Re: For review: seccomp_user_notif(2) manual page

2020-09-30 Thread Tycho Andersen
On Wed, Sep 30, 2020 at 10:34:51PM +0200, Michael Kerrisk (man-pages) wrote: > Hi Tycho, > > Thanks for taking time to look at the page! > > On 9/30/20 5:03 PM, Tycho Andersen wrote: > > On Wed, Sep 30, 2020 at 01:07:38PM +0200, Michael Kerrisk (man-pages) wrote: > >>

Re: For review: seccomp_user_notif(2) manual page

2020-09-30 Thread Tycho Andersen
On Thu, Oct 01, 2020 at 01:11:33AM +0200, Jann Horn wrote: > On Thu, Oct 1, 2020 at 1:03 AM Tycho Andersen wrote: > > On Wed, Sep 30, 2020 at 10:34:51PM +0200, Michael Kerrisk (man-pages) wrote: > > > On 9/30/20 5:03 PM, Tycho Andersen wrote: > > > > On Wed, Se

Re: For review: seccomp_user_notif(2) manual page

2020-10-01 Thread Tycho Andersen
On Thu, Oct 01, 2020 at 05:47:54PM +0200, Jann Horn via Containers wrote: > On Thu, Oct 1, 2020 at 2:54 PM Christian Brauner > wrote: > > On Wed, Sep 30, 2020 at 05:53:46PM +0200, Jann Horn via Containers wrote: > > > On Wed, Sep 30, 2020 at 1:07 PM Michael Kerrisk (man-pages) > > > wrote: > > >

Re: For review: seccomp_user_notif(2) manual page

2020-10-01 Thread Tycho Andersen
On Thu, Oct 01, 2020 at 08:18:49PM +0200, Jann Horn wrote: > On Thu, Oct 1, 2020 at 6:58 PM Tycho Andersen wrote: > > On Thu, Oct 01, 2020 at 05:47:54PM +0200, Jann Horn via Containers wrote: > > > On Thu, Oct 1, 2020 at 2:54 PM Christian Brauner > > > wrote: > >

Re: [PATCH v11 2/3] arch: Wire up trusted_for(2)

2020-10-01 Thread Tycho Andersen
On Thu, Oct 01, 2020 at 07:02:31PM +0200, Mickaël Salaün wrote: > --- a/include/uapi/asm-generic/unistd.h > +++ b/include/uapi/asm-generic/unistd.h > @@ -859,9 +859,11 @@ __SYSCALL(__NR_openat2, sys_openat2) > __SYSCALL(__NR_pidfd_getfd, sys_pidfd_getfd) > #define __NR_faccessat2 439 > __SYSCALL

Re: For review: seccomp_user_notif(2) manual page

2020-10-01 Thread Tycho Andersen
On Thu, Oct 01, 2020 at 02:06:10PM -0700, Sargun Dhillon wrote: > On Wed, Sep 30, 2020 at 4:07 AM Michael Kerrisk (man-pages) > wrote: > > > > Hi Tycho, Sargun (and all), > > > > I knew it would be a big ask, but below is kind of the manual page > > I was hoping you might write [1] for the seccomp

Re: [PATCH v6 5/6] mm: secretmem: use PMD-size pages to amortize direct map fragmentation

2020-09-25 Thread Tycho Andersen
On Fri, Sep 25, 2020 at 11:31:14AM +0100, Mark Rutland wrote: > Hi, > > Sorry to come to this so late; I've been meaning to provide feedback on > this for a while but have been indisposed for a bit due to an injury. > > On Fri, Sep 25, 2020 at 11:50:29AM +0200, Peter Zijlstra wrote: > > On Fri, S

Re: [PATCH v2 3/3] selftests/seccomp: Test SECCOMP_IOCTL_NOTIF_ADDFD

2020-05-29 Thread Tycho Andersen
On Fri, May 29, 2020 at 12:41:51AM -0700, Kees Cook wrote: > On Thu, May 28, 2020 at 04:08:58AM -0700, Sargun Dhillon wrote: > > + EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0); > > + > > + nextid = req.id + 1; > > + > > + /* Wait for getppid to be called for the second time

Re: [PATCH v2 0/3] Add seccomp notifier ioctl that enables adding fds

2020-05-29 Thread Tycho Andersen
On Thu, May 28, 2020 at 04:08:55AM -0700, Sargun Dhillon wrote: > This adds the capability for seccomp notifier listeners to add file > descriptors Modulo the changes suggested by others, you can consider this series: Reviewed-by: Tycho Andersen

Re: [PATCH v2 3/3] selftests/seccomp: Test SECCOMP_IOCTL_NOTIF_ADDFD

2020-05-29 Thread Tycho Andersen
On Fri, May 29, 2020 at 06:46:07PM +, Sargun Dhillon wrote: > On Fri, May 29, 2020 at 12:41:51AM -0700, Kees Cook wrote: > > On Thu, May 28, 2020 at 04:08:58AM -0700, Sargun Dhillon wrote: > > > + EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0); > > > + > > > + nextid = req.id +

Re: [PATCH] riscv: Remove unnecessary path for syscall_trace

2020-05-25 Thread Tycho Andersen
On Mon, May 25, 2020 at 02:18:26PM +, guo...@kernel.org wrote: > From: Guo Ren > > Obviously, there is no need to recover a0-a7 in reject path. > > Previous modification is from commit af33d243 by Tycho, to > fixup seccomp reject syscall code path. Doesn't this suffer from the same problem,

Re: [PATCH] riscv: Remove unnecessary path for syscall_trace

2020-05-26 Thread Tycho Andersen
On Tue, May 26, 2020 at 08:29:45AM +0800, Guo Ren wrote: > Hi Tycho, > > On Mon, May 25, 2020 at 10:36 PM Tycho Andersen wrote: > > > > On Mon, May 25, 2020 at 02:18:26PM +, guo...@kernel.org wrote: > > > From: Guo Ren > > > > > > Obviously,

