This command allows comparing the underlying private data of two fds. This
is useful e.g. to find out if a seccomp filter is inherited, since struct
seccomp_filter are unique across tasks and are the private_data seccomp
fds.
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Will Drewry
CC: Oleg
e not allowed by
bpf_check_classic.
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Will Drewry
CC: Oleg Nesterov
CC: Andy Lutomirski
CC: Pavel Emelyanov
CC: Serge E. Hallyn
CC: Alexei Starovoitov
CC: Daniel Borkmann
---
net/core/filter.c | 3 +--
1 file changed, 1 insertion(+), 2 dele
On Wed, Sep 30, 2015 at 11:27:34AM -0700, Andy Lutomirski wrote:
> On Wed, Sep 30, 2015 at 11:13 AM, Tycho Andersen
> wrote:
> > This patch introduces the concept of a seccomp fd, with a similar interface
> > and usage to ebpf fds. Initially, one is allowed to create, install,
On Wed, Sep 30, 2015 at 11:25:41AM -0700, Andy Lutomirski wrote:
> On Wed, Sep 30, 2015 at 11:13 AM, Tycho Andersen
> wrote:
> > This command allows comparing the underlying private data of two fds. This
> > is useful e.g. to find out if a seccomp filter is inher
On Wed, Sep 30, 2015 at 11:47:05AM -0700, Andy Lutomirski wrote:
> On Wed, Sep 30, 2015 at 11:41 AM, Tycho Andersen
> wrote:
> > On Wed, Sep 30, 2015 at 11:25:41AM -0700, Andy Lutomirski wrote:
> >> On Wed, Sep 30, 2015 at 11:13 AM, Tycho Andersen
> >> wrote:
>
On Wed, Sep 30, 2015 at 11:56:25AM -0700, Andy Lutomirski wrote:
> On Wed, Sep 30, 2015 at 11:55 AM, Tycho Andersen
> wrote:
> > On Wed, Sep 30, 2015 at 11:47:05AM -0700, Andy Lutomirski wrote:
> >> On Wed, Sep 30, 2015 at 11:41 AM, Tycho Andersen
> >> wrote:
>
On Wed, Sep 30, 2015 at 02:48:47PM -0700, Andy Lutomirski wrote:
> On Wed, Sep 30, 2015 at 2:39 PM, Tycho Andersen
> wrote:
> > On Wed, Sep 30, 2015 at 11:56:25AM -0700, Andy Lutomirski wrote:
> >> On Wed, Sep 30, 2015 at 11:55 AM, Tycho Andersen
> >> wrote:
>
On Fri, Sep 06, 2019 at 07:20:51PM +0200, Christian Brauner wrote:
> On Sat, Sep 07, 2019 at 03:07:39AM +1000, Aleksa Sarai wrote:
> > On 2019-09-06, Mickaël Salaün wrote:
> > >
> > > On 06/09/2019 17:56, Florian Weimer wrote:
> > > > Let's assume I want to add support for this to the glibc dynam
On Fri, Sep 06, 2019 at 08:27:31PM +0200, Florian Weimer wrote:
> * Tycho Andersen:
>
> > On Fri, Sep 06, 2019 at 07:20:51PM +0200, Christian Brauner wrote:
> >> On Sat, Sep 07, 2019 at 03:07:39AM +1000, Aleksa Sarai wrote:
> >> > On 2019-09-06, Mickaël Salaün w
On Fri, Aug 30, 2019 at 09:19:00AM -0600, shuah wrote:
> On 8/29/19 6:45 PM, shuah wrote:
> > On 8/29/19 11:06 AM, Kees Cook wrote:
> > > On Mon, Aug 26, 2019 at 08:43:02AM -0600, Tycho Andersen wrote:
> > > > The seccomp selftest goes to some length to build agains
~~
seccomp_bpf.c:1787:2: note: in expansion of macro ‘EXPECT_EQ’
EXPECT_EQ(entry ? PTRACE_EVENTMSG_SYSCALL_ENTRY
^
make: *** [Makefile:12: seccomp_bpf] Error 1
Signed-off-by: Tycho Andersen
Fixes: 201766a20e30 ("ptrace: add PTRACE_GET_SYSCALL_INFO request")
---
t
we can get some more clarity about what might be going wrong here? It
> appears that the failing test was added in commit 6a21cc50f0c7f ("seccomp:
> add a return code to trap to userspace") by Tycho Andersen
> .
Can you post an strace and a cat of /proc/$pid/stack for both
ernel security mechanisms in cases where the watcher knows
> > that a given action is safe to perform.
> >
> > /* References */
> > [1]: https://linuxplumbersconf.org/event/4/contributions/560
> > [2]: https://linuxplumbersconf.org/event/4/contributions/477
> > [3]: https
21cc50f0c7 ("seccomp: add a return code to trap to userspace")
> Signed-off-by: Christian Brauner
> Reviewed-by: Tyler Hicks
> Cc: Kees Cook
> Cc: Andy Lutomirski
> Cc: Will Drewry
> Cc: Shuah Khan
> Cc: Alexei Starovoitov
> Cc: Daniel Borkmann
> Cc: Ma
[seccomp_bpf] Error 1
> make: Leaving directory
> '/usr/src/perf_selftests-x86_64-rhel-7.6-0eebfed2954f152259cae0ad57b91d3ea92968e8/tools/testing/selftests/seccomp'
>
> Reported-by: kernel test robot
> Fixes: 0eebfed2954f ("seccomp: test SECCOMP_USER_NOTIF_FLAG_CONTINUE")
> Cc: linux-kselft...@vger.kernel.org
> Signed-off-by: Christian Brauner
Reviewed-by: Tycho Andersen
ually flush in the face of xpfo, and temporarily map the underlying
> memory so it can be flushed correctly
>
> CC: linux-arm-ker...@lists.infradead.org
> Signed-off-by: Juerg Haefliger
> Signed-off-by: Tycho Andersen
> ---
> arch/arm64/mm/flush.c | 7 +++
> 1 fi
On Thu, Feb 14, 2019 at 10:29:52AM -0700, Khalid Aziz wrote:
> On a side note, do you mind if I update your address in your
> signed-off-by from ty...@docker.com when I send the next version of this
> series?
Sure that would be great thanks. This e-mail is a good one to use.
Cheers,
Tycho
On Wed, Jan 02, 2019 at 05:16:53PM +0100, Christian Brauner wrote:
> The kill() syscall operates on process identifiers (pid). After a process
> ...
Fashionably late to the party, but feel free to consider these two:
Reviewed-by: Tycho Andersen
On Fri, Feb 15, 2019 at 04:07:33PM +, David Howells wrote:
> ==
> FUTURE DEVELOPMENT
> ==
>
> (1) Setting up the container.
>
> A container would be created with, say:
>
> int cfd = container_create("fred", CONTAINER_NEW_EMPTY_FS_NS);
>
...
>
On Fri, Feb 08, 2019 at 09:50:26AM +1100, Tobin C. Harding wrote:
> Currently if user passes an output file to the script via
> --output-raw we do not handle expansion of tilde.
>
> Use perl function glob() to expand tilde in output file name.
>
> Signed-off-by: Tobin C. Harding
> ---
> scripts
While reading the docs I noticed some whitespace damage in diagram. Let's
fix it up to be consistent with elsewhere in the document: use one leading
tab, followed by spaces for any additional whitespace required.
Signed-off-by: Tycho Andersen
---
Documentation/RCU/whatisRCU.txt
/2018 06:24:32.4950] [] handle_IPI+0x18c/0x1a0
> [11/27/2018 06:24:32.4950] [] gic_handle_irq+0x88/0x90
>
> Fixes: a5ba1d95e46e ("uart: fix race between uart_put_char() and
> uart_shutdown()")
> Signed-off-by: Samir Virmani
> Cc: Tycho Andersen
Acked-by: Tycho Andersen
Thanks,
Tycho
On Wed, Jan 16, 2019 at 04:30:26PM -0800, Kees Cook wrote:
> On Wed, Jan 16, 2019 at 4:01 PM shuah wrote:
> >
> > Hi Kees and James,
> >
> > seccomp_bpf test hangs right after the following test passes
> > with EBUSY. Please see log at the end.
> >
> > /* Installing a second listener in the chain
where needed.
>
> Reported-by: Shuah Khan
> Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace")
The gift that keeps on giving :)
Reviewed-by: Tycho Andersen
Thanks,
Tycho
On Thu, Jan 17, 2019 at 08:12:50AM -0800, Kees Cook wrote:
> On Wed, Jan 16, 2019 at 5:26 PM shuah wrote:
> > I am running Linux 5.0-rc2 and not an older kernel.
>
> Weird. I couldn't reproduce this on 5.0-rc2, but I did see it on a
> kernel without seccomp user_notif. Does the patch I sent fix i
On Thu, Jan 17, 2019 at 08:41:59AM -0800, Kees Cook wrote:
> On Thu, Jan 17, 2019 at 8:27 AM Tycho Andersen wrote:
> >
> > On Thu, Jan 17, 2019 at 08:12:50AM -0800, Kees Cook wrote:
> > > On Wed, Jan 16, 2019 at 5:26 PM shuah wrote:
> > > > I am running L
de to trap to userspace")
Signed-off-by: Tycho Andersen
---
This is a little ugly, but I can't really think of a better way (other than
force freeing, but the fput function that does the actual work is declared
static with four underscores :).
---
kernel/seccomp.c | 4
1 file chang
seccomp() doesn't allow users who aren't root in their userns to attach
filters unless they have the nnp bit set, so let's set it so that these
tests can pass when run as an unprivileged user.
This idea stolen from the other seccomp tests, which use this trick :)
Signed-off-by:
fixes should make most of the other tests work unprivileged,
while XFAIL-ing the one that requires real root.
Cheers,
Tycho
Tycho Andersen (6):
selftests: don't kill child immediately in get_metadata() test
selftests: fix typo in seccomp_bpf.c
selftest: include stdio.h in kselftest.h
-declaration]
printf("TAP version 13\n");
^~
../kselftest.h:61:3: warning: incompatible implicit declaration of built-in
function ‘printf’
../kselftest.h:61:3: note: include ‘’ or provide a declaration of
‘printf’
if user code doesn't also use printf.
Signed-off-by: Tycho Ander
kip tests defined as TEST(),
since there's no return code (I tried exit(KSFT_SKIP), but that didn't work
either...). So let's do it this way to be consistent, and easier to fix
when someone comes along and fixes it.
Signed-off-by: Tycho Andersen
---
tools/testing/selftests/secco
userns.
Signed-off-by: Tycho Andersen
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c
b/tools/testing/selftests/seccomp/seccomp_bpf.c
index a4a7dce1a91b..8f6e95773225 100644
---
There used to be an explanation here because it could trigger lockdep
previously, but now we're not doing recursive locking, so it really is just
for grins.
Signed-off-by: Tycho Andersen
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 2 +-
1 file changed, 1 insertion(+), 1 del
write.
Any failure after that is fine and can ASSERT.
Signed-off-by: Tycho Andersen
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c
b/tools/testing/selftests/seccomp/seccomp_
n
It seems to actually work fine for me though, since the new helper is also
__noreturn. Perhaps there's a better way to do this?
Signed-off-by: Tycho Andersen
CC: Josh Poimboeuf
---
I split this out from the XPFO series since it's mostly unrelated, and is
just a bug I found while wo
On Fri, Apr 05, 2019 at 10:58:33AM -0500, Josh Poimboeuf wrote:
> On Fri, Apr 05, 2019 at 09:35:24AM -0600, Tycho Andersen wrote:
> > If the kernel oopses in an interrupt, nothing re-enables interrupts:
> >
> > Aug 23 19:30:27 xpfo kernel: [ 38.302714] BUG: sleeping func
were disabled.
Note that if any spinlocks are held, etc. we'll also get the above warning,
so this isn't a silver bullet. So, let's add a C helper in case someone
wants to add fancier lock busting or if we've forgotten to unwind something
else.
Signed-off-by: Tycho Andersen
CC: Jo
On Wed, Jan 02, 2019 at 05:16:54PM +0100, Christian Brauner wrote:
> + /*
> + * Stop the child so we can inspect whether we have
> + * recycled pid PID_RECYCLE.
> + */
> + close(pipe_fds[0]);
> +
On Tue, Jan 08, 2019 at 11:54:15AM -0600, Serge E. Hallyn wrote:
> On Tue, Jan 08, 2019 at 10:53:06AM -0700, Tycho Andersen wrote:
> > On Wed, Jan 02, 2019 at 05:16:54PM +0100, Christian Brauner wrote:
> > > + /*
> > > + * Stop the chil
On Tue, Jan 08, 2019 at 12:17:42PM -0600, Serge E. Hallyn wrote:
> On Tue, Jan 08, 2019 at 10:58:43AM -0700, Tycho Andersen wrote:
> > On Tue, Jan 08, 2019 at 11:54:15AM -0600, Serge E. Hallyn wrote:
> > > On Tue, Jan 08, 2019 at 10:53:06AM -0700, Tycho Andersen wrote:
> >
On Tue, Jan 08, 2019 at 07:24:46PM +0100, Christian Brauner wrote:
> On Tue, Jan 08, 2019 at 11:20:23AM -0700, Tycho Andersen wrote:
> > On Tue, Jan 08, 2019 at 12:17:42PM -0600, Serge E. Hallyn wrote:
> > > On Tue, Jan 08, 2019 at 10:58:43AM -0700, Tycho Andersen wrote:
>
On Wed, Jan 09, 2019 at 07:59:16AM +0100, Ingo Molnar wrote:
>
> * Kees Cook wrote:
>
> > This was already picked up by x86-urgent...
> >
> > -Kees
>
> I'm fine with both routes - if Linus pulls this I'll zap the x86/urgent
> one.
The patches are different actually. I've confirmed the one in
On Fri, Mar 08, 2019 at 03:14:13PM +1100, Tobin C. Harding wrote:
> diff --git a/mm/slab_common.c b/mm/slab_common.c
> index f9d89c1b5977..754acdb292e4 100644
> --- a/mm/slab_common.c
> +++ b/mm/slab_common.c
> @@ -298,6 +298,10 @@ int slab_unmergeable(struct kmem_cache *s)
> if (!is_root_cac
On Fri, Mar 08, 2019 at 03:14:18PM +1100, Tobin C. Harding wrote:
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -3642,6 +3642,7 @@ static int kmem_cache_open(struct kmem_cache *s,
> slab_flags_t flags)
>
> set_cpu_partial(s);
>
> + s->defrag_used_ratio = 30;
> #ifdef CONFIG_NUMA
>
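Review bot: the default assigned in kmem_cache_open(), `s->defrag_used_ratio = 30;`, is a bare magic number. A named constant, or a short comment giving the unit of the ratio and the reason for choosing 30, would let later readers tell whether the value is a tuned threshold or a placeholder, and would give one place to change it.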
On Fri, Mar 08, 2019 at 04:15:46PM +, Christopher Lameter wrote:
> On Fri, 8 Mar 2019, Tycho Andersen wrote:
>
> > On Fri, Mar 08, 2019 at 03:14:13PM +1100, Tobin C. Harding wrote:
> > > diff --git a/mm/slab_common.c b/mm/slab_common.c
> > > index f9d89c1b5977..7
On Sat, Mar 09, 2019 at 06:53:22AM +1100, Tobin C. Harding wrote:
> On Fri, Mar 08, 2019 at 09:22:37AM -0700, Tycho Andersen wrote:
> > On Fri, Mar 08, 2019 at 04:15:46PM +, Christopher Lameter wrote:
> > > On Fri, 8 Mar 2019, Tycho Andersen wrote:
> > >
> >
dition to be simply if (ret), so that
if someone does add the flag mentioned above, they won't have to remember
to fix this too.
Signed-off-by: Tycho Andersen
Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace")
CC: sta...@vger.kernel.org # v5.0+
---
kernel/seccom
This sentence is kind of a train wreck anyway, but at least dropping the
extra pronoun helps somewhat.
Signed-off-by: Tycho Andersen
---
kernel/seccomp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index e815781ed751..d0d355ded2f4
On Wed, Mar 06, 2019 at 09:39:35PM +0100, Christian Brauner wrote:
> > +
> > /* Prepare the new filter before holding any locks. */
> > prepared = seccomp_prepare_user_filter(filter);
> > if (IS_ERR(prepared))
> > @@ -1302,7 +1315,7 @@ static long seccomp_set_mode_filter(unsigned int
>
On Wed, Mar 06, 2019 at 10:02:25PM +0100, Christian Brauner wrote:
> On Wed, Mar 6, 2019 at 9:46 PM Tycho Andersen wrote:
> >
> > On Wed, Mar 06, 2019 at 09:39:35PM +0100, Christian Brauner wrote:
> > > > +
> > > > /* Prepare the new filter before hol
flush in the face of xpfo, and temporarily map the underlying
> memory so it can be flushed correctly
>
> CC: linux-arm-ker...@lists.infradead.org
> Signed-off-by: Juerg Haefliger
> Signed-off-by: Tycho Andersen
> Signed-off-by: Khalid Aziz
> ---
> arch/arm64/mm/f
On Fri, Jan 11, 2019 at 11:28:19AM -0700, Khalid Aziz wrote:
> On 1/11/19 7:54 AM, Tycho Andersen wrote:
> > On Thu, Jan 10, 2019 at 02:09:39PM -0700, Khalid Aziz wrote:
> >> From: Juerg Haefliger
> >>
> >> If the page is unmapped by XPFO, a data cache flush re
On Wed, Sep 12, 2018 at 05:00:54PM -0700, Andy Lutomirski wrote:
> On Thu, Sep 6, 2018 at 8:28 AM, Tycho Andersen wrote:
> > As an alternative to SECCOMP_FILTER_FLAG_GET_LISTENER, perhaps a ptrace()
> > version which can acquire filters is useful. There are at least two reas
On Wed, Sep 12, 2018 at 04:52:38PM -0700, Andy Lutomirski wrote:
> On Thu, Sep 6, 2018 at 8:28 AM, Tycho Andersen wrote:
> > The idea here is that the userspace handler should be able to pass an fd
> > back to the trapped task, for example so it can be returned from socket(
On Thu, Sep 20, 2018 at 07:18:45PM -0700, Andy Lutomirski wrote:
> Hmm. This does mean that we need a test case for a user notifier
> returning -ERESTARTSYS. It should Just Work (tm), but those are
> famous last words.
Just to confirm, I've got a test case that works like this:
1. fork and inst
Hi all,
Here's a v6 of the seccomp trap to userspace series. v5 [1] was fairly
quiet, with Christian reminding me that I had forgotten to update the
docs for the ioctl change. Other than that, there are no changes.
[1]: https://lkml.org/lkml/2018/8/28/590
Thoughts welcome,
Tycho
ng ioctls instead of read()/write() for struct passing
(Jann)
* add an ioctl to ensure an id is still valid
v6: * docs typo fixes, update docs for ioctl() change (Christian)
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lutomirski
CC: Oleg Nesterov
CC: Eric W. Biederman
CC:
unting bug (Oleg)
v4: * change the listener's fd flags to be 0
* rename GET_LISTENER to NEW_LISTENER (Matthew)
v5: * add capable(CAP_SYS_ADMIN) requirement
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lutomirski
CC: Oleg Nesterov
CC: Eric W. Biederman
CC: "Serge E. Ha
* reflect GET_LISTENER -> NEW_LISTENER changes
* add to the new Documentation/ on user notifications about fd replies
v5: * fix documentation typo (O_EXCL -> O_CLOEXEC)
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lutomirski
CC: Oleg Nesterov
CC: Eric W. Biederman
CC: "Serge E
rning when
only CONFIG_SECCOMP_FILTER is enabled.
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lutomirski
CC: Oleg Nesterov
CC: Eric W. Biederman
CC: "Serge E. Hallyn"
CC: Christian Brauner
CC: Tyler Hicks
CC: Akihiro Suda
---
kernel/seccomp.c | 7 +--
1 file change
.
v5: new in v5
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Andy Lutomirski
CC: Oleg Nesterov
CC: Eric W. Biederman
CC: "Serge E. Hallyn"
CC: Christian Brauner
CC: Tyler Hicks
CC: Akihiro Suda
---
samples/seccomp/.gitignore | 1 +
samples/seccomp/Makefile| 7 +-
sampl
On Thu, Sep 06, 2018 at 05:45:25PM +0200, Jann Horn wrote:
> On Thu, Sep 6, 2018 at 5:29 PM Tycho Andersen wrote:
> >
> > As an alternative to SECCOMP_FILTER_FLAG_GET_LISTENER, perhaps a ptrace()
> > version which can acquire filters is useful. There are at least tw
On Thu, Sep 06, 2018 at 06:15:18PM +0200, Jann Horn wrote:
> On Thu, Sep 6, 2018 at 5:29 PM Tycho Andersen wrote:
> > The idea here is that the userspace handler should be able to pass an fd
> > back to the trapped task, for example so it can be returned from socket().
> [...
On Thu, Sep 06, 2018 at 10:22:46AM -0600, Tycho Andersen wrote:
> On Thu, Sep 06, 2018 at 06:15:18PM +0200, Jann Horn wrote:
> > On Thu, Sep 6, 2018 at 5:29 PM Tycho Andersen wrote:
> > > The idea here is that the userspace handler should be able to pass an fd
> > > ba
On Wed, Sep 19, 2018 at 07:19:56AM -0700, Andy Lutomirski wrote:
>
>
> > On Sep 19, 2018, at 2:55 AM, Tycho Andersen wrote:
> >
> >> On Wed, Sep 12, 2018 at 04:52:38PM -0700, Andy Lutomirski wrote:
> >>> On Thu, Sep 6, 2018 at 8:28 AM, Tycho Andersen
On Wed, Sep 19, 2018 at 12:58:20PM -0700, Andy Lutomirski wrote:
> On Wed, Sep 19, 2018 at 7:38 AM, Tycho Andersen wrote:
> > On Wed, Sep 19, 2018 at 07:19:56AM -0700, Andy Lutomirski wrote:
> >>
> >>
> >> > On Sep 19, 2018, at 2:55 AM, Tycho Andersen wro
On Thu, Sep 20, 2018 at 07:18:45PM -0700, Andy Lutomirski wrote:
> On Thu, Sep 20, 2018 at 4:42 PM Tycho Andersen wrote:
> >
> > On Wed, Sep 19, 2018 at 12:58:20PM -0700, Andy Lutomirski wrote:
> > > On Wed, Sep 19, 2018 at 7:38 AM, Tycho Andersen wrote:
> > >
On Fri, Sep 21, 2018 at 11:27:59AM -0700, Andy Lutomirski wrote:
> On Fri, Sep 21, 2018 at 6:39 AM Tycho Andersen wrote:
> >
> > On Thu, Sep 20, 2018 at 07:18:45PM -0700, Andy Lutomirski wrote:
> > >
> > > I think we just want the operation to cover all the cases
Hey Tyler,
On Thu, Sep 06, 2018 at 10:15:12PM +, Tyler Hicks wrote:
> > +Users can read via ``ioctl(SECCOMP_NOTIF_RECV)`` (or ``poll()``) on a
> > seccomp
> > +notification fd to receive a ``struct seccomp_notif``, which contains five
> > +members: the input length of the structure, a global
On Thu, Sep 06, 2018 at 10:15:12PM +, Tyler Hicks wrote:
> On 2018-09-06 09:28:55, Tycho Andersen wrote:
> > /**
> > * struct seccomp_filter - container for seccomp BPF programs
> > *
> > @@ -66,6 +114,30 @@ struct seccomp_filter {
> > bool log;
On Mon, Sep 10, 2018 at 07:00:43PM +0200, Jann Horn wrote:
> On Thu, Sep 6, 2018 at 8:30 PM Tycho Andersen wrote:
> > On Thu, Sep 06, 2018 at 10:22:46AM -0600, Tycho Andersen wrote:
> > > On Thu, Sep 06, 2018 at 06:15:18PM +0200, Jann Horn wrote:
> > > > On Thu
On Thu, Aug 30, 2018 at 06:00:51PM +0200, Julian Stecklina wrote:
> Hey everyone,
>
> On Mon, 20 Aug 2018 15:27 Linus Torvalds
> wrote:
> > On Mon, Aug 20, 2018 at 3:02 PM Woodhouse, David wrote:
> >>
> >> It's the *kernel* we don't want being able to access those pages,
> >> because of the mul
Hi Kees,
On Fri, Jun 08, 2018 at 09:29:42AM -0700, Kees Cook wrote:
> On Thu, May 31, 2018 at 7:49 AM, Tycho Andersen wrote:
> > Hi all,
> >
> > Here's a v3 of the seccomp trap to userspace, with all the nits from v2
> > fixed. Open questions from v2 are still
On Sat, May 19, 2018 at 01:01:15PM +0800, kbuild test robot wrote:
> Hi Tycho,
>
> I love your patch! Yet something to improve:
Whoops, seems I forgot to compile the
!CONFIG_SECCOMP_USER_NOTIFICATION case. Anyways, I've fixed this for
v3.
Tycho
Hi Mickaël,
On Mon, Apr 02, 2018 at 12:04:36AM +0200, Mickaël Salaün wrote:
> >> vDSO is a code mapped for all processes. As you said, these processes
> >> may use it or not. What I was thinking about is to use the same concept,
> >> i.e. map a "shim" code into each processes pertaining to a parti
anity check in init(), Eric Biggers
Signed-off-by: Tycho Andersen
CC: David Howells
CC: James Morris
CC: "Serge E. Hallyn"
CC: Jason A. Donenfeld
CC: Eric Biggers
---
security/keys/big_key.c | 9 -
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/security/k
size instead of
dynamically allocating something the right size
Signed-off-by: Tycho Andersen
CC: David Howells
CC: James Morris
CC: "Serge E. Hallyn"
CC: Eric Biggers
---
security/keys/dh.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/security/keys/dh.c b
's big enough initially, but only copy back to
userspace the amount that was originally asked for.
v2: allocate enough in the original output buffer vs creating a temporary
output buffer
Signed-off-by: Tycho Andersen
CC: David Howells
CC: James Morris
CC: "Serge E. Hally
On Mon, Apr 23, 2018 at 07:03:21PM -0600, Tycho Andersen wrote:
> We're interested in getting rid of all of the stack allocated arrays in
> the kernel: https://lkml.org/lkml/2018/3/7/621
>
> This case is interesting, since we really just need an array of bytes that
> are ze
Hi Eric,
On Mon, Apr 23, 2018 at 09:50:15PM -0700, Eric Biggers wrote:
> Hi Tycho,
>
> On Mon, Apr 23, 2018 at 07:03:19PM -0600, Tycho Andersen wrote:
> > We're interested in getting rid of all of the stack allocated arrays in the
> > kernel [1]. This patch simply
On Tue, Apr 24, 2018 at 11:46:38PM +0900, Tetsuo Handa wrote:
> Tycho Andersen wrote:
> > > > + if (unlikely(crypto_aead_ivsize(big_key_aead) !=
> > > > GCM_AES_IV_SIZE)) {
> > > > + WARN(1, "big key algorithm changed?");
>
Hi,
Any thoughts on this series?
Thanks,
Tycho
On Thu, Mar 15, 2018 at 09:59:16AM -0700, Kees Cook wrote:
> Since seccomp_get_metadata() depends on CHECKPOINT_RESTORE, XFAIL the
> test if the ptrace reports it as missing.
>
> Signed-off-by: Kees Cook
Acked-by: Tycho Andersen
Thanks, Kees.
> ---
> tools
Hi Andy,
On Thu, Mar 15, 2018 at 05:11:32PM +, Andy Lutomirski wrote:
> On Thu, Mar 15, 2018 at 5:05 PM, Serge E. Hallyn wrote:
> > Hm, synchronously - that brings to mind a thought... I should re-look at
> > Tycho's patches first, but, if I'm in a container, start some syscall that
> > gets
It doesn't make sense to have HARDENED_USERCOPY when either /dev/kmem is
enabled or /dev/mem can be used to read kernel memory.
v2: add !MMU depend as well
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: "Serge E. Hallyn"
CC: James Morris
---
security/Kconfig | 2 ++
1
logic again
Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: "Serge E. Hallyn"
CC: James Morris
---
security/Kconfig | 2 ++
1 file changed, 2 insertions(+)
diff --git a/security/Kconfig b/security/Kconfig
index 3ff1bf9..4619cee 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@
Hi Serge,
On Mon, Mar 21, 2016 at 06:41:33PM -0500, Serge E. Hallyn wrote:
> One practical problem I've found with cgroup namespaces is that there
> is no way to disambiguate between a cgroupfs mount which was done in
> a cgroup namespace, and a bind mount of a cgroupfs directory. So
> whether I
Hi all,
I'm seeing some strange behavior when bind mounting files from a btrfs
subvolume. Consider the output below:
root@criu2:/tmp# mount -o loop /tmp/tester.btrfs /tmp/dir1
root@criu2:/tmp# touch dir1/file
root@criu2:/tmp# sudo mount --bind dir1/file dir2/file
root@criu2:/tmp# grep "/tmp/dir"
On Mon, Mar 21, 2016 at 11:22:06AM -0600, Chris Murphy wrote:
> On Mon, Mar 21, 2016 at 9:21 AM, Tycho Andersen
> wrote:
> > Hi all,
> >
> > I'm seeing some strange behavior when bind mounting files from a btrfs
> > subvolume. Consider the output below:
> >
-by: James Page
Signed-off-by: Tycho Andersen
CC: Eric Biederman
CC: Pravin Shelar
CC: Justin Pettit
CC: "David S. Miller"
---
include/uapi/linux/genetlink.h | 1 +
net/netlink/genetlink.c| 6 --
net/openvswitch/datapath.c | 20 ++--
3 files changed,
-by: James Page
Signed-off-by: Tycho Andersen
CC: Eric Biederman
CC: Pravin Shelar
CC: Justin Pettit
CC: "David S. Miller"
---
net/openvswitch/datapath.c | 63 ++
1 file changed, 53 insertions(+), 10 deletions(-)
diff --git a/net/ope
Hi Eric,
Thanks for the review.
On Fri, Jan 29, 2016 at 08:29:55AM -0600, Eric W. Biederman wrote:
> Tycho Andersen writes:
>
> > Operations with the GENL_ADMIN_PERM flag fail permissions checks because
> > this flag means we call netlink_capable, which uses the init user n
parate ifs for UNS_ADMIN_PERM and ADMIN_PERM, instead of one
massive one
Reported-by: James Page
Signed-off-by: Tycho Andersen
CC: Eric Biederman
CC: Pravin Shelar
CC: Justin Pettit
CC: "David S. Miller"
---
include/uapi/linux/genetlink.h | 1 +
net/netlink/genetlink.c
On Wed, May 27, 2020 at 01:19:01PM +0200, Christian Brauner wrote:
> +void seccomp_filter_notify(const struct task_struct *tsk)
> +{
> + struct seccomp_filter *orig = tsk->seccomp.filter;
> +
> + while (orig && refcount_dec_and_test(&orig->live)) {
> + if (waitqueue_active(&orig
On Wed, May 27, 2020 at 02:43:49PM -0700, Kees Cook wrote:
> (While I'm here -- why can there be only one listener per task? The
> notifications are filter-specific, not task-specific?)
Not sure what you mean here?
> > To fix this, we introduce a new "live" reference counter that tracks the
> > l
On Wed, May 27, 2020 at 03:36:09PM -0700, Kees Cook wrote:
> On Wed, May 27, 2020 at 03:52:03PM -0600, Tycho Andersen wrote:
> > On Wed, May 27, 2020 at 02:43:49PM -0700, Kees Cook wrote:
> > > (While I'm here -- why can there be only one listener per task? The
>
On Sat, Jun 13, 2020 at 12:26:09AM -0700, Sargun Dhillon wrote:
> This introduces an extensibility mechanism to receive seccomp
> notifications. It uses read(2), as opposed to using an ioctl. The listener
> must be first configured to write the notification via the
> SECCOMP_IOCTL_NOTIF_CONFIG ioct
On Wed, Sep 30, 2020 at 09:03:36AM -0600, Tycho Andersen wrote:
> On Wed, Sep 30, 2020 at 01:07:38PM +0200, Michael Kerrisk (man-pages) wrote:
> >┌─┐
> >
On Wed, Sep 30, 2020 at 01:07:38PM +0200, Michael Kerrisk (man-pages) wrote:
>2. In order that the supervisor process can obtain notifications
> using the listening file descriptor, (a duplicate of) that
> file descriptor must be passed from the target process to t