[SRU][Mako][Wily] seccomp filters backport
Kyle Fazzari
kyle.fazzari at canonical.com
Wed Oct 28 12:42:20 UTC 2015
The following changes since commit cf71ede1c3ac332df94b042552bb3a5d81e4e8ee:
UBUNTU: Ubuntu-mako-3.4.0-7.39 (2015-09-03 12:03:42 -0600)
are available in the git repository at:
git://kernel.ubuntu.com/kyrofa/ubuntu-wily.git backport_seccomp_filters
for you to fetch changes up to 021128000a2fcf60fc2842979d6697e1e7564a4e:
UBUNTU: SAUCE: Enable SECCOMP_FILTER on mako. (2015-10-27 18:27:18 +0000)
----------------------------------------------------------------
Andy Lutomirski (1):
Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs
John Johansen (1):
Fix execve behavior apparmor for PR_{GET,SET}_NO_NEW_PRIVS
Kees Cook (3):
seccomp: remove duplicated failure logging
ARM: 7578/1: arch/move secure_computing into trace
ARM: 7579/1: arch/allow a scno of -1 to not cause a SIGILL
Kyle Fazzari (4):
UBUNTU: SAUCE: Remove fake no_new_privs.
UBUNTU: SAUCE: Make sure userspace sees an ENOSYS for no tracer.
UBUNTU: SAUCE: Add seccomp selftests.
UBUNTU: SAUCE: Enable SECCOMP_FILTER on mako.
Stephen Rothwell (1):
seccomp: use a static inline for a function stub
Wade Farnsworth (2):
ARM: 7373/1: add support for the generic syscall.h interface
ARM: 7374/1: add TRACEHOOK support
Will Deacon (1):
ARM: 7456/1: ptrace: provide separate functions for tracing syscall {entry,exit}
Will Drewry (17):
sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W
net/compat.c,linux/filter.h: share compat_sock_fprog
seccomp: kill the seccomp_t typedef
asm/syscall.h: add syscall_get_arch
arch/x86: add syscall_get_arch to syscall.h
seccomp: add system call filtering using BPF
seccomp: add SECCOMP_RET_ERRNO
signal, x86: add SIGSYS info and make it synchronous.
seccomp: Add SECCOMP_RET_TRAP
ptrace,seccomp: Add PTRACE_SECCOMP support
x86: Enable HAVE_ARCH_SECCOMP_FILTER
Documentation: prctl/seccomp_filter
seccomp: ignore secure_computing return values
seccomp: fix build warnings when there is no CONFIG_SECCOMP_FILTER
samples/seccomp: fix dependencies on arch macros
ARM: 7577/1: arch/add syscall_get_arch
ARM: 7580/1: arch/select HAVE_ARCH_SECCOMP_FILTER
Documentation/prctl/seccomp_filter.txt | 163 +++++++++
arch/Kconfig | 23 ++
arch/arm/Kconfig | 2 +
arch/arm/include/asm/ptrace.h | 5 +
arch/arm/include/asm/syscall.h | 102 ++++++
arch/arm/include/asm/thread_info.h | 6 +-
arch/arm/kernel/entry-common.S | 35 +-
arch/arm/kernel/ptrace.c | 72 ++--
arch/arm/kernel/signal.c | 2 +
arch/microblaze/kernel/ptrace.c | 2 +-
arch/mips/kernel/ptrace.c | 2 +-
arch/powerpc/kernel/ptrace.c | 2 +-
arch/s390/kernel/ptrace.c | 2 +-
arch/sh/kernel/ptrace_32.c | 2 +-
arch/sh/kernel/ptrace_64.c | 2 +-
arch/sparc/kernel/ptrace_64.c | 2 +-
arch/x86/Kconfig | 1 +
arch/x86/ia32/ia32_signal.c | 4 +
arch/x86/include/asm/ia32.h | 6 +
arch/x86/include/asm/syscall.h | 27 ++
arch/x86/kernel/ptrace.c | 7 +-
debian.mako/config/config.common.ubuntu | 2 +
fs/exec.c | 10 +-
include/asm-generic/siginfo.h | 22 ++
include/asm-generic/syscall.h | 14 +
include/linux/Kbuild | 1 +
include/linux/audit.h | 8 +-
include/linux/filter.h | 12 +
include/linux/prctl.h | 15 +
include/linux/ptrace.h | 5 +-
include/linux/sched.h | 4 +-
include/linux/seccomp.h | 107 +++++-
include/linux/security.h | 1 +
kernel/auditsc.c | 8 +-
kernel/fork.c | 3 +
kernel/seccomp.c | 462 ++++++++++++++++++++++++--
kernel/signal.c | 9 +-
kernel/sys.c | 12 +-
net/compat.c | 8 -
net/core/filter.c | 6 +
samples/Makefile | 2 +-
samples/seccomp/Makefile | 32 ++
samples/seccomp/bpf-direct.c | 190 +++++++++++
samples/seccomp/bpf-fancy.c | 102 ++++++
samples/seccomp/bpf-helper.c | 89 +++++
samples/seccomp/bpf-helper.h | 238 +++++++++++++
samples/seccomp/dropper.c | 68 ++++
security/apparmor/include/backport.h | 7 -
security/commoncap.c | 7 +-
security/selinux/hooks.c | 10 +-
tools/testing/selftests/seccomp/.gitignore | 1 +
tools/testing/selftests/seccomp/Makefile | 11 +
tools/testing/selftests/seccomp/seccomp_bpf.c | 861 ++++++++++++++++++++++++++++++++++++++++++++++++
tools/testing/selftests/seccomp/test_harness.h | 537 ++++++++++++++++++++++++++++++
54 files changed, 3207 insertions(+), 126 deletions(-)
create mode 100644 Documentation/prctl/seccomp_filter.txt
create mode 100644 arch/arm/include/asm/syscall.h
create mode 100644 samples/seccomp/Makefile
create mode 100644 samples/seccomp/bpf-direct.c
create mode 100644 samples/seccomp/bpf-fancy.c
create mode 100644 samples/seccomp/bpf-helper.c
create mode 100644 samples/seccomp/bpf-helper.h
create mode 100644 samples/seccomp/dropper.c
create mode 100644 tools/testing/selftests/seccomp/.gitignore
create mode 100644 tools/testing/selftests/seccomp/Makefile
create mode 100644 tools/testing/selftests/seccomp/seccomp_bpf.c
create mode 100644 tools/testing/selftests/seccomp/test_harness.h