Re: [PATCH 1/5] seccomp: Add find_notification helper

2020-05-24 Thread Tycho Andersen
Cc: Kees Cook , > Cc: Jann Horn , > Cc: Robert Sesek , > Cc: Chris Palmer > Cc: Christian Brauner > Cc: Tycho Andersen > --- > kernel/seccomp.c | 38 +- > 1 file changed, 21 insertions(+), 17 deletions(-) > > diff --git a/kerne

Re: [PATCH 2/5] seccomp: Introduce addfd ioctl to seccomp user notifier

2020-05-24 Thread Tycho Andersen
On Sun, May 24, 2020 at 04:39:39PM -0700, Sargun Dhillon wrote: > +static void seccomp_handle_addfd(struct seccomp_kaddfd *addfd) > +{ > + int ret; > + > + /* > + * Remove the notification, and reset the list pointers, indicating > + * that it has been handled. > + */ > +

Re: [PATCH 2/5] seccomp: Introduce addfd ioctl to seccomp user notifier

2020-05-24 Thread Tycho Andersen
On Sun, May 24, 2020 at 05:57:32PM -0600, Tycho Andersen wrote: > On Sun, May 24, 2020 at 04:39:39PM -0700, Sargun Dhillon wrote: > > +static void seccomp_handle_addfd(struct seccomp_kaddfd *addfd) > > +{ > > + int ret; > > + > > + /* > > +* Remo

Re: memory leak in do_seccomp

2020-09-01 Thread Tycho Andersen
On Tue, Sep 01, 2020 at 08:08:13AM -0700, Kees Cook wrote: > On Mon, Aug 31, 2020 at 07:14:59PM -0600, Tycho Andersen wrote: > > On Mon, Aug 31, 2020 at 06:09:15PM -0600, Tycho Andersen wrote: > > > On Mon, Aug 31, 2020 at 04:25:35PM -0700, Kees Cook wrote: > > > >

[PATCH 1/2] seccomp: don't leak memory when filter install races

2020-09-01 Thread Tycho Andersen
("seccomp: allow TSYNC and USER_NOTIF together") Reported-by: syzbot+3ad9614a12f80994c...@syzkaller.appspotmail.com Signed-off-by: Tycho Andersen --- kernel/seccomp.c | 13 ++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp

[PATCH 2/2] mailmap, MAINTAINERS: move to tycho.pizza

2020-09-01 Thread Tycho Andersen
I've changed my e-mail address to tycho.pizza, so let's reflect that in these files. Signed-off-by: Tycho Andersen --- .mailmap| 1 + MAINTAINERS | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.mailmap b/.mailmap index 332c7833057f..50096b96c85d 100644 ---

Re: [PATCH 2/2] mailmap, MAINTAINERS: move to tycho.pizza

2020-09-01 Thread Tycho Andersen
Hi Kees, On Tue, Sep 01, 2020 at 07:40:17PM -0600, Tycho Andersen wrote: > I've changed my e-mail address to tycho.pizza, so let's reflect that in > these files. Hopefully you can pick this one up too? :D Thanks, Tycho

[PATCH] seccomp: don't leave dangling ->notif if file allocation fails

2020-09-02 Thread Tycho Andersen
le won't be able to install a filter if the file allocation fails for some reason, even if they subsequently should be able to. To fix this, let's hoist this free+null into its own little helper and use it. Reported-by: Kees Cook Reported-by: Christian Brauner Signed-off-by: Tycho

Re: [PATCH 1/2] seccomp: don't leak memory when filter install races

2020-09-02 Thread Tycho Andersen
On Wed, Sep 02, 2020 at 11:08:49AM +0200, Christian Brauner wrote: > On Tue, Sep 01, 2020 at 07:40:16PM -0600, Tycho Andersen wrote: > > In seccomp_set_mode_filter() with TSYNC | NEW_LISTENER, we first initialize > > the listener fd, then check to see if we can actually

Re: memory leak in do_seccomp

2020-08-31 Thread Tycho Andersen
to install a filter with TSYNC and NEW_LISTENER turned on. Does the patch below look reasonable? I didn't send it separately since I'm in the process of switching my e-mail address to tycho@tycho.pizza; let this e-mail serve as proof that that e-mail really is me too :). I can send it the nor

Re: memory leak in do_seccomp

2020-08-31 Thread Tycho Andersen
On Mon, Aug 31, 2020 at 06:09:15PM -0600, Tycho Andersen wrote: > On Mon, Aug 31, 2020 at 04:25:35PM -0700, Kees Cook wrote: > > On Sun, Aug 30, 2020 at 08:50:15PM -0700, syzbot wrote: > > > syzbot has found a reproducer for the following issue on: > > > > > >

Re: For review: seccomp_user_notif(2) manual page [v2]

2020-10-26 Thread Tycho Andersen
On Mon, Oct 26, 2020 at 03:30:29PM +0100, Michael Kerrisk (man-pages) wrote: > Hi Tycho, > > Thanks for getting back to me. > > On Mon, 26 Oct 2020 at 14:54, Tycho Andersen wrote: > > > > On Mon, Oct 26, 2020 at 10:55:04AM +0100, Michael Kerrisk (man-pages) wrote:

Re: For review: seccomp_user_notif(2) manual page [v2]

2020-10-26 Thread Tycho Andersen
On Mon, Oct 26, 2020 at 10:55:04AM +0100, Michael Kerrisk (man-pages) wrote: > Hi all (and especially Tycho and Sargun), > > Following review comments on the first draft (thanks to Jann, Kees, > Christian and Tycho), I've made a lot of changes to this page. > I've also added a few FIXMEs relating

