arm64: add seccomp support

secure_computing() is called first in syscall_trace_enter() so that a system call will be aborted quickly without doing succeeding syscall tracing if seccomp rules want to deny that system call. On compat task, syscall numbers for system calls allowed in seccomp mode 1 are different from those on normal tasks, and so _NR_seccomp_xxx_32's need to be redefined. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Will Deacon <will.deacon@arm.com>
author: AKASHI Takahiro <takahiro.akashi@linaro.org> 2014-11-28 00:26:39 -0500
committer: Will Deacon <will.deacon@arm.com> 2014-11-28 05:24:59 -0500
commit: a1ae65b219416a72c15577bd4c8c11174fffbb8b (patch)
tree: 653e0ac5fd6ffd3beb5dc78755a9f89602bc5b56 /arch/arm64/kernel/ptrace.c
parent: cc5e9097c9aad6b186a568c534e26746d6bfa483 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index f576781d8d3b..d882b833dbdb 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -27,6 +27,7 @@
 #include <linux/smp.h>
 #include <linux/ptrace.h>
 #include <linux/user.h>
+#include <linux/seccomp.h>
 #include <linux/security.h>
 #include <linux/init.h>
 #include <linux/signal.h>
@@ -1149,6 +1150,10 @@ static void tracehook_report_syscall(struct pt_regs *regs,
 asmlinkage int syscall_trace_enter(struct pt_regs *regs)
 {
+        /* Do the secure computing check first; failures should be fast. */
+        if (secure_computing() == -1)
+                return -1;
        if (test_thread_flag(TIF_SYSCALL_TRACE))
                tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
author	AKASHI Takahiro <takahiro.akashi@linaro.org>	2014-11-28 00:26:39 -0500
committer	Will Deacon <will.deacon@arm.com>	2014-11-28 05:24:59 -0500
commit	a1ae65b219416a72c15577bd4c8c11174fffbb8b (patch)
tree	653e0ac5fd6ffd3beb5dc78755a9f89602bc5b56 /arch/arm64/kernel/ptrace.c
parent	cc5e9097c9aad6b186a568c534e26746d6bfa483 (diff)