Message ID | 20201028002000.2666043-2-keescook@chromium.org (mailing list archive) |
---|---|
State | New, archived |
Series | [1/2] arm64: Enable seccomp architecture tracking |
On Tue, Oct 27, 2020 at 05:19:59PM -0700, Kees Cook wrote: > To enable seccomp constant action bitmaps, we need to have a static > mapping to the audit architecture and system call table size. Add these > for arm64. > > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > arch/arm64/include/asm/seccomp.h | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > > diff --git a/arch/arm64/include/asm/seccomp.h b/arch/arm64/include/asm/seccomp.h > index c36387170936..40f325e7a404 100644 > --- a/arch/arm64/include/asm/seccomp.h > +++ b/arch/arm64/include/asm/seccomp.h > @@ -19,4 +19,19 @@ > > #include <asm-generic/seccomp.h> > > +#ifdef CONFIG_ARM64 > +# define SECCOMP_ARCH_NATIVE AUDIT_ARCH_AARCH64 > +# define SECCOMP_ARCH_NATIVE_NR NR_syscalls > +# define SECCOMP_ARCH_NATIVE_NAME "arm64" "aarch64"? (to match ELF_PLATFORM; not sure what this is used for as SECCOMP_ARCH_NATIVE_NAME is not defined in 5.10-rc3) > +# ifdef CONFIG_COMPAT > +# define SECCOMP_ARCH_COMPAT AUDIT_ARCH_ARM > +# define SECCOMP_ARCH_COMPAT_NR __NR_compat_syscalls > +# define SECCOMP_ARCH_COMPAT_NAME "arm" > +# endif > +#else /* !CONFIG_ARM64 */ > +# define SECCOMP_ARCH_NATIVE AUDIT_ARCH_ARM > +# define SECCOMP_ARCH_NATIVE_NR NR_syscalls > +# define SECCOMP_ARCH_NATIVE_NAME "arm" > +#endif Why do we need a !CONFIG_ARM64 in an arm64 header file?
On Tue, Nov 10, 2020 at 05:26:38PM +0000, Catalin Marinas wrote: > On Tue, Oct 27, 2020 at 05:19:59PM -0700, Kees Cook wrote: > > To enable seccomp constant action bitmaps, we need to have a static > > mapping to the audit architecture and system call table size. Add these > > for arm64. > > > > Signed-off-by: Kees Cook <keescook@chromium.org> > > --- > > arch/arm64/include/asm/seccomp.h | 15 +++++++++++++++ > > 1 file changed, 15 insertions(+) > > > > diff --git a/arch/arm64/include/asm/seccomp.h b/arch/arm64/include/asm/seccomp.h > > index c36387170936..40f325e7a404 100644 > > --- a/arch/arm64/include/asm/seccomp.h > > +++ b/arch/arm64/include/asm/seccomp.h > > @@ -19,4 +19,19 @@ > > > > #include <asm-generic/seccomp.h> > > > > +#ifdef CONFIG_ARM64 > > +# define SECCOMP_ARCH_NATIVE AUDIT_ARCH_AARCH64 > > +# define SECCOMP_ARCH_NATIVE_NR NR_syscalls > > +# define SECCOMP_ARCH_NATIVE_NAME "arm64" > > "aarch64"? (to match ELF_PLATFORM; not sure what this is used for as > SECCOMP_ARCH_NATIVE_NAME is not defined in 5.10-rc3) Ah yes, I was thinking of the arch/arm64 name. :) I will fix this. > > > +# ifdef CONFIG_COMPAT > > +# define SECCOMP_ARCH_COMPAT AUDIT_ARCH_ARM > > +# define SECCOMP_ARCH_COMPAT_NR __NR_compat_syscalls > > +# define SECCOMP_ARCH_COMPAT_NAME "arm" > > +# endif > > +#else /* !CONFIG_ARM64 */ > > +# define SECCOMP_ARCH_NATIVE AUDIT_ARCH_ARM > > +# define SECCOMP_ARCH_NATIVE_NR NR_syscalls > > +# define SECCOMP_ARCH_NATIVE_NAME "arm" > > +#endif > > Why do we need a !CONFIG_ARM64 in an arm64 header file? Heh, again, sorry -- I'm so used to the 32/64 being combined as I did the other architectures. I'll fix this too. Thanks!
diff --git a/arch/arm64/include/asm/seccomp.h b/arch/arm64/include/asm/seccomp.h index c36387170936..40f325e7a404 100644 --- a/arch/arm64/include/asm/seccomp.h +++ b/arch/arm64/include/asm/seccomp.h @@ -19,4 +19,19 @@ #include <asm-generic/seccomp.h> +#ifdef CONFIG_ARM64 +# define SECCOMP_ARCH_NATIVE AUDIT_ARCH_AARCH64 +# define SECCOMP_ARCH_NATIVE_NR NR_syscalls +# define SECCOMP_ARCH_NATIVE_NAME "arm64" +# ifdef CONFIG_COMPAT +# define SECCOMP_ARCH_COMPAT AUDIT_ARCH_ARM +# define SECCOMP_ARCH_COMPAT_NR __NR_compat_syscalls +# define SECCOMP_ARCH_COMPAT_NAME "arm" +# endif +#else /* !CONFIG_ARM64 */ +# define SECCOMP_ARCH_NATIVE AUDIT_ARCH_ARM +# define SECCOMP_ARCH_NATIVE_NR NR_syscalls +# define SECCOMP_ARCH_NATIVE_NAME "arm" +#endif + #endif /* _ASM_SECCOMP_H */
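Review bot: the `#else /* !CONFIG_ARM64 */` branch at the end of the added block can never be taken in arch/arm64/include/asm/seccomp.h, because this header is only used when CONFIG_ARM64 is set, so the AUDIT_ARCH_ARM native definitions there are dead code. Suggest dropping the outer `#ifdef CONFIG_ARM64` / `#else` / `#endif` and keeping the three SECCOMP_ARCH_NATIVE* defines unconditionally, with the `CONFIG_COMPAT` block left as is. A short comment above the defines stating that the `_NR` values give the system call table size for each audit architecture would also help readers of this header.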
To enable seccomp constant action bitmaps, we need to have a static mapping to the audit architecture and system call table size. Add these for arm64. Signed-off-by: Kees Cook <keescook@chromium.org> --- arch/arm64/include/asm/seccomp.h | 15 +++++++++++++++ 1 file changed, 15 insertions(+)