Re: [PATCH for-next/seccomp 1/2] selftests/seccomp: Add SKIPs for failed unshare()

2020-07-10 Thread Tycho Andersen
On Fri, Jul 10, 2020 at 11:51:55AM -0700, Kees Cook wrote: > Running the seccomp tests as a regular user shouldn't just fail tests > that require CAP_SYS_ADMIN (for getting a PID namespace). Instead, > detect those cases and SKIP them. But if we unshare NEWUSER at the same time as NEWPID, shouldn'

Re: [PATCH for-next/seccomp 2/2] selftests/seccomp: Set NNP for TSYNC ESRCH flag test

2020-07-10 Thread Tycho Andersen
> Signed-off-by: Kees Cook Reviewed-by: Tycho Andersen

Re: [PATCH for-next/seccomp v2 1/2] selftests/seccomp: Add SKIPs for failed unshare()

2020-07-11 Thread Tycho Andersen
On Fri, Jul 10, 2020 at 04:01:06PM -0700, Kees Cook wrote: > Running the seccomp tests as a regular user shouldn't just fail tests > that require CAP_SYS_ADMIN (for getting a PID namespace). Instead, > detect those cases and SKIP them. Additionally, gracefully SKIP missing > CONFIG_USER_NS (and add

Re: [RFC PATCH seccomp 0/2] seccomp: Add bitmap cache of arg-independent filter results that allow syscalls

2020-09-21 Thread Tycho Andersen
On Mon, Sep 21, 2020 at 10:27:56AM -0500, YiFei Zhu wrote: > On Mon, Sep 21, 2020 at 8:51 AM Tycho Andersen wrote: > > One problem with a kernel config setting is that it's for all tasks. > > While docker and systemd may make decisions based on syscall number, > > o

Re: [PATCH ghak90 V6 02/10] audit: add container id

2019-05-29 Thread Tycho Andersen
On Mon, Apr 08, 2019 at 11:39:09PM -0400, Richard Guy Briggs wrote: > It is not permitted to unset the audit container identifier. > A child inherits its parent's audit container identifier. ... > /** > + * audit_set_contid - set current task's audit contid > + * @contid: contid value > + * > +

Re: [PATCH ghak90 V6 02/10] audit: add container id

2019-05-29 Thread Tycho Andersen
On Wed, May 29, 2019 at 11:29:05AM -0400, Paul Moore wrote: > On Wed, May 29, 2019 at 10:57 AM Tycho Andersen wrote: > > > > On Mon, Apr 08, 2019 at 11:39:09PM -0400, Richard Guy Briggs wrote: > > > It is not permitted to unset the audit container identifier. > >

Re: [PATCH RFC 2/2] Add selftests for pidfd polling

2019-04-12 Thread Tycho Andersen
On Thu, Apr 11, 2019 at 01:50:43PM -0400, Joel Fernandes (Google) wrote: > Other than verifying pidfd based polling, the tests make sure that > wait semantics are preserved with the pidfd poll. Notably the 2 cases: > 1. If a thread group leader exits while threads still there, then no >pidfd po

Re: [PATCH] selftests/seccomp: Handle namespace failures gracefully

2019-04-12 Thread Tycho Andersen
the delay, thanks for looking at this! Reviewed-by: Tycho Andersen

Re: [PATCH] selftests/seccomp: Handle namespace failures gracefully

2019-04-12 Thread Tycho Andersen
On Fri, Apr 12, 2019 at 11:07:11AM -0600, shuah wrote: > On 4/12/19 9:25 AM, Tycho Andersen wrote: > > On Thu, Apr 11, 2019 at 04:56:31PM -0700, Kees Cook wrote: > > > When running without USERNS or PIDNS the seccomp test would hang since > > > it was waiting forever f

Re: [PATCH v4 10/11] seccomp: Switch addfd to Extensible Argument ioctl

2020-06-16 Thread Tycho Andersen
On Mon, Jun 15, 2020 at 08:25:23PM -0700, Kees Cook wrote: > This patch is based on discussions[1] with Sargun Dhillon, Christian > Brauner, and David Laight. Instead of building size into the addfd > structure, make it a function of the ioctl command (which is how sizes are > normally passed to io

Re: [PATCH v4 09/11] selftests/seccomp: Rename user_trap_syscall() to user_notif_syscall()

2020-06-16 Thread Tycho Andersen
er XFAIL. > > Signed-off-by: Kees Cook Reviewed-by: Tycho Andersen

Re: [PATCH v4 08/11] selftests/seccomp: Make kcmp() less required

2020-06-16 Thread Tycho Andersen
On Mon, Jun 15, 2020 at 08:25:21PM -0700, Kees Cook wrote: > The seccomp tests are a bit noisy without CONFIG_CHECKPOINT_RESTORE (due > to missing the kcmp() syscall). The seccomp tests are more accurate with > kcmp(), but it's not strictly required. Refactor the tests to use > alternatives (compar

Re: [PATCH v4 10/11] seccomp: Switch addfd to Extensible Argument ioctl

2020-06-16 Thread Tycho Andersen
On Tue, Jun 16, 2020 at 09:05:29AM -0700, Kees Cook wrote: > On Tue, Jun 16, 2020 at 08:55:46AM -0600, Tycho Andersen wrote: > > On Mon, Jun 15, 2020 at 08:25:23PM -0700, Kees Cook wrote: > > > This patch is based on discussions[1] with Sargun Dhillon, Christian > > >

Re: [PATCH] seccomp: Add group_leader pid to seccomp_notif

2020-05-17 Thread Tycho Andersen
On Sun, May 17, 2020 at 09:21:56PM +1000, Aleksa Sarai wrote: > On 2020-05-17, Christian Brauner wrote: > > Or... And that's more invasive but ultimately cleaner we v2 the whole > > thing so e.g. SECCOMP_IOCTL_NOTIF_RECV2, SECCOMP_IOCTL_NOTIF_SEND2, and > > embed the size argument in the structs.

