Re: [PATCH v4 2/2] ptrace, seccomp: add support for retrieving seccomp metadata

Tycho Andersen Tue, 20 Feb 2018 18:51:07 -0800

On Tue, Feb 20, 2018 at 09:13:28PM +0100, Eugene Syromiatnikov wrote:
> On Tue, Nov 14, 2017 at 07:00:19PM -0700, Tycho Andersen wrote:
> > With the new SECCOMP_FILTER_FLAG_LOG, we need to be able to extract these
> > flags for checkpoint restore, since they describe the state of a filter.
> > 
> > So, let's add PTRACE_SECCOMP_GET_METADATA, similar to ..._GET_FILTER, which
> > returns the metadata of the nth filter (right now, just the flags).
> > Hopefully this will be future proof, and new per-filter metadata can be
> > added to this struct.
> > 
> > v3: * use GET_METADATA instead of GET_FLAGS
> > v4: * resend
> > 
> > Signed-off-by: Tycho Andersen <ty...@tycho.ws>
> > CC: Kees Cook <keesc...@chromium.org>
> > CC: Andy Lutomirski <l...@amacapital.net>
> > CC: Oleg Nesterov <o...@redhat.com>
> > ---
> >  include/linux/seccomp.h     |  8 ++++++++
> >  include/uapi/linux/ptrace.h |  6 ++++++
> >  kernel/ptrace.c             |  4 ++++
> >  kernel/seccomp.c            | 34 ++++++++++++++++++++++++++++++++++
> >  4 files changed, 52 insertions(+)
> > 
> > diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h
> > index 10f25f7e4304..c723a5c4e3ff 100644
> > --- a/include/linux/seccomp.h
> > +++ b/include/linux/seccomp.h
> > @@ -95,11 +95,19 @@ static inline void get_seccomp_filter(struct 
> > task_struct *tsk)
> >  #if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE)
> >  extern long seccomp_get_filter(struct task_struct *task,
> >                            unsigned long filter_off, void __user *data);
> > +extern long seccomp_get_metadata(struct task_struct *task,
> > +                            unsigned long filter_off, void __user *data);
> >  #else
> >  static inline long seccomp_get_filter(struct task_struct *task,
> >                                   unsigned long n, void __user *data)
> >  {
> >     return -EINVAL;
> >  }
> > +static inline long seccomp_get_metadata(struct task_struct *task,
> > +                                   unsigned long filter_off,
> > +                                   void __user *data)
> > +{
> > +   return -EINVAL;
> > +}
> >  #endif /* CONFIG_SECCOMP_FILTER && CONFIG_CHECKPOINT_RESTORE */
> >  #endif /* _LINUX_SECCOMP_H */
> > diff --git a/include/uapi/linux/ptrace.h b/include/uapi/linux/ptrace.h
> > index e3939e00980b..e46d82b91166 100644
> > --- a/include/uapi/linux/ptrace.h
> > +++ b/include/uapi/linux/ptrace.h
> > @@ -66,6 +66,12 @@ struct ptrace_peeksiginfo_args {
> >  #define PTRACE_SETSIGMASK  0x420b
> >  
> >  #define PTRACE_SECCOMP_GET_FILTER  0x420c
> > +#define PTRACE_SECCOMP_GET_METADATA        0x420d
> > +
> > +struct seccomp_metadata {
> > +   unsigned long filter_off;       /* Input: which filter */
> > +   unsigned int flags;             /* Output: filter's flags */
> > +};
> >  
> >  /* Read signals from a shared (process wide) queue */
> >  #define PTRACE_PEEKSIGINFO_SHARED  (1 << 0)
> > diff --git a/kernel/ptrace.c b/kernel/ptrace.c
> > index 84b1367935e4..58291e9f3276 100644
> > --- a/kernel/ptrace.c
> > +++ b/kernel/ptrace.c
> > @@ -1092,6 +1092,10 @@ int ptrace_request(struct task_struct *child, long 
> > request,
> >             ret = seccomp_get_filter(child, addr, datavp);
> >             break;
> >  
> > +   case PTRACE_SECCOMP_GET_METADATA:
> > +           ret = seccomp_get_metadata(child, addr, datavp);
> > +           break;
> > +
> >     default:
> >             break;
> >     }
> > diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> > index bad457862ee0..7f1f2f3ea549 100644
> > --- a/kernel/seccomp.c
> > +++ b/kernel/seccomp.c
> > @@ -1061,6 +1061,40 @@ long seccomp_get_filter(struct task_struct *task, 
> > unsigned long filter_off,
> >     __put_seccomp_filter(filter);
> >     return ret;
> >  }
> > +
> > +long seccomp_get_metadata(struct task_struct *task,
> > +                     unsigned long size, void __user *data)
> > +{
> > +   long ret;
> > +   struct seccomp_filter *filter;
> > +   struct seccomp_metadata kmd = {};
> > +
> > +   if (!capable(CAP_SYS_ADMIN) ||
> > +       current->seccomp.mode != SECCOMP_MODE_DISABLED) {
> > +           return -EACCES;
> > +   }
> > +
> 
> > +   size = min_t(unsigned long, size, sizeof(kmd));
> > +
> > +   if (copy_from_user(&kmd, data, size))
> > +           return -EFAULT;
> 
> This will work kinda funny if size is less than sizeof(kmd.filter_off).
> And I see no reason for copying the whole structure when only filter_off
> is needed.


Yes, agreed. EINVAL seems better.

> > +
> > +   filter = get_nth_filter(task, kmd.filter_off);
> > +   if (IS_ERR(filter))
> > +           return PTR_ERR(filter);
> > +
> > +   memset(&kmd, 0, sizeof(kmd));
> 
> Is rewriting the filter_off field to 0 intentional?

It "shouldn't" matter, but it's probably better not to; I've fixed it
in https://lkml.org/lkml/2018/2/20/755

Thanks!

Tycho

Re: [PATCH v4 2/2] ptrace, seccomp: add support for retrieving seccomp metadata

Reply via email to