On Wed, Mar 14, 2018 at 09:46:07AM +0200, Nikolay Borisov wrote:
>
>
> On 14.03.2018 05:10, Tycho Andersen wrote:
> > Hi all,
> >
> > I'm getting the WARN below. I think (?) what I'm doing when I get it
> > is that I'm unmounting a subvolume whi
ize the additions to
struct seccomp_filter, also pack the necessary additions a bit more
cleverly (Tyler)
* switch to keeping track of the task itself instead of the pid (we'll
use this for implementing PUT_FD)
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lut
rning when
only CONFIG_SECCOMP_FILTER is enabled.
v7: drop USER_NOTIFICATION bits
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lutomirski
CC: Oleg Nesterov
CC: Eric W. Biederman
CC: "Serge E. Hallyn"
CC: Christian Brauner
CC: Tyler Hicks
CC: Akihiro Suda
---
kerne
.
v5: new in v5
v7: updates for v7 API changes
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lutomirski
CC: Oleg Nesterov
CC: Eric W. Biederman
CC: "Serge E. Hallyn"
CC: Christian Brauner
CC: Tyler Hicks
CC: Akihiro Suda
---
samples/seccomp/.gitignore | 1 +
sampl
Similar to fd_install/__fd_install, we want to be able to replace an fd of
an arbitrary struct files_struct, not just current's. We'll use this in the
next patch to implement the seccomp ioctl that allows inserting fds into a
stopped process' context.
v7: new in v7
Signed-off-by:
its own struct notification,
which is pointed to by struct seccomp_filter. This will save a lot of
memory (thanks Tyler!)
v6 discussion: https://lkml.org/lkml/2018/9/6/769
Thoughts welcome,
Tycho
Tycho Andersen (6):
seccomp: add a return code to trap to userspace
seccomp: make get_nth_f
unting bug (Oleg)
v4: * change the listener's fd flags to be 0
* rename GET_LISTENER to NEW_LISTENER (Matthew)
v5: * add capable(CAP_SYS_ADMIN) requirement
v7: * point the new listener at the right filter (Jann)
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lutomirski
CC: Oleg Neste
o the
core functionality can still be merged while we argue about this. Except
this time it doesn't add any ugliness to the API :)
v7: new in v7
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lutomirski
CC: Oleg Nesterov
CC: Eric W. Biederman
CC: "Serge E. Hallyn"
CC: Chr
On Thu, Sep 27, 2018 at 06:20:23PM +0200, Jann Horn wrote:
> On Thu, Sep 27, 2018 at 5:11 PM Tycho Andersen wrote:
> > As an alternative to SECCOMP_FILTER_FLAG_GET_LISTENER, perhaps a ptrace()
> > version which can acquire filters is useful. There are at least two reasons
> &g
On Thu, Sep 27, 2018 at 06:49:02PM +0200, Jann Horn wrote:
> On Thu, Sep 27, 2018 at 5:11 PM Tycho Andersen wrote:
> > Similar to fd_install/__fd_install, we want to be able to replace an fd of
> > an arbitrary struct files_struct, not just current's. We'll use this
On Thu, Sep 27, 2018 at 07:35:06PM +0200, Jann Horn wrote:
> On Thu, Sep 27, 2018 at 5:11 PM Tycho Andersen wrote:
> >
> > As an alternative to SECCOMP_FILTER_FLAG_GET_LISTENER, perhaps a ptrace()
> > version which can acquire filters is useful. There are at least tw
On Thu, Sep 27, 2018 at 06:39:02PM +0200, Jann Horn wrote:
> On Thu, Sep 27, 2018 at 5:11 PM Tycho Andersen wrote:
> > This patch adds a way to insert FDs into the tracee's process (also
> > close/overwrite fds for the tracee). This functionality is necessary to
> > m
On Thu, Sep 27, 2018 at 09:28:07PM +0200, Jann Horn wrote:
> On Thu, Sep 27, 2018 at 5:11 PM Tycho Andersen wrote:
> > This patch adds a way to insert FDs into the tracee's process (also
> > close/overwrite fds for the tracee). This functionality is necessary to
> > m
On Thu, Sep 27, 2018 at 03:09:06PM -0700, Kees Cook wrote:
> On Thu, Sep 27, 2018 at 8:11 AM, Tycho Andersen wrote:
> > This patch adds a way to insert FDs into the tracee's process (also
> > close/overwrite fds for the tracee). This functionality is necessary to
> > m
On Thu, Sep 27, 2018 at 02:31:24PM -0700, Kees Cook wrote:
> On Thu, Sep 27, 2018 at 8:11 AM, Tycho Andersen wrote:
> > This patch introduces a means for syscalls matched in seccomp to notify
> > some other task that a particular filter has been triggered.
> >
> >
On Fri, Sep 28, 2018 at 12:17:07AM +0200, Jann Horn wrote:
> On Fri, Sep 28, 2018 at 12:14 AM Tycho Andersen wrote:
> > On Thu, Sep 27, 2018 at 09:28:07PM +0200, Jann Horn wrote:
> > > On Thu, Sep 27, 2018 at 5:11 PM Tycho Andersen wrote:
> > > > This patch add
ugh all of v7 now, apart from the
> test/sample code. So don't wait for more comments from me before
> sending out v8.
(assuming you meant v8 -> v9) yes thanks for your reviews! Much
appreciated.
> On Thu, Sep 27, 2018 at 5:11 PM Tycho Andersen wrote:
> > This patch introd
On Thu, Sep 27, 2018 at 03:45:11PM -0700, Kees Cook wrote:
> On Thu, Sep 27, 2018 at 2:51 PM, Jann Horn wrote:
> > On Thu, Sep 27, 2018 at 5:11 PM Tycho Andersen wrote:
> >> However, care should be taken to avoid the TOCTOU
> >> +mentioned above in this document: al
On Thu, Sep 27, 2018 at 07:20:50PM -0700, Kees Cook wrote:
> On Thu, Sep 27, 2018 at 2:59 PM, Kees Cook wrote:
> > On Thu, Sep 27, 2018 at 8:11 AM, Tycho Andersen wrote:
> >> Similar to fd_install/__fd_install, we want to be able to replace an fd of
> >> an arbitra
On Thu, Sep 27, 2018 at 04:10:29PM -0700, Kees Cook wrote:
> On Thu, Sep 27, 2018 at 3:48 PM, Tycho Andersen wrote:
> > On Thu, Sep 27, 2018 at 02:31:24PM -0700, Kees Cook wrote:
> >> On Thu, Sep 27, 2018 at 8:11 AM, Tycho Andersen wrote:
> >> struct seccomp
As Jann pointed out in another thread, ptrace_request() returns an int, so
it makes sense for seccomp_get_metadata() to return an int as well. The
return type of seccomp_get_metadata() is bounded by sizeof(kmd), so this
conversion is safe.
Signed-off-by: Tycho Andersen
Reported-by: Jann Horn
CC
As Jann pointed out in another thread, ptrace_request() returns an int, so
it makes sense for seccomp_get_filter() to return an int as well. The
return type of seccomp_get_filter() is bounded by the BPF_MAXINSNS check in
seccomp_prepare_filter(), so this conversion is safe.
Signed-off-by: Tycho
As Jann pointed out, there is a race between SECCOMP_FILTER_FLAG_TSYNC and
the ptrace code that can inspect a filter of another process. Let's
introduce read locking into the two ptrace accesses so that we don't race.
Signed-off-by: Tycho Andersen
Reported-by: Jann Horn
CC: Kees Cook
On Fri, Sep 28, 2018 at 10:33:34PM +0200, Jann Horn wrote:
> On Fri, Sep 28, 2018 at 5:47 PM Tycho Andersen wrote:
> > As Jann pointed out, there is a race between SECCOMP_FILTER_FLAG_TSYNC and
> > the ptrace code that can inspect a filter of another process. Let's
> > i
On Fri, Sep 28, 2018 at 11:10:48PM +0200, Jann Horn wrote:
> On Fri, Sep 28, 2018 at 10:56 PM Tycho Andersen wrote:
> >
> > On Fri, Sep 28, 2018 at 10:33:34PM +0200, Jann Horn wrote:
> > > On Fri, Sep 28, 2018 at 5:47 PM Tycho Andersen wrote:
> > > > As Jann
On Fri, Sep 28, 2018 at 11:54:22PM +0200, Jann Horn wrote:
> On Fri, Sep 28, 2018 at 11:36 PM Tycho Andersen wrote:
> > On Fri, Sep 28, 2018 at 11:10:48PM +0200, Jann Horn wrote:
> > > On Fri, Sep 28, 2018 at 10:56 PM Tycho Andersen wrote:
> > > >
> > > >
On Fri, Sep 28, 2018 at 11:57:40PM +0200, Michael Kerrisk (man-pages) wrote:
> Hi Tycho,
>
> On 09/27/2018 05:11 PM, Tycho Andersen wrote:
> > Hi all,
> >
> > Here's v7 of the seccomp trap to userspace set. There are various minor
> > changes and bug fixes
On Mon, Nov 19, 2018 at 11:32:39AM +0100, Christian Brauner wrote:
>
> +/**
> + * sys_procfd_signal - send a signal to a process through a process file
> + * descriptor
> + * @fd: the file descriptor of the process
> + * @sig: signal to be sent
> + * @info: the signal info
On Mon, Nov 19, 2018 at 02:49:22PM -0800, Daniel Colascione wrote:
> On Mon, Nov 19, 2018 at 2:40 PM Tycho Andersen wrote:
> > Can I just register an objection here that I think using a syscall
> > just for this is silly?
>
> Yes, you can argue that the bikeshed should be
On Mon, Nov 19, 2018 at 04:22:49PM -0800, Andy Lutomirski wrote:
> Hi all-
>
> We currently have some giant turds in the way that syscalls are
> numbered. We have the x86_32 table, which is totally sane other than
> some legacy multiplexers. Then we have the x86_64 table, which is,
> um, demente
On Mon, Nov 12, 2018 at 12:24:43PM -0700, Tycho Andersen wrote:
> On Mon, Nov 12, 2018 at 11:55:38AM -0700, Tycho Andersen wrote:
> > I haven't managed to reproduce it on stock v4.20-rc2, unfortunately.
>
> Ok, now I have,
>
> seccomp_bpf.c:2736:global.syscall_resta
On Mon, Oct 29, 2018 at 04:40:30PM -0600, Tycho Andersen wrote:
> + resp.id = req.id;
> + resp.error = -512; /* -ERESTARTSYS */
> + resp.val = 0;
> +
> + EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
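Review bot: `resp.error = -512; /* -ERESTARTSYS */` hard-codes a kernel-internal errno that the UAPI headers do not export; give it a name in the test (`#define ERESTARTSYS 512` under `#ifndef`) so the value is not a magic number. More importantly, the `EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0)` line asserts that the kernel accepts -ERESTARTSYS supplied from userspace as the tracee's result; whether a user-supplied restart value is meant to be honoured, rejected with EINVAL, or handed to the tracee as a plain errno is an ABI decision that the test should state explicitly rather than imply.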
So, it turns out this *doesn't* work,
On Thu, Nov 29, 2018 at 01:17:01PM -0800, Kees Cook wrote:
> On Tue, Nov 27, 2018 at 8:44 PM Eric W. Biederman
> wrote:
> >
> > Kees Cook writes:
> >
> > > On Tue, Nov 27, 2018 at 4:38 PM, Kees Cook wrote:
> > >> On Tue, Nov 27, 2018 at 3:21 PM,
Hi Oleg,
I've been running some tests on my seccomp series, and in one of the
tests on v4.20-rc2, I noticed,
[ RUN ] global.syscall_restart
seccomp_bpf.c:2784:global.syscall_restart:Expected getpid() (1492) ==
info._sifields._kill.si_pid (0)
global.syscall_restart: Test failed at step #22
On Mon, Nov 12, 2018 at 12:30:25PM -0600, Eric W. Biederman wrote:
> Tycho Andersen writes:
>
> > Hi Oleg,
> >
> > I've been running some tests on my seccomp series, and in one of the
> > tests on v4.20-rc2, I noticed,
> >
> > [ RUN
On Mon, Nov 12, 2018 at 11:55:38AM -0700, Tycho Andersen wrote:
> I haven't managed to reproduce it on stock v4.20-rc2, unfortunately.
Ok, now I have,
seccomp_bpf.c:2736:global.syscall_restart:Expected getpid() (1493) ==
info._sifields._kill.si_pid (0)
global.syscall_restart: Test failed
ht or not.
>
> For example, a terminal signal (or one that is ignored) might not need
> siginfo. But if the process is ptraced, maybe that terminal signal
> isn't actually terminal? So we might have situations where we want to
> simply check "is the signal target being ptraced&q
On Fri, Dec 07, 2018 at 12:24:20PM -0200, Guilherme G. Piccoli wrote:
> Hi, thanks Dmitry for the re-spin - hopefully now the pa-risc issues
> are fixed.
>
> BTW, any news on the pa-risc testing? We're just waiting on this to get
> the patchset merged?
As far as I know it has been, I got a mail f
On Thu, Dec 06, 2018 at 10:53:50AM -0800, Andy Lutomirski wrote:
> > On Dec 5, 2018, at 11:29 PM, Ard Biesheuvel
> > wrote:
> >
> >> On Thu, 6 Dec 2018 at 00:16, Andy Lutomirski wrote:
> >>
> >>> On Wed, Dec 5, 2018 at 3:41 AM Will Deacon wrote:
> >>>
> On Tue, Dec 04, 2018 at 12:09:49PM -
rs,
Tycho
Tycho Andersen (4):
seccomp: hoist struct seccomp_data recalculation higher
seccomp: switch system call argument type to void *
seccomp: add a return code to trap to userspace
samples: add an example of seccomp user trap
Documentation/ioctl/ioctl-number.txt | 1 +
.../use
force seccomp to recompute the register data. Previously this recomputation
happened one level lower, in seccomp_run_filters(); this patch just moves
it up a level higher to __seccomp_filter().
Thanks Oleg for spotting this.
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lutomirski
CC: Oleg Nes
oided with
careful design of the userspace handler: if the userspace handler reads all
of the task memory that is necessary before applying its security policy,
the tracee's subsequent memory edits will not be read by the tracer.
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lutom
.
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lutomirski
CC: Oleg Nesterov
CC: Eric W. Biederman
CC: "Serge E. Hallyn"
CC: Christian Brauner
CC: Tyler Hicks
CC: Akihiro Suda
---
v5: new in v5
v7: updates for v7 API changes
v8: * add some more comments about what's ha
ng to use void *
as well.
I believe this is safe because of 1. the documentation above, 2. there's no
real type information exported about syscalls anywhere besides the man
pages.
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lutomirski
CC: Oleg Nesterov
CC: Eric W. Biederman
CC
ss of this
patch.
Signed-off-by: Tycho Andersen
---
include/linux/uaccess.h | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index efe79c1cdd47..f20a2d173e1f 100644
--- a/include/linux/uaccess.h
+++ b/include/linux
Hi Al,
On Sun, Dec 09, 2018 at 09:02:21PM +, Al Viro wrote:
> On Sun, Dec 09, 2018 at 01:44:49PM -0700, Tycho Andersen wrote:
> > While working on some additional copy_to_user() checks for sparse, I
> > noticed that sparse's current copy_to_user() checks are not triggered.
On Sun, Dec 09, 2018 at 10:39:52PM +0100, Luc Van Oostenryck wrote:
> On Sun, Dec 09, 2018 at 02:25:23PM -0700, Tycho Andersen wrote:
> > Hi Al,
> >
> > On Sun, Dec 09, 2018 at 09:02:21PM +, Al Viro wrote:
> > > On Sun, Dec 09, 2018 at 01:44:49PM -0700, Tycho
On Sun, Dec 09, 2018 at 09:46:00PM +, Al Viro wrote:
> On Sun, Dec 09, 2018 at 02:25:23PM -0700, Tycho Andersen wrote:
>
> > > Which sparse checks do not trigger? Explain, please - as it is, I had
> > > been
> > > unable to guess what could "spe
ith a
signal will just get ENOENT, indicating that something happened to the
other end.
* refactor the tests so that each test tests only one thing :)
* several other minor bug fixes
Cheers,
Tycho
Link to v8:
https://lore.kernel.org/lkml/20181029224031.29809-1-ty...@tycho.ws/T/#u
Tycho Anders
On Sun, Dec 02, 2018 at 11:26:50PM -0600, Serge E. Hallyn wrote:
> On Sun, Dec 02, 2018 at 08:28:26PM -0700, Tycho Andersen wrote:
> > +struct seccomp_knotif {
> > + /* The struct pid of the task whose filter triggered the notification */
> > + struct task_struct *task;
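Review bot: the member comment is stale relative to the declaration under it: it says "The struct pid of the task whose filter triggered the notification", but the member is `struct task_struct *task`, not a `struct pid *`. Either reword the comment to "The task whose filter triggered the notification", or, if a struct pid is what is meant (it outlives the task and is what a pid-based API would want to hold), change the member type to match; as written a reader cannot tell which of the two is intended.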
ree, please drop us a note to
> help improve the system]
>
> url:
> https://github.com/0day-ci/linux/commits/Tycho-Andersen/seccomp-hoist-struct-seccomp_data-recalculation-higher/20181204-013450
> config: i386-randconfig-x005-201848 (attached as .config)
> compiler: g
On Mon, Dec 03, 2018 at 07:17:26PM -0700, Tycho Andersen wrote:
> On Tue, Dec 04, 2018 at 10:07:38AM +0800, kbuild test robot wrote:
> > Hi Tycho,
> >
> > I love your patch! Yet something to improve:
> >
> > [auto build test ERROR on linus/master]
> > [
st line discipline changes.
>
> Cc: Greg Kroah-Hartman
> Cc: Jiri Slaby
> Cc: sta...@vger.kernel.org # b027e2298bd5 ("tty: fix data race between
> tty_init_dev and flush of buf")
> Reviewed-by: Jiri Slaby
> Reported-by: syzbot+3aa9784721dfb90e9...@syzkaller.a
On Fri, Jun 29, 2018 at 04:24:46AM -0600, Tycho Andersen wrote:
> v2: switch to locking uport->lock on allocation/deallocation instead of
> locking the per-port mutex in uart_put_char. Note that since
> uport->lock is a spin lock, we have to switch the allocation to
&
On Sat, Jun 23, 2018 at 12:27:43AM +0200, Jann Horn wrote:
> On Fri, Jun 22, 2018 at 11:51 PM Kees Cook wrote:
> >
> > On Fri, Jun 22, 2018 at 11:09 AM, Andy Lutomirski
> > wrote:
> > > One possible extra issue: IIRC /proc/.../mem uses FOLL_FORCE, which is
> > > not what we want here.
>
> Uuug
ex in uart_put_char. Note that since
uport->lock is a spin lock, we have to switch the allocation to
GFP_ATOMIC.
Signed-off-by: Tycho Andersen
---
drivers/tty/serial/serial_core.c | 15 +++
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/tty/seri
Hi Oleg,
On Thu, May 17, 2018 at 05:46:37PM +0200, Oleg Nesterov wrote:
> On 05/17, Tycho Andersen wrote:
> >
> > > From lockdep pov this loop tries to take the same lock twice or more, it
> > > should complain.
> >
> > I didn't, but I
luded it in the patchset.
v2: https://lkml.org/lkml/2018/5/17/627
Tycho Andersen (4):
seccomp: add a return code to trap to userspace
seccomp: make get_nth_filter available outside of CHECKPOINT_RESTORE
seccomp: add a way to get a listener fd from ptrace
seccomp: add support for passing fds
icates the code less, so hopefully it's ok.
v2: new in v2
v3: no changes
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lutomirski
CC: Oleg Nesterov
CC: Eric W. Biederman
CC: "Serge E. Hallyn"
CC: Christian Brauner
CC: Tyler Hicks
CC: Akihiro Suda
---
kernel/sec
netlink
* It shows just how little code is needed to accomplish this :)
v2: new in v2
v3: no changes
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lutomirski
CC: Oleg Nesterov
CC: Eric W. Biederman
CC: "Serge E. Hallyn"
CC: Christian Brauner
CC: Tyler Hicks
CC: Akihiro Suda
TIFICATION case
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lutomirski
CC: Oleg Nesterov
CC: Eric W. Biederman
CC: "Serge E. Hallyn"
CC: Christian Brauner
CC: Tyler Hicks
CC: Akihiro Suda
---
arch/Kconfig | 7 +
include/linux/secc
unting bug (Oleg)
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lutomirski
CC: Oleg Nesterov
CC: Eric W. Biederman
CC: "Serge E. Hallyn"
CC: Christian Brauner
CC: Tyler Hicks
CC: Akihiro Suda
---
include/linux/seccomp.h | 11
include
Hi Jann,
Thanks for taking a look!
On Sat, Jun 02, 2018 at 03:13:39PM +0200, Jann Horn wrote:
> On Sat, Jun 2, 2018 at 2:58 PM Tycho Andersen wrote:
> > The idea here is that the userspace handler should be able to pass an fd
> > back to the trapped task, for example so it can b
Hi Alban,
On Sat, Jun 02, 2018 at 09:14:09PM +0200, Alban Crequy wrote:
> On Thu, 31 May 2018 at 16:52, Tycho Andersen wrote:
> >
> > The idea here is that the userspace handler should be able to pass an fd
> > back to the trapped task, for example so it can be
Hi Jann,
On Sun, Jun 03, 2018 at 08:41:01PM +0200, Jann Horn wrote:
> On Sun, Jun 3, 2018 at 2:29 PM Tycho Andersen wrote:
> >
> > This patch introduces a means for syscalls matched in seccomp to notify
> > some other task that a particular filter has been triggered.
>
ex in uart_put_char. Note that since
uport->lock is a spin lock, we have to switch the allocation to
GFP_ATOMIC.
v3: move the allocation outside the lock, so we can switch back to
GFP_KERNEL
Signed-off-by: Tycho Andersen
---
drivers/tty/serial/serial_core.c | 18 --
On Fri, Jul 06, 2018 at 07:49:09PM +0300, Andy Shevchenko wrote:
> On Fri, Jul 6, 2018 at 7:24 PM, Tycho Andersen wrote:
>
> > Looking in uart_port_startup(), it seems that circ->buf (state->xmit.buf)
> > protected by the "per-port mutex", which based
On Fri, Jul 06, 2018 at 11:48:58PM +0300, Andy Shevchenko wrote:
> On Fri, Jul 6, 2018 at 9:39 PM, Tycho Andersen wrote:
> > On Fri, Jul 06, 2018 at 07:49:09PM +0300, Andy Shevchenko wrote:
> >> On Fri, Jul 6, 2018 at 7:24 PM, Tycho Andersen wrote:
>
> > but witho
Hi Matthew,
On Tue, Jun 12, 2018 at 02:39:03PM -0700, Matthew Helsley wrote:
> On Thu, May 31, 2018 at 7:49 AM, Tycho Andersen wrote:
>
>
>
>
> > +struct seccomp_notif {
> > + __u64 id;
> > + pid_t pid;
> > + struct seccomp_data data;
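Review bot: `pid_t pid` in a UAPI struct should be a fixed-width type (`__u32`), and the layout needs an explicit word after it: `id` is `__u64` and `struct seccomp_data` starts with `int nr; __u32 arch; __u64 instruction_pointer;`, so the compiler inserts 4 bytes of padding between `pid` and `data` on 64-bit. Make that padding an explicit, zeroed field (e.g. `__u32 flags`, reserved for later use) so the struct has the same layout for native and compat callers and can be extended without an ABI break.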
On Thu, Jun 14, 2018 at 12:44:21PM -0700, Matthew Helsley wrote:
> On Tue, Jun 12, 2018 at 4:16 PM, Tycho Andersen wrote:
>
> > Hi Matthew,
> >
> > On Tue, Jun 12, 2018 at 02:39:03PM -0700, Matthew Helsley wrote:
> > > On Thu, May 31, 2018
e for no real benefit.
I've also added support for passing fds. The code itself is simple, but
the API could/should probably be different, see patch 4 for discussion.
Tycho
Tycho Andersen (4):
seccomp: add a return code to trap to userspace
seccomp: make get_nth_filter available
can attach to the tree
* notify the listener of signals the tracee receives as well
* implement poll
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lutomirski
CC: Oleg Nesterov
CC: Eric W. Biederman
CC: "Serge E. Hallyn"
CC: Christian Brauner
CC: Tyler Hicks
CC
netlink
* It shows just how little code is needed to accomplish this :)
v2: new in v2
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lutomirski
CC: Oleg Nesterov
CC: Eric W. Biederman
CC: "Serge E. Hallyn"
CC: Christian Brauner
CC: Tyler Hicks
CC: Akihiro Suda
icates the code less, so hopefully it's ok.
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lutomirski
CC: Oleg Nesterov
CC: Eric W. Biederman
CC: "Serge E. Hallyn"
CC: Christian Brauner
CC: Tyler Hicks
CC: Akihiro Suda
v2: new in v2
---
kernel/seccomp.c | 6
lters block sendmsg() and socket(); if the
task installs a filter which blocks these calls, there's no way with
SECCOMP_FILTER_FLAG_GET_LISTENER to get the fd out to the privileged task.
v2: fix a bug where listener mode was not unset when an unused fd was not
available
Signed-off
Hi Oleg,
Thanks for taking a look!
On Thu, May 17, 2018 at 05:33:24PM +0200, Oleg Nesterov wrote:
> I didn't read this series yet, and I don't even understand what are you
> trying to do, just one question...
>
> On 05/17, Tycho Andersen wrote:
> >
> > +static
On Thu, May 17, 2018 at 05:41:39PM +0200, Oleg Nesterov wrote:
> again, I don't understand this code yet, but
>
> On 05/17, Tycho Andersen wrote:
> >
> > +long seccomp_get_listener(struct task_struct *task,
> > + unsigned long filter_off)
>
On Thu, May 17, 2018 at 09:57:33AM -0600, Tycho Andersen wrote:
> On Thu, May 17, 2018 at 05:41:39PM +0200, Oleg Nesterov wrote:
> > and since init_listener() does __get_seccomp_filter() on success, it is needed
> > unconditionally?
>
> I think there does need t
On Fri, May 18, 2018 at 04:05:56PM +0200, Christian Brauner wrote:
> On Thu, May 17, 2018 at 09:12:17AM -0600, Tycho Andersen wrote:
> > As an alternative to SECCOMP_FILTER_FLAG_GET_LISTENER, perhaps a ptrace()
> > version which can acquire filters is useful. There are at le
On Fri, May 18, 2018 at 04:04:16PM +0200, Christian Brauner wrote:
> On Thu, May 17, 2018 at 09:12:15AM -0600, Tycho Andersen wrote:
> > +#ifdef CONFIG_SECCOMP_USER_NOTIFICATION
> > +static u64 seccomp_next_notify_id(struct seccomp_filter *filter)
> > +{
> > +
On Mon, Aug 20, 2018 at 03:27:52PM -0700, Linus Torvalds wrote:
> On Mon, Aug 20, 2018 at 3:02 PM Woodhouse, David wrote:
> >
> > It's the *kernel* we don't want being able to access those pages,
> > because of the multitude of unfixable cache load gadgets.
>
> Ahh.
>
> I guess the proof is in t
Instead of assigning this to ret, since we don't use this anywhere, let's
just test it against 0 directly.
Signed-off-by: Tycho Andersen
Reported-by: 0day robot
---
kernel/seccomp.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/kernel/seccomp.c b/kernel/secco
urity tree,
although hopefully some s390 people can check and make sure it looks
reasonable?
The only oddity is the trailing semicolon; some lines around this patch
have it, and some lines don't. I've left this one as-is.
[1]: https://lore.kernel.org/lkml/20181212231630.GA31584@beast/T/#u
Hi Oleg,
On Mon, Dec 10, 2018 at 04:37:18PM +0100, Oleg Nesterov wrote:
> On 12/06, Eric W. Biederman wrote:
> >
> > The challenge is that we could be delivering this to a zombie signal
> > group leader.
>
> ...
>
> > Sigh it is probably time that I dig in and figure out how to avoid that
> > ca
> > > --------
> > > James Morris (2):
> > > Merge tag 'seccomp-next' of https://git.kernel.org/.../kees/linux
> > > into next-seccomp
> > > Merge tag 'seccomp-next-part2
Both the .o and the actual executable need to be built with -m32 in order
to link correctly.
Signed-off-by: Tycho Andersen
Reported-by: Ingo Molnar
Fixes: fec7b6690541 ("samples: add an example of seccomp user trap")
---
I guess x86 can pick this up directly? Not sure where it should
On Mon, Oct 08, 2018 at 04:58:05PM +0200, Christian Brauner wrote:
> On Thu, Sep 27, 2018 at 04:48:39PM -0600, Tycho Andersen wrote:
> > On Thu, Sep 27, 2018 at 02:31:24PM -0700, Kees Cook wrote:
> > > I have to say, I'm vaguely nervous about changing the semantics here
>
On Tue, Oct 09, 2018 at 12:37:52PM +0200, Laurent Vivier wrote:
> @@ -80,18 +74,32 @@ static int entry_count;
> */
> #define MAX_REGISTER_LENGTH 1920
>
> +static struct binfmt_namespace *binfmt_ns(struct user_namespace *ns)
> +{
> + struct binfmt_namespace *b_ns;
> +
> + while (ns) {
>
On Tue, Oct 09, 2018 at 06:24:14PM +0200, Christian Brauner wrote:
> On Tue, Oct 09, 2018 at 07:28:33AM -0700, Tycho Andersen wrote:
> > On Mon, Oct 08, 2018 at 04:58:05PM +0200, Christian Brauner wrote:
> > > On Thu, Sep 27, 2018 at 04:48:39PM -0600, Tycho Andersen wrote:
>
ssing bits.
* applied all the feedback from v7 (I think, there was a lot of it :)
Link to v7: https://lkml.org/lkml/2018/9/27/968
Cheers,
Tycho
Tycho Andersen (2):
seccomp: add a return code to trap to userspace
samples: add an example of seccomp user trap
Documentation/ioctl/ioctl-
On Mon, Oct 29, 2018 at 11:31:00PM +, Serge E. Hallyn wrote:
> On Mon, Oct 29, 2018 at 04:40:31PM -0600, Tycho Andersen wrote:
> > + if (req->data.nr != __NR_mount) {
> > + fprintf(stderr, "huh? trapped something besides mknod? %d\n",
> > req->
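Review bot: the condition and the diagnostic disagree: the test is `req->data.nr != __NR_mount`, but the message says "trapped something besides mknod?". Make the message say mount (or, if the sample is meant to trap mknod, fix the syscall number in the condition), since the message is what a reader of the sample will use to work out what the filter catches.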
Hi Oleg,
On Tue, Oct 30, 2018 at 03:32:36PM +0100, Oleg Nesterov wrote:
> On 10/29, Tycho Andersen wrote:
> >
> > + /* This is where we wait for a reply from userspace. */
> > + err = wait_for_completion_interruptible(&n.ready);
> > +
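Review bot: `wait_for_completion_interruptible(&n.ready)` returns -ERESTARTSYS as soon as the tracee receives a signal, at which point the listener may still hold, or be about to answer, this notification. The error path after this line needs to take the filter's lock and unlink `n` before the stack frame it lives in goes away, and define what a late SECCOMP_IOCTL_NOTIF_SEND for that id returns (the cover letter on this page says ENOENT); without that, the listener can reply into a `struct seccomp_knotif` that no longer exists.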
On Tue, Oct 30, 2018 at 04:02:54PM +0100, Oleg Nesterov wrote:
> On 10/29, Tycho Andersen wrote:
> >
> > +static long seccomp_notify_recv(struct seccomp_filter *filter,
> > + void __user *buf)
> > +{
> > + struct seccomp_knotif *kn
On Tue, Oct 30, 2018 at 05:39:26PM +0100, Oleg Nesterov wrote:
> On 10/30, Oleg Nesterov wrote:
> >
> > On 10/30, Tycho Andersen wrote:
> > >
> > > @@ -828,6 +823,11 @@ static int __seccomp_filter(int this_syscall, const
> > > struct seccomp_data *sd,
&