Re: [PATCH] seccomp: Add group_leader pid to seccomp_notif

2020-05-17 Thread Tycho Andersen
On Sun, May 17, 2020 at 04:33:11PM +0200, Christian Brauner wrote: > On Sun, May 17, 2020 at 08:23:16AM -0600, Tycho Andersen wrote: > > On Sun, May 17, 2020 at 09:21:56PM +1000, Aleksa Sarai wrote: > > > On 2020-05-17, Christian Brauner wrote: > > > > Or..

Re: [PATCH] seccomp: Add group_leader pid to seccomp_notif

2020-05-17 Thread Tycho Andersen
On Sun, May 17, 2020 at 08:46:03AM -0600, Tycho Andersen wrote: > On Sun, May 17, 2020 at 04:33:11PM +0200, Christian Brauner wrote: > > struct seccomp_notif2 { > > __u32 notif_size; > > __u64 id; > > __u32 pid; > > __u32 flags; > >

Re: [PATCH] seccomp: Add group_leader pid to seccomp_notif

2020-05-18 Thread Tycho Andersen
On Mon, May 18, 2020 at 02:53:25PM +0200, Christian Brauner wrote: > On Sun, May 17, 2020 at 09:02:15AM -0600, Tycho Andersen wrote: > > On Sun, May 17, 2020 at 08:46:03AM -0600, Tycho Andersen wrote: > > > On Sun, May 17, 2020 at 04:33:11PM +0200, Christian Brauner wro

Re: [PATCH] seccomp: Add group_leader pid to seccomp_notif

2020-05-18 Thread Tycho Andersen
On Mon, May 18, 2020 at 02:45:00PM +0200, Christian Brauner wrote: > On Mon, May 18, 2020 at 08:32:25AM +, Sargun Dhillon wrote: > > On Sun, May 17, 2020 at 02:30:57PM -0700, Kees Cook wrote: > > > On Sun, May 17, 2020 at 09:02:15AM -0600, Tycho Andersen wrote: > > >

[PATCH] ebpf: verify the output of the JIT

2017-04-04 Thread Tycho Andersen
instruction buffer as instructions are emitted and then comparing that to a hash at the end of the JIT compile after the buffer has been marked read-only. Signed-off-by: Tycho Andersen CC: Daniel Borkmann CC: Alexei Starovoitov CC: Kees Cook CC: Mickaël Salaün --- arch/x86/Kconfig| 11

Re: [PATCH] ebpf: verify the output of the JIT

2017-04-04 Thread Tycho Andersen
Hi Kees, On Tue, Apr 04, 2017 at 03:17:57PM -0700, Kees Cook wrote: > On Tue, Apr 4, 2017 at 3:08 PM, Tycho Andersen wrote: > > The goal of this patch is to protect the JIT against an attacker with a > > write-in-memory primitive. The JIT allocates a buffer which will eventually

Re: [RFC 04/11] ima: add support to namespace securityfs file

2017-05-18 Thread Tycho Andersen
Hi Guilherme, On Thu, May 11, 2017 at 10:59:56AM -0300, Guilherme Magalhaes wrote: > +static int ima_open_namespaces(struct inode *inode, struct file *filp) > +{ > + if (!(filp->f_flags & O_WRONLY)) > + return -EACCES; > + > + if (!capable(CAP_SYS_ADMIN)) > + return

[PATCH] kconfig: always use user input symbols

2017-05-19 Thread Tycho Andersen
user values are explicitly ignored (hunk 1) if the symbols are not visible. It's not clear to me why hunk 1 exists. I'm sure it solves some problem, but I'm not sure why we would ever want to discard user input values, and causes a problem exactly as the comment describes. Signed-off-by

Re: [PATCH] kconfig: always use user input symbols

2017-05-19 Thread Tycho Andersen
Hi Geert, On Fri, May 19, 2017 at 07:29:05PM +0200, Geert Uytterhoeven wrote: > Hi Tycho, > > On Fri, May 19, 2017 at 5:08 PM, Tycho Andersen wrote: > > ...regardless of visibility. > > > > When a symbol that is not visible by default (e.g. PNFS_FLEXFILE_LAYOUT) >

Re: [kernel-hardening] Re: [PATCH v2] mm: Add SLUB free list pointer obfuscation

2017-06-29 Thread Tycho Andersen
On Thu, Jun 29, 2017 at 01:54:13PM -0400, Rik van Riel wrote: > On Thu, 2017-06-29 at 10:47 -0700, Kees Cook wrote: > > On Thu, Jun 29, 2017 at 10:05 AM, Christoph Lameter > > wrote: > > > On Sun, 25 Jun 2017, Kees Cook wrote: > > > > > > > The difference gets lost in the noise, but if the above

[PATCH 3/3] seccomp: add a selftest for get_metadata

2018-02-20 Thread Tycho Andersen
Let's test that we get the flags correctly, and that we preserve the filter index across the ptrace(PTRACE_SECCOMP_GET_METADATA) correctly. Signed-off-by: Tycho Andersen CC: Kees Cook --- tools/testing/selftests/seccomp/seccomp_bpf.c | 61 +++ 1 file change

[PATCH 1/3] seccomp, ptrace: switch get_metadata types to arch independent

2018-02-20 Thread Tycho Andersen
evin" Signed-off-by: Tycho Andersen CC: Kees Cook CC: Oleg Nesterov --- include/uapi/linux/ptrace.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/uapi/linux/ptrace.h b/include/uapi/linux/ptrace.h index e46d82b91166..d5a1b8a492b9 100644 --- a/include/uapi/lin

