author | Kees Cook <keescook@chromium.org> | 2017-08-11 15:53:18 -0400 |
---|---|---|
committer | Kees Cook <keescook@chromium.org> | 2017-08-14 16:46:48 -0400 |
commit | fd76875ca289a3d4722f266fd2d5532a27083903 (patch) | |
tree | a2bfbf13137e9104f7b262b4f208a51aa8e2a3dc | |
parent | 59f5cf44a38284eb9e76270c786fb6cc62ef8ac4 (diff) |
seccomp: Rename SECCOMP_RET_KILL to SECCOMP_RET_KILL_THREAD
In preparation for adding SECCOMP_RET_KILL_PROCESS, rename SECCOMP_RET_KILL
to the more accurate SECCOMP_RET_KILL_THREAD.
The existing selftest values are intentionally left as SECCOMP_RET_KILL
just to be sure we're exercising the alias.
Signed-off-by: Kees Cook <keescook@chromium.org>
-rw-r--r-- | Documentation/networking/filter.txt | 2 | ||||
-rw-r--r-- | Documentation/userspace-api/seccomp_filter.rst | 4 | ||||
-rw-r--r-- | include/uapi/linux/seccomp.h | 3 | ||||
-rw-r--r-- | kernel/seccomp.c | 39 | ||||
-rw-r--r-- | samples/seccomp/bpf-direct.c | 4 | ||||
-rw-r--r-- | samples/seccomp/bpf-helper.h | 2 | ||||
-rw-r--r-- | tools/testing/selftests/seccomp/seccomp_bpf.c | 17 |
7 files changed, 39 insertions, 32 deletions
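--- a/Documentation/networking/filter.txt
+++ b/Documentation/networking/filter.txt
@@ -337,7 +337,7 @@ Examples for low-level BPF:
 jeq #14, good /* __NR_rt_sigprocmask */
 jeq #13, good /* __NR_rt_sigaction */
 jeq #35, good /* __NR_nanosleep */
-bad: ret #0 /* SECCOMP_RET_KILL */
+bad: ret #0 /* SECCOMP_RET_KILL_THREAD */
 good: ret #0x7fff0000 /* SECCOMP_RET_ALLOW */
 
 The above example code can be placed into a file (here called "foo"), and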
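--- a/Documentation/userspace-api/seccomp_filter.rst
+++ b/Documentation/userspace-api/seccomp_filter.rst
@@ -87,11 +87,11 @@ Return values
 A seccomp filter may return any of the following values. If multiple
 filters exist, the return value for the evaluation of a given system
 call will always use the highest precedent value. (For example,
-``SECCOMP_RET_KILL`` will always take precedence.)
+``SECCOMP_RET_KILL_THREAD`` will always take precedence.)
 
 In precedence order, they are:
 
-``SECCOMP_RET_KILL``:
+``SECCOMP_RET_KILL_THREAD``:
 Results in the task exiting immediately without executing the
 system call. The exit status of the task (``status & 0x7f``) will
 be ``SIGSYS``, not ``SIGKILL``.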
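--- a/include/uapi/linux/seccomp.h
+++ b/include/uapi/linux/seccomp.h
@@ -27,7 +27,8 @@
 * The ordering ensures that a min_t() over composed return values always
 * selects the least permissive choice.
 */
-#define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */
+#define SECCOMP_RET_KILL_THREAD 0x00000000U /* kill the thread */
+#define SECCOMP_RET_KILL SECCOMP_RET_KILL_THREAD
 #define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
 #define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */
 #define SECCOMP_RET_TRACE 0x7ff00000U /* pass to a tracer or disallow */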
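Review bot: The compatibility alias on new line 31, `#define SECCOMP_RET_KILL SECCOMP_RET_KILL_THREAD`, carries no comment, so a reader of this UAPI header cannot tell whether it is a distinct action or the old spelling kept for existing userspace. Suggest `#define SECCOMP_RET_KILL SECCOMP_RET_KILL_THREAD /* legacy name, kept for userspace compatibility */`, which matches what the commit description says the alias is for. Since this header is user-visible ABI, the alias should also be stated as permanent rather than transitional, or the description should say when it may go away.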
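--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -192,7 +192,7 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd,
 
 /* Ensure unexpected behavior doesn't result in failing open. */
 if (unlikely(WARN_ON(f == NULL)))
-return SECCOMP_RET_KILL;
+return SECCOMP_RET_KILL_THREAD;
 
 if (!sd) {
 populate_seccomp_data(&sd_local);
@@ -529,15 +529,17 @@ static void seccomp_send_sigsys(int syscall, int reason)
 #endif /* CONFIG_SECCOMP_FILTER */
 
 /* For use with seccomp_actions_logged */
-#define SECCOMP_LOG_KILL (1 << 0)
+#define SECCOMP_LOG_KILL_THREAD (1 << 0)
 #define SECCOMP_LOG_TRAP (1 << 2)
 #define SECCOMP_LOG_ERRNO (1 << 3)
 #define SECCOMP_LOG_TRACE (1 << 4)
 #define SECCOMP_LOG_LOG (1 << 5)
 #define SECCOMP_LOG_ALLOW (1 << 6)
 
-static u32 seccomp_actions_logged = SECCOMP_LOG_KILL | SECCOMP_LOG_TRAP |
-SECCOMP_LOG_ERRNO | SECCOMP_LOG_TRACE |
+static u32 seccomp_actions_logged = SECCOMP_LOG_KILL_THREAD |
+SECCOMP_LOG_TRAP |
+SECCOMP_LOG_ERRNO |
+SECCOMP_LOG_TRACE |
 SECCOMP_LOG_LOG;
 
 static inline void seccomp_log(unsigned long syscall, long signr, u32 action,
@@ -560,13 +562,13 @@ static inline void seccomp_log(unsigned long syscall, long signr, u32 action,
 case SECCOMP_RET_LOG:
 log = seccomp_actions_logged & SECCOMP_LOG_LOG;
 break;
-case SECCOMP_RET_KILL:
+case SECCOMP_RET_KILL_THREAD:
 default:
-log = seccomp_actions_logged & SECCOMP_LOG_KILL;
+log = seccomp_actions_logged & SECCOMP_LOG_KILL_THREAD;
 }
 
 /*
-* Force an audit message to be emitted when the action is RET_KILL,
+* Force an audit message to be emitted when the action is RET_KILL_*,
 * RET_LOG, or the FILTER_FLAG_LOG bit was set and the action is
 * allowed to be logged by the admin.
 */
@@ -605,7 +607,7 @@ static void __secure_computing_strict(int this_syscall)
 #ifdef SECCOMP_DEBUG
 dump_stack();
 #endif
-seccomp_log(this_syscall, SIGKILL, SECCOMP_RET_KILL, true);
+seccomp_log(this_syscall, SIGKILL, SECCOMP_RET_KILL_THREAD, true);
 do_exit(SIGKILL);
 }
 
@@ -716,7 +718,7 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd,
 */
 return 0;
 
-case SECCOMP_RET_KILL:
+case SECCOMP_RET_KILL_THREAD:
 default:
 seccomp_log(this_syscall, SIGSYS, action, true);
 /* Dump core only if this is the last remaining thread. */
@@ -878,7 +880,7 @@ static long seccomp_get_action_avail(const char __user *uaction)
 return -EFAULT;
 
 switch (action) {
-case SECCOMP_RET_KILL:
+case SECCOMP_RET_KILL_THREAD:
 case SECCOMP_RET_TRAP:
 case SECCOMP_RET_ERRNO:
 case SECCOMP_RET_TRACE:
@@ -1029,19 +1031,20 @@ out:
 #ifdef CONFIG_SYSCTL
 
 /* Human readable action names for friendly sysctl interaction */
-#define SECCOMP_RET_KILL_NAME "kill"
+#define SECCOMP_RET_KILL_THREAD_NAME "kill_thread"
 #define SECCOMP_RET_TRAP_NAME "trap"
 #define SECCOMP_RET_ERRNO_NAME "errno"
 #define SECCOMP_RET_TRACE_NAME "trace"
 #define SECCOMP_RET_LOG_NAME "log"
 #define SECCOMP_RET_ALLOW_NAME "allow"
 
-static const char seccomp_actions_avail[] = SECCOMP_RET_KILL_NAME " "
-SECCOMP_RET_TRAP_NAME " "
-SECCOMP_RET_ERRNO_NAME " "
-SECCOMP_RET_TRACE_NAME " "
-SECCOMP_RET_LOG_NAME " "
-SECCOMP_RET_ALLOW_NAME;
+static const char seccomp_actions_avail[] =
+SECCOMP_RET_KILL_THREAD_NAME " "
+SECCOMP_RET_TRAP_NAME " "
+SECCOMP_RET_ERRNO_NAME " "
+SECCOMP_RET_TRACE_NAME " "
+SECCOMP_RET_LOG_NAME " "
+SECCOMP_RET_ALLOW_NAME;
 
 struct seccomp_log_name {
 u32 log;
@@ -1049,7 +1052,7 @@ struct seccomp_log_name {
 };
 
 static const struct seccomp_log_name seccomp_log_names[] = {
-{ SECCOMP_LOG_KILL, SECCOMP_RET_KILL_NAME },
+{ SECCOMP_LOG_KILL_THREAD, SECCOMP_RET_KILL_THREAD_NAME },
 { SECCOMP_LOG_TRAP, SECCOMP_RET_TRAP_NAME },
 { SECCOMP_LOG_ERRNO, SECCOMP_RET_ERRNO_NAME },
 { SECCOMP_LOG_TRACE, SECCOMP_RET_TRACE_NAME },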
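Review bot: The sysctl-facing string in the @@ -1029 hunk changes from "kill" to "kill_thread" (SECCOMP_RET_KILL_THREAD_NAME at new line 1034, consumed by seccomp_actions_avail and by the seccomp_log_names table in the final hunk), but unlike the UAPI header no alias for the old spelling is kept, so administrator tooling that writes "kill" into the actions_logged sysctl would presumably stop matching. If these names have already shipped in a released kernel, consider keeping a second table entry `{ SECCOMP_LOG_KILL_THREAD, "kill" },` in seccomp_log_names, or otherwise call out the rename in the commit message as a deliberate interface change. The seccomp_log() hunk keeps `default:` grouped with SECCOMP_RET_KILL_THREAD, so unknown action values are still logged and treated as a kill, which preserves the fail-closed intent of the comment at line 193; the enclosing functions of each hunk start and end outside what is shown.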
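--- a/samples/seccomp/bpf-direct.c
+++ b/samples/seccomp/bpf-direct.c
@@ -129,7 +129,7 @@ static int install_filter(void)
 /* Check that read is only using stdin. */
 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_arg(0)),
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, STDIN_FILENO, 4, 0),
-BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_THREAD),
 
 /* Check that write is only using stdout */
 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_arg(0)),
@@ -139,7 +139,7 @@ static int install_filter(void)
 
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP),
-BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_THREAD),
 };
 struct sock_fprog prog = {
 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),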
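--- a/samples/seccomp/bpf-helper.h
+++ b/samples/seccomp/bpf-helper.h
@@ -44,7 +44,7 @@ void seccomp_bpf_print(struct sock_filter *filter, size_t count);
 #define ALLOW \
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 #define DENY \
-BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_THREAD)
 #define JUMP(labels, label) \
 BPF_JUMP(BPF_JMP+BPF_JA, FIND_LABEL((labels), (label)), \
 JUMP_JT, JUMP_JF)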
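--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -68,15 +68,18 @@
 #define SECCOMP_MODE_FILTER 2
 #endif
 
+#ifndef SECCOMP_RET_KILL_THREAD
+#define SECCOMP_RET_KILL_THREAD 0x00000000U /* kill the thread */
+#endif
 #ifndef SECCOMP_RET_KILL
-#define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */
+#define SECCOMP_RET_KILL SECCOMP_RET_KILL_THREAD
 #define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
 #define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */
 #define SECCOMP_RET_TRACE 0x7ff00000U /* pass to a tracer or disallow */
 #define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
 #endif
 #ifndef SECCOMP_RET_LOG
 #define SECCOMP_RET_LOG 0x7ffc0000U /* allow after logging */
 #endif
 
 #ifndef SECCOMP_RET_ACTION
@@ -2696,7 +2699,7 @@ TEST_SIGNAL(filter_flag_log, SIGSYS)
 
 TEST(get_action_avail)
 {
-__u32 actions[] = { SECCOMP_RET_KILL, SECCOMP_RET_TRAP,
+__u32 actions[] = { SECCOMP_RET_KILL_THREAD, SECCOMP_RET_TRAP,
 SECCOMP_RET_ERRNO, SECCOMP_RET_TRACE,
 SECCOMP_RET_LOG, SECCOMP_RET_ALLOW };
 __u32 unknown_action = 0x10000000U;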
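Review bot: get_action_avail at new line 2702 switches its first entry to SECCOMP_RET_KILL_THREAD, which contradicts the commit description's statement that the existing selftest values are intentionally left as SECCOMP_RET_KILL to exercise the alias. Either keep `__u32 actions[] = { SECCOMP_RET_KILL, SECCOMP_RET_TRAP,` so the alias is also exercised through the get_action_avail path, or state in the description that this test deliberately uses the new name. The fallback block at new lines 71-73 looks right: SECCOMP_RET_KILL_THREAD is defined before the `#ifndef SECCOMP_RET_KILL` block aliases to it, so the test should still build against a system header that predates the rename. The body of get_action_avail continues past the end of the hunk.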