From patchwork Tue Nov 18 01:10:38 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 5325091 Return-Path: X-Original-To: patchwork-linux-arm@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 68115C11AC for ; Tue, 18 Nov 2014 01:14:45 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 8A966200E7 for ; Tue, 18 Nov 2014 01:14:44 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.9]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id A6BB82012B for ; Tue, 18 Nov 2014 01:14:43 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.80.1 #2 (Red Hat Linux)) id 1XqXLw-00017E-9U; Tue, 18 Nov 2014 01:13:08 +0000 Received: from mail-pd0-f178.google.com ([209.85.192.178]) by bombadil.infradead.org with esmtps (Exim 4.80.1 #2 (Red Hat Linux)) id 1XqXLJ-0000Vx-VT for linux-arm-kernel@lists.infradead.org; Tue, 18 Nov 2014 01:12:30 +0000 Received: by mail-pd0-f178.google.com with SMTP id y13so7216228pdi.9 for ; Mon, 17 Nov 2014 17:12:08 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=mXfM00ACHV8ZpXcEco6HeM1K7v/8YsVEaupn2WnDY9M=; b=ZSZf5m4nuSRihHoFONnyd9frNFRt/gK+rxMqvRY/aomfh0RgbqCEb55mg4HbguJabU u+4f/mPR7j+8xdRbLpC+OLNipa6J52++g1ys+o018JJlwKlSPu9w2eNyJ5HwYqcMsS59 lSZMmCz7qThotVQ34wbyd98LbxmQadwA6UpUAsLUjxbC0yEirSjZRG6iVMJ8PdbKVCaR FoUIHXBGRNjosEm+kZ8lxRRaSn6fGTrDJFEtyLVUmBRozFHaHJAmWHJjw0eQPCiFNuB9 XM+YF/08L8ac3WUjVH2wnsr7tTQ1V4v1G//nZQ7olx1a1KyucLE/snyHe4wLvkfbolv4 uzhA== X-Gm-Message-State: ALoCoQkUhQAmekvu2edFyB51+3NifdsauGM14mDltwNwcqwOELIPeyqNUmFlKEw7kaJi307fb80x X-Received: by 10.68.190.42 with SMTP id gn10mr33708610pbc.69.1416273128417; Mon, 17 Nov 2014 17:12:08 -0800 (PST) Received: from localhost.localdomain (KD182249087116.au-net.ne.jp. [182.249.87.116]) by mx.google.com with ESMTPSA id cf12sm36225005pdb.77.2014.11.17.17.12.03 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 17 Nov 2014 17:12:07 -0800 (PST) From: AKASHI Takahiro To: keescook@chromium.org, catalin.marinas@arm.com, will.deacon@arm.com Subject: [PATCH v8 6/6] arm64: add seccomp support Date: Tue, 18 Nov 2014 10:10:38 +0900 Message-Id: <1416273038-15590-7-git-send-email-takahiro.akashi@linaro.org> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1416273038-15590-1-git-send-email-takahiro.akashi@linaro.org> References: <1416273038-15590-1-git-send-email-takahiro.akashi@linaro.org> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20141117_171230_071071_21F05754 X-CRM114-Status: GOOD ( 16.62 ) X-Spam-Score: -0.7 (/) Cc: linaro-kernel@lists.linaro.org, arndb@arndb.de, linux-kernel@vger.kernel.org, AKASHI Takahiro , dsaxena@linaro.org, linux-arm-kernel@lists.infradead.org X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_LOW, T_RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP secure_computing() is called first in syscall_trace_enter() so that a system call will be aborted quickly without doing succeeding syscall tracing if seccomp rules want to deny that system call. On compat task, syscall numbers for system calls allowed in seccomp mode 1 are different from those on normal tasks, and so _NR_seccomp_xxx_32's need to be redefined. Signed-off-by: AKASHI Takahiro --- arch/arm64/Kconfig | 14 ++++++++++++++ arch/arm64/include/asm/seccomp.h | 25 +++++++++++++++++++++++++ arch/arm64/include/asm/unistd.h | 3 +++ arch/arm64/kernel/ptrace.c | 5 +++++ 4 files changed, 47 insertions(+) create mode 100644 arch/arm64/include/asm/seccomp.h diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 9532f8d..f495d3c 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -37,6 +37,7 @@ config ARM64 select HAVE_ARCH_AUDITSYSCALL select HAVE_ARCH_JUMP_LABEL select HAVE_ARCH_KGDB + select HAVE_ARCH_SECCOMP_FILTER select HAVE_ARCH_TRACEHOOK select HAVE_BPF_JIT select HAVE_C_RECORDMCOUNT @@ -345,6 +346,19 @@ config ARCH_HAS_CACHE_LINE_SIZE source "mm/Kconfig" +config SECCOMP + bool "Enable seccomp to safely compute untrusted bytecode" + ---help--- + This kernel feature is useful for number crunching applications + that may need to compute untrusted bytecode during their + execution. By using pipes or other transports made available to + the process as file descriptors supporting the read/write + syscalls, it's possible to isolate those applications in + their own address space using seccomp. Once seccomp is + enabled via prctl(PR_SET_SECCOMP), it cannot be disabled + and the task is only allowed to execute a few safe syscalls + defined by each seccomp mode. + config XEN_DOM0 def_bool y depends on XEN diff --git a/arch/arm64/include/asm/seccomp.h b/arch/arm64/include/asm/seccomp.h new file mode 100644 index 0000000..c76fac9 --- /dev/null +++ b/arch/arm64/include/asm/seccomp.h @@ -0,0 +1,25 @@ +/* + * arch/arm64/include/asm/seccomp.h + * + * Copyright (C) 2014 Linaro Limited + * Author: AKASHI Takahiro + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ +#ifndef _ASM_SECCOMP_H +#define _ASM_SECCOMP_H + +#include + +#ifdef CONFIG_COMPAT +#define __NR_seccomp_read_32 __NR_compat_read +#define __NR_seccomp_write_32 __NR_compat_write +#define __NR_seccomp_exit_32 __NR_compat_exit +#define __NR_seccomp_sigreturn_32 __NR_compat_rt_sigreturn +#endif /* CONFIG_COMPAT */ + +#include + +#endif /* _ASM_SECCOMP_H */ diff --git a/arch/arm64/include/asm/unistd.h b/arch/arm64/include/asm/unistd.h index 6d2bf41..49c9aef 100644 --- a/arch/arm64/include/asm/unistd.h +++ b/arch/arm64/include/asm/unistd.h @@ -31,6 +31,9 @@ * Compat syscall numbers used by the AArch64 kernel. */ #define __NR_compat_restart_syscall 0 +#define __NR_compat_exit 1 +#define __NR_compat_read 3 +#define __NR_compat_write 4 #define __NR_compat_sigreturn 119 #define __NR_compat_rt_sigreturn 173 diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 34b1e85..f2554eb 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -27,6 +27,7 @@ #include #include #include +#include #include #include #include @@ -1151,6 +1152,10 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs) { int orig_syscallno = regs->syscallno; + /* Do the secure computing check first; failures should be fast. */ + if (secure_computing() == -1) + return -1; + if (test_thread_flag(TIF_SYSCALL_TRACE)) tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);