[PATCH 0/3] some fixups for PTRACE_SECCOMP_GET_METADATA

2018-02-20 Thread Tycho Andersen
Hi Kees, Here are a couple of tweaks/fixes people suggested to the get_metadata functionality, plus a test to ensure that things work the way they're supposed to and stay that way. Cheers, Tycho Tycho Andersen (3): seccomp, ptrace: switch get_metadata types to arch independent p

[PATCH 2/3] ptrace, seccomp: tweak get_metadata behavior slightly

2018-02-20 Thread Tycho Andersen
roduced in commit 26500475ac1b ("ptrace, seccomp: add support for retrieving seccomp metadata") in 4.16-rc2, so should be safe to change if merged before then. Reported-by: Eugene Syromiatnikov Signed-off-by: Tycho Andersen CC: Kees Cook CC: Oleg Nesterov --- kernel/seccomp.c | 6 -

Re: [PATCH v4 2/2] ptrace, seccomp: add support for retrieving seccomp metadata

2018-02-20 Thread Tycho Andersen
On Tue, Feb 20, 2018 at 10:30:52PM +0300, Dmitry V. Levin wrote: > > +struct seccomp_metadata { > > + unsigned long filter_off; /* Input: which filter */ > > + unsigned int flags; /* Output: filter's flags */ > > +}; > > This "unsigned long" field is unacceptable unless you a

Re: [PATCH v4 2/2] ptrace, seccomp: add support for retrieving seccomp metadata

2018-02-20 Thread Tycho Andersen
On Tue, Feb 20, 2018 at 09:13:28PM +0100, Eugene Syromiatnikov wrote: > On Tue, Nov 14, 2017 at 07:00:19PM -0700, Tycho Andersen wrote: > > With the new SECCOMP_FILTER_FLAG_LOG, we need to be able to extract these > > flags for checkpoint restore, since they describe the st

Re: [RFC 1/3] seccomp: add a return code to trap to userspace

2018-02-14 Thread Tycho Andersen
Hey Kees, Thanks for taking a look! On Tue, Feb 13, 2018 at 01:09:20PM -0800, Kees Cook wrote: > On Sun, Feb 4, 2018 at 2:49 AM, Tycho Andersen wrote: > > This patch introduces a means for syscalls matched in seccomp to notify > > some other task that a particular filter has

Re: [RFC 2/3] seccomp: hoist out filter resolving logic

2018-02-14 Thread Tycho Andersen
On Tue, Feb 13, 2018 at 01:29:23PM -0800, Kees Cook wrote: > On Sun, Feb 4, 2018 at 2:49 AM, Tycho Andersen wrote: > > Hoist out the nth filter resolving logic that ptrace uses into a new > > function. We'll use this in the next patch to implement the new > > PTRAC

Re: [RFC 3/3] seccomp: add a way to get a listener fd from ptrace

2018-02-14 Thread Tycho Andersen
On Tue, Feb 13, 2018 at 01:32:26PM -0800, Kees Cook wrote: > On Sun, Feb 4, 2018 at 2:49 AM, Tycho Andersen wrote: > > As an alternative to SECCOMP_FILTER_FLAG_GET_LISTENER, perhaps a ptrace() > > version which can acquire filters is useful. There are at least two reasons > >

Re: [RFC 1/3] seccomp: add a return code to trap to userspace

2018-02-14 Thread Tycho Andersen
On Wed, Feb 14, 2018 at 05:19:52PM +, Andy Lutomirski wrote: > On Wed, Feb 14, 2018 at 3:29 PM, Tycho Andersen wrote: > > Hey Kees, > > > > Thanks for taking a look! > > > > On Tue, Feb 13, 2018 at 01:09:20PM -0800, Kees Cook wrote: > >> On Sun, Feb

Re: arm64 physmap (was Re: [kernel-hardening] [PATCH 4/6] Protectable Memory)

2018-02-14 Thread Tycho Andersen
On Wed, Feb 14, 2018 at 11:48:38AM -0800, Kees Cook wrote: > On Wed, Feb 14, 2018 at 11:06 AM, Laura Abbott wrote: > > fixed. Modules yes are not fully protected. The conclusion from past > > experience has been that we cannot safely break down larger page sizes > > at runtime like x86 does. We co

Re: collecting simple benchmark scripts?

2018-02-14 Thread Tycho Andersen
On Wed, Feb 14, 2018 at 02:50:37PM -0800, Kees Cook wrote: > I'm sure I'm not remotely the first person to bring this up, but my > attempts at searches for this have failed. > > Thoughts? There is mmtests: https://github.com/gormanm/mmtests which looks like it has kernel build and a bunch of othe

Re: [PATCH 4/4] leaking_addresses: add scan_once array

2018-02-25 Thread Tycho Andersen
Hi Tobin, On Mon, Feb 19, 2018 at 01:50:49PM +1100, Tobin C. Harding wrote: > +sub already_scanned > +{ > + my ($filename) = @_; > + state %seen; > + > + foreach (@once_only) { > + if (/^$filename$/) { > + if ($seen{$_} == 1) { This should be something

Re: [PATCH 2/4] leaking_addresses: simplify path skipping

2018-02-25 Thread Tycho Andersen
Hi Tobin, On Mon, Feb 19, 2018 at 01:50:47PM +1100, Tobin C. Harding wrote: > -# Do not parse these files under any subdirectory. > -my @skip_parse_files_any = ('0', > - '1', > - '2', > - 'pagemap', > -

[RFC 1/3] seccomp: add a return code to trap to userspace

2018-02-04 Thread Tycho Andersen
not be read by the tracer. Signed-off-by: Tycho Andersen CC: Kees Cook CC: Andy Lutomirski CC: Oleg Nesterov CC: Eric W. Biederman CC: "Serge E. Hallyn" CC: Christian Brauner CC: Tyler Hicks CC: Akihiro Suda --- arch/Kconfig | 7 + includ

