[Trusty][pull-request v3] LP: #1379020 (seccomp tsync)
Kees Cook
kees at ubuntu.com
Tue Oct 21 15:46:14 UTC 2014
Hi!
This is to backport the seccomp thread-sync (and syscall) interface from
3.17. There was some backporting needed in a few areas, as marked in
[]s before my SoB in the series. The most notable is skipping various
new syscalls (which are wired to sys_ni_syscall).
This has been tested against the seccomp regression test suite on
x86_64. I don't have a working Ubuntu ARM test environment, so that
is presently untested. The series is, however, based on the Chrome OS
backport to 3.14, which builds and works on ARM. In theory it should be
fine on Ubuntu too! :)
v3:
- drops accidentally-added changelog entry.
v2:
- fixes the ARM syscall count. (Specifically in
arch/arm/include/asm/unistd.h from "ARM: add seccomp syscall").
Thanks!
-Kees
The following changes since commit 2d22fc7acd4f91209e5de492baceb84d8836e18c:
UBUNTU: Ubuntu-3.13.0-38.65 (2014-10-09 10:32:10 +0100)
are available in the git repository at:
https://github.com/kees/linux.git ubuntu-trusty
for you to fetch changes up to 0a0b87f3ab53e2267f47791f81ce0313b5e9d546:
seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock (2014-10-21 08:39:43 -0700)
----------------------------------------------------------------
Guenter Roeck (1):
      seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock

Kees Cook (11):
      seccomp: create internal mode-setting function
      seccomp: extract check/assign mode helpers
      seccomp: split mode setting routines
      seccomp: add "seccomp" syscall
      ARM: add seccomp syscall
      MIPS: add seccomp syscall
      sched: move no_new_privs into new atomic flags
      seccomp: split filter prep from check and apply
      seccomp: introduce writer locking
      seccomp: allow mode setting across threads
      seccomp: implement SECCOMP_FILTER_FLAG_TSYNC

Rashika Kheria (1):
      UPSTREAM: kernel: Mark function as static in kernel/seccomp.c

Will Deacon (1):
      ARM: 8087/1: ptrace: reload syscall number after secure_computing() check

arch/Kconfig | 1 +
arch/arm/include/asm/unistd.h | 2 +-
arch/arm/include/uapi/asm/unistd.h | 4 +
arch/arm/kernel/calls.S | 4 +
arch/arm/kernel/ptrace.c | 7 +-
arch/mips/include/uapi/asm/unistd.h | 24 +++-
arch/mips/kernel/scall32-o32.S | 4 +
arch/mips/kernel/scall64-64.S | 4 +
arch/mips/kernel/scall64-n32.S | 4 +
arch/mips/kernel/scall64-o32.S | 4 +
arch/x86/syscalls/syscall_32.tbl | 4 +
arch/x86/syscalls/syscall_64.tbl | 4 +
fs/exec.c | 6 +-
include/linux/sched.h | 18 ++-
include/linux/seccomp.h | 8 +-
include/linux/syscalls.h | 2 +
include/uapi/asm-generic/unistd.h | 10 +-
include/uapi/linux/seccomp.h | 7 +
kernel/fork.c | 49 ++++++-
kernel/seccomp.c | 412 +++++++++++++++++++++++++++++++++++++++++++++++++--------
kernel/sys.c | 4 +-
kernel/sys_ni.c | 3 +
security/apparmor/domain.c | 4 +-
23 files changed, 506 insertions(+), 83 deletions(-)
--
Kees Cook