10 +-
> >  include/uapi/linux/seccomp.h        |   7 +
> >  kernel/fork.c                       |  49 ++++++-
> >  kernel/seccomp.c                    | 412 ++++++++++++++++++++++++++++++++++++++++++++++++--------
> >  kernel/sys.c                        |   4 +-
> >  kernel/sys_ni.c                     |   3 +
> >  security/apparmor/domain.c          |   4 +-
> >  22 files changed, 505 insertions(+), 82 deletions(-)
> > 
> > 
> > -- 
> > Kees Cook
> -- 
> Kees Cook