[RFC 2/3] seccomp: hoist out filter resolving logic

2018-02-04 Thread Tycho Andersen
ed on previous suggestions from Oleg. Signed-off-by: Tycho Andersen CC: Kees Cook CC: Andy Lutomirski CC: Oleg Nesterov CC: Eric W. Biederman CC: "Serge E. Hallyn" CC: Christian Brauner CC: Tyler Hicks CC: Akihiro Suda --- kernel

[RFC 0/3] seccomp trap to userspace

2018-02-04 Thread Tycho Andersen
re the fd that receives notifications via ptrace (the method in patch 1 poses some problems). Other suggestions for how to acquire one of these fds would be welcome. Take a close look at the synchronization. I think I've got it right, but I probably don't :) Thanks! Tycho Andersen (3):

[RFC 3/3] seccomp: add a way to get a listener fd from ptrace

2018-02-04 Thread Tycho Andersen
lters block sendmsg() and socket(); if the task installs a filter which blocks these calls, there's no way with SECCOMP_FILTER_FLAG_GET_LISTENER to get the fd out to the privileged task. Signed-off-by: Tycho Andersen CC: Kees Cook CC: Andy Lutomirski CC: Oleg Nesterov CC: Eric W. Bie

Re: [RFC 1/3] seccomp: add a return code to trap to userspace

2018-02-04 Thread Tycho Andersen
Hi Andy, On Sun, Feb 04, 2018 at 05:36:33PM +, Andy Lutomirski wrote: > > The actual implementation of this is fairly small, although getting the > > synchronization right was/is slightly complex. Also worth noting that there > > is one race still present: > > > > 1. a task does a SECCOMP_RE

Re: [RFC 1/3] seccomp: add a return code to trap to userspace

2018-02-05 Thread Tycho Andersen
On Sun, Feb 04, 2018 at 08:33:25PM +, Andy Lutomirski wrote: > On Sun, Feb 4, 2018 at 8:01 PM, Tycho Andersen wrote: > > Hi Andy, > > > > On Sun, Feb 04, 2018 at 05:36:33PM +, Andy Lutomirski wrote: > >> > The actual implementation of this is f

Re: [PATCH 1/3] leaking_addresses: skip all /proc/PID except /proc/1

2018-02-26 Thread Tycho Andersen
Hi Tobin, On Tue, Feb 27, 2018 at 03:45:09PM +1100, Tobin C. Harding wrote: > When the system is idle it is likely that most files under /proc/PID > will be identical for various processes. Scanning _all_ the PIDs under > /proc is unnecessary and implies that we are thoroughly scanning /proc. > T

Re: [kernel-hardening] Re: [PATCH v6 03/11] mm, x86: Add support for eXclusive Page Frame Ownership (XPFO)

2017-11-15 Thread Tycho Andersen
On Wed, Nov 15, 2017 at 06:58:35AM -0800, Matthew Wilcox wrote: > On Tue, Nov 14, 2017 at 11:00:20PM -0800, Dave Hansen wrote: > > On 11/14/2017 07:44 PM, Matthew Wilcox wrote: > > > We don't need to kmap in order to access MOVABLE allocations. kmap is > > > only needed for HIGHMEM allocations. S

[PATCH v5 10/10] lkdtm: Add test for XPFO

2017-08-09 Thread Tycho Andersen
From: Juerg Haefliger This test simply reads from userspace memory via the kernel's linear map. hugepages is only supported on x86 right now, hence the ifdef. Signed-off-by: Juerg Haefliger Signed-off-by: Tycho Andersen Tested-by: Marco Benatto --- drivers/misc/Makefile | 1 + dr

[PATCH v5 08/10] arm64/mm: Add support for XPFO to swiotlb

2017-08-09 Thread Tycho Andersen
From: Juerg Haefliger Pages that are unmapped by XPFO need to be mapped before and unmapped again after (to restore the original state) the __dma_{map,unmap}_area() operations to prevent fatal page faults. Signed-off-by: Juerg Haefliger Signed-off-by: Tycho Andersen --- arch/arm64/include

[PATCH v5 09/10] mm: add a user_virt_to_phys symbol

2017-08-09 Thread Tycho Andersen
We need something like this for testing XPFO. Since it's architecture specific, putting it in the test code is slightly awkward, so let's make it an arch-specific symbol and export it for use in LKDTM. Signed-off-by: Tycho Andersen Tested-by: Marco Benatto --- arch/arm64/mm/x

[PATCH v5 00/10] Add support for eXclusive Page Frame Ownership

2017-08-09 Thread Tycho Andersen
: Add __flush_tlb_one() arm64/mm: Add support for XPFO arm64/mm: Disable section mappings if XPFO is enabled arm64/mm: Don't flush the data cache if the page is unmapped by XPFO arm64/mm: Add support for XPFO to swiotlb lkdtm: Add test for XPFO Tycho Andersen (2): mm: add MAP_HUGETLB

[PATCH v5 07/10] arm64/mm: Don't flush the data cache if the page is unmapped by XPFO

2017-08-09 Thread Tycho Andersen
From: Juerg Haefliger If the page is unmapped by XPFO, a data cache flush results in a fatal page fault. So don't flush in that case. Signed-off-by: Juerg Haefliger Tested-by: Tycho Andersen --- arch/arm64/mm/flush.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --

[PATCH v5 06/10] arm64/mm: Disable section mappings if XPFO is enabled

2017-08-09 Thread Tycho Andersen
From: Juerg Haefliger XPFO (eXclusive Page Frame Ownership) doesn't support section mappings yet, so disable it if XPFO is turned on. Signed-off-by: Juerg Haefliger Tested-by: Tycho Andersen --- arch/arm64/mm/mmu.c | 14 +- 1 file changed, 13 insertions(+), 1 deletion(-)

[PATCH v5 02/10] mm, x86: Add support for eXclusive Page Frame Ownership (XPFO)

2017-08-09 Thread Tycho Andersen
f Suggested-by: Vasileios P. Kemerlis Signed-off-by: Juerg Haefliger Signed-off-by: Tycho Andersen Signed-off-by: Marco Benatto --- Documentation/admin-guide/kernel-parameters.txt | 2 + arch/x86/Kconfig| 1 + arch/x86/include/asm/pgtable.h | 23 +

[PATCH v5 03/10] swiotlb: Map the buffer if it was unmapped by XPFO

2017-08-09 Thread Tycho Andersen
From: Juerg Haefliger Signed-off-by: Juerg Haefliger Tested-by: Tycho Andersen --- include/linux/xpfo.h | 4 lib/swiotlb.c| 3 ++- mm/xpfo.c| 9 + 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/include/linux/xpfo.h b/include/linux/xpfo.h index

[PATCH v5 04/10] arm64: Add __flush_tlb_one()

2017-08-09 Thread Tycho Andersen
From: Juerg Haefliger Add a hook for flushing a single TLB entry on arm64. Signed-off-by: Juerg Haefliger Tested-by: Tycho Andersen --- arch/arm64/include/asm/tlbflush.h | 8 1 file changed, 8 insertions(+) diff --git a/arch/arm64/include/asm/tlbflush.h b/arch/arm64/include/asm

[PATCH v5 05/10] arm64/mm: Add support for XPFO

2017-08-09 Thread Tycho Andersen
: Tycho Andersen --- arch/arm64/Kconfig | 1 + arch/arm64/mm/Makefile | 2 ++ arch/arm64/mm/xpfo.c | 64 ++ 3 files changed, 67 insertions(+) diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index dfd908630631..2ddae41e0793 100644 --- a

[PATCH v5 01/10] mm: add MAP_HUGETLB support to vm_mmap

2017-08-09 Thread Tycho Andersen
vm_mmap is exported, which means kernel modules can use it. In particular, for testing XPFO support, we want to use it with the MAP_HUGETLB flag, so let's support it via vm_mmap. Signed-off-by: Tycho Andersen Tested-by: Marco Benatto --- include/linux/mm.h | 2 ++ mm/mmap.c

Re: [PATCH v3 0/4] seccomp: Add SECCOMP_FILTER_FLAG_KILL_PROCESS

2017-08-09 Thread Tycho Andersen
On Wed, Aug 09, 2017 at 12:01:53PM -0700, Kees Cook wrote: > This series is the result of Fabricio and I going around a few times > on possible solutions for finding a way to enhance RET_KILL to kill > the process group. There's a lot of ways this could be done, but I > wanted something that felt c

Re: [PATCH v3 0/4] seccomp: Add SECCOMP_FILTER_FLAG_KILL_PROCESS

2017-08-09 Thread Tycho Andersen
Hey Tyler :) On Wed, Aug 09, 2017 at 03:33:28PM -0500, Tyler Hicks wrote: > Hey Tycho! > > On 08/09/2017 03:22 PM, Tycho Andersen wrote: > > On Wed, Aug 09, 2017 at 12:01:53PM -0700, Kees Cook wrote: > >> This series is the result of Fabricio and I going around a fe

Re: [PATCH v5 03/10] swiotlb: Map the buffer if it was unmapped by XPFO

2017-08-10 Thread Tycho Andersen
On Thu, Aug 10, 2017 at 09:01:06AM -0400, Konrad Rzeszutek Wilk wrote: > On Wed, Aug 09, 2017 at 02:07:48PM -0600, Tycho Andersen wrote: > > +inline bool xpfo_page_is_unmapped(struct page *page) > > +{ > > + if (!static_branch_unlikely(&xpfo_inited)) >

Re: [PATCH v5 08/10] arm64/mm: Add support for XPFO to swiotlb

2017-08-10 Thread Tycho Andersen
Hi Konrad, Thanks for taking a look! On Thu, Aug 10, 2017 at 09:11:12AM -0400, Konrad Rzeszutek Wilk wrote: > On Wed, Aug 09, 2017 at 02:07:53PM -0600, Tycho Andersen wrote: > > + > > +inline void xpfo_dma_map_unmap_area(bool map, const void *addr, size_t > > size, >

Re: [kernel-hardening] [PATCH v5 05/10] arm64/mm: Add support for XPFO

2017-08-11 Thread Tycho Andersen
Hi Laura, On Fri, Aug 11, 2017 at 11:01:46AM -0700, Laura Abbott wrote: > On 08/09/2017 01:07 PM, Tycho Andersen wrote: > > From: Juerg Haefliger > > > > Enable support for eXclusive Page Frame Ownership (XPFO) for arm64 and > > provide a hook for updating a sin

Re: [kernel-hardening] [PATCH v5 06/10] arm64/mm: Disable section mappings if XPFO is enabled

2017-08-11 Thread Tycho Andersen
Hi Laura, On Fri, Aug 11, 2017 at 10:25:14AM -0700, Laura Abbott wrote: > On 08/09/2017 01:07 PM, Tycho Andersen wrote: > > From: Juerg Haefliger > > > > XPFO (eXclusive Page Frame Ownership) doesn't support section mappings > > yet, so disable it if XPFO is t

Re: [kernel-hardening] [PATCH v5 06/10] arm64/mm: Disable section mappings if XPFO is enabled

2017-08-11 Thread Tycho Andersen
On Fri, Aug 11, 2017 at 03:13:02PM -0600, Tycho Andersen wrote: > You're suggesting something like this instead? Seems to work fine. And in fact, using this patch instead means that booting on 4k pages works too... I guess because NO_BLOCK_MAPPINGS is looked at in a few other places tha

Re: [PATCH v6 03/11] mm, x86: Add support for eXclusive Page Frame Ownership (XPFO)

2017-09-12 Thread Tycho Andersen
On Tue, Sep 12, 2017 at 04:05:22PM +0800, Yisheng Xie wrote: > > > On 2017/9/12 0:03, Juerg Haefliger wrote: > > > > > > On 09/11/2017 04:50 PM, Tycho Andersen wrote: > >> Hi Yisheng, > >> > >> On Mon, Sep 11, 2017 at 03:24:09PM +0800, Y

Re: [PATCH v6 03/11] mm, x86: Add support for eXclusive Page Frame Ownership (XPFO)

2017-09-12 Thread Tycho Andersen
ead succeeds. So, I think we need to include this zeroing condition in xpfo_alloc_pages(), something like the patch below. Unfortunately, this fails to boot for me, probably for an unrelated reason that I'll look into. Thanks a lot! Tycho >From bfc21a6438cf8c56741af94cac939f1b0f63752c Mon

Re: [PATCH] xen: don't compile pv-specific parts if XEN_PV isn't configured

2017-09-14 Thread Tycho Andersen
ss Thanks for this! I think we also need to drop the old definition, something like the below. Can you fold this in or should I send it separately? Cheers, Tycho >From 410a0c15c354f1ba387bdac6837d0a2031744c56 Mon Sep 17 00:00:00 2001 From: Tycho Andersen Date: Thu, 14 Sep 2017 08:57:30 -07

Re: [kernel-hardening] [PATCH v5 04/10] arm64: Add __flush_tlb_one()

2017-08-29 Thread Tycho Andersen
Hi Mark, On Thu, Aug 24, 2017 at 04:45:19PM +0100, Mark Rutland wrote: > On Wed, Aug 23, 2017 at 11:13:02AM -0600, Tycho Andersen wrote: > > On Wed, Aug 23, 2017 at 06:04:43PM +0100, Mark Rutland wrote: > > > On Wed, Aug 23, 2017 at 10:58:42AM -0600, Tycho Andersen wrot

Re: [kernel-hardening] [PATCH v5 04/10] arm64: Add __flush_tlb_one()

2017-08-30 Thread Tycho Andersen
On Wed, Aug 30, 2017 at 07:31:25AM +0200, Juerg Haefliger wrote: > > > On 08/23/2017 07:04 PM, Mark Rutland wrote: > > On Wed, Aug 23, 2017 at 10:58:42AM -0600, Tycho Andersen wrote: > >> Hi Mark, > >> > >> On Mon, Aug 14, 2017 at 05:50:47PM +0100, Mar

Re: [kernel-hardening] [PATCH v5 04/10] arm64: Add __flush_tlb_one()

2017-08-23 Thread Tycho Andersen
Hi Mark, On Mon, Aug 14, 2017 at 05:50:47PM +0100, Mark Rutland wrote: > That said, is there any reason not to use flush_tlb_kernel_range() > directly? So it turns out that there is a difference between __flush_tlb_one() and flush_tlb_kernel_range() on x86: flush_tlb_kernel_range() flushes all th

Re: [kernel-hardening] [PATCH v5 04/10] arm64: Add __flush_tlb_one()

2017-08-23 Thread Tycho Andersen
On Wed, Aug 23, 2017 at 06:04:43PM +0100, Mark Rutland wrote: > On Wed, Aug 23, 2017 at 10:58:42AM -0600, Tycho Andersen wrote: > > Hi Mark, > > > > On Mon, Aug 14, 2017 at 05:50:47PM +0100, Mark Rutland wrote: > > > That said, is there any reason not

Re: [kernel-hardening] [PATCH v6 10/11] mm: add a user_virt_to_phys symbol

2017-09-18 Thread Tycho Andersen
Hi Mark, On Thu, Sep 14, 2017 at 07:34:02PM +0100, Mark Rutland wrote: > On Thu, Sep 07, 2017 at 11:36:08AM -0600, Tycho Andersen wrote: > > We need something like this for testing XPFO. Since it's architecture > > specific, putting it in the test code is slightly awkward, so

Re: [kernel-hardening] [PATCH v6 05/11] arm64/mm: Add support for XPFO

2017-09-18 Thread Tycho Andersen
Hi Mark, On Thu, Sep 14, 2017 at 07:22:08PM +0100, Mark Rutland wrote: > Hi, > > On Thu, Sep 07, 2017 at 11:36:03AM -0600, Tycho Andersen wrote: > > From: Juerg Haefliger > > > > Enable support for eXclusive Page Frame Ownership (XPFO) for arm64 and > > pro

Re: [PATCH v6 07/11] arm64/mm, xpfo: temporarily map dcache regions

2017-09-18 Thread Tycho Andersen
On Thu, Sep 14, 2017 at 07:25:56PM +0100, Mark Rutland wrote: > On Thu, Sep 07, 2017 at 11:36:05AM -0600, Tycho Andersen wrote: > > From: Juerg Haefliger > > > > If the page is unmapped by XPFO, a data cache flush results in a fatal > > page fault, so let's tempo

[PATCH] ptrace, seccomp: add support for retrieving seccomp flags

2017-09-19 Thread Tycho Andersen
With the new SECCOMP_FILTER_FLAG_LOG, we need to be able to extract these flags for checkpoint restore, since they describe the state of a filter. So, let's add PTRACE_SECCOMP_GET_FLAGS, similar to ..._GET_FILTER, which returns the flags of the nth filter. Signed-off-by: Tycho Andersen CC:
