Merge branch 'next-seccomp' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull seccomp updates from James Morris: - Add SECCOMP_RET_USER_NOTIF - seccomp fixes for sparse warnings and s390 build (Tycho) * 'next-seccomp' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: seccomp, s390: fix build for syscall type change seccomp: fix poor type promotion samples: add an example of seccomp user trap seccomp: add a return code to trap to userspace seccomp: switch system call argument type to void * seccomp: hoist struct seccomp_data recalculation higher
author: Linus Torvalds <torvalds@linux-foundation.org> 2019-01-02 12:48:13 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2019-01-02 12:48:13 -0500
commit: d9a7fa67b4bfe6ce93ee9aab23ae2e7ca0763e84 (patch)
tree: ea15c22c088160107c09da1c8d380753bb0c8d21 /include
parent: f218a29c25ad8abdb961435d6b8139f462061364 (diff)
parent: 55b8cbe470d103b44104c64dbf89e5cad525d4e0 (diff)
3 files changed, 43 insertions, 8 deletions
diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h
index e5320f6c8654..84868d37b35d 100644
--- a/include/linux/seccomp.h
+++ b/include/linux/seccomp.h
@@ -4,9 +4,10 @@
 #include <uapi/linux/seccomp.h>
-#define SECCOMP_FILTER_FLAG_MASK        (SECCOMP_FILTER_FLAG_TSYNC      | \
+#define SECCOMP_FILTER_FLAG_MASK        (SECCOMP_FILTER_FLAG_TSYNC | \
-                                         SECCOMP_FILTER_FLAG_LOG        | \
+                                         SECCOMP_FILTER_FLAG_LOG | \
-                                         SECCOMP_FILTER_FLAG_SPEC_ALLOW)
+                                         SECCOMP_FILTER_FLAG_SPEC_ALLOW | \
+                                         SECCOMP_FILTER_FLAG_NEW_LISTENER)
 #ifdef CONFIG_SECCOMP
@@ -43,7 +44,7 @@ extern void secure_computing_strict(int this_syscall);
 #endif
 extern long prctl_get_seccomp(void);
-extern long prctl_set_seccomp(unsigned long, char __user *);
+extern long prctl_set_seccomp(unsigned long, void __user *);
 static inline int seccomp_mode(struct seccomp *s)
 {
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
index 251979d2e709..257cccba3062 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -898,7 +898,7 @@ asmlinkage long sys_renameat2(int olddfd, const char __user *oldname,
                              int newdfd, const char __user *newname,
                              unsigned int flags);
 asmlinkage long sys_seccomp(unsigned int op, unsigned int flags,
-                            const char __user *uargs);
+                            void __user *uargs);
 asmlinkage long sys_getrandom(char __user *buf, size_t count,
                              unsigned int flags);
 asmlinkage long sys_memfd_create(const char __user *uname_ptr, unsigned int flags);
diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h
index 9efc0e73d50b..90734aa5aa36 100644
--- a/include/uapi/linux/seccomp.h
+++ b/include/uapi/linux/seccomp.h
@@ -15,11 +15,13 @@
 #define SECCOMP_SET_MODE_STRICT         0
 #define SECCOMP_SET_MODE_FILTER         1
 #define SECCOMP_GET_ACTION_AVAIL        2
+#define SECCOMP_GET_NOTIF_SIZES         3
 /* Valid flags for SECCOMP_SET_MODE_FILTER */
-#define SECCOMP_FILTER_FLAG_TSYNC       (1UL << 0)
+#define SECCOMP_FILTER_FLAG_TSYNC               (1UL << 0)
-#define SECCOMP_FILTER_FLAG_LOG         (1UL << 1)
+#define SECCOMP_FILTER_FLAG_LOG                 (1UL << 1)
-#define SECCOMP_FILTER_FLAG_SPEC_ALLOW  (1UL << 2)
+#define SECCOMP_FILTER_FLAG_SPEC_ALLOW          (1UL << 2)
+#define SECCOMP_FILTER_FLAG_NEW_LISTENER        (1UL << 3)
 /*
 * All BPF programs must return a 32-bit value.
@@ -35,6 +37,7 @@
 #define SECCOMP_RET_KILL         SECCOMP_RET_KILL_THREAD
 #define SECCOMP_RET_TRAP         0x00030000U /* disallow and force a SIGSYS */
 #define SECCOMP_RET_ERRNO        0x00050000U /* returns an errno */
+#define SECCOMP_RET_USER_NOTIF   0x7fc00000U /* notifies userspace */
 #define SECCOMP_RET_TRACE        0x7ff00000U /* pass to a tracer or disallow */
 #define SECCOMP_RET_LOG          0x7ffc0000U /* allow after logging */
 #define SECCOMP_RET_ALLOW        0x7fff0000U /* allow */
@@ -60,4 +63,35 @@ struct seccomp_data {
        __u64 args[6];
 };
+struct seccomp_notif_sizes {
+        __u16 seccomp_notif;
+        __u16 seccomp_notif_resp;
+        __u16 seccomp_data;
+};
+struct seccomp_notif {
+        __u64 id;
+        __u32 pid;
+        __u32 flags;
+        struct seccomp_data data;
+};
+struct seccomp_notif_resp {
+        __u64 id;
+        __s64 val;
+        __s32 error;
+        __u32 flags;
+};
+#define SECCOMP_IOC_MAGIC               '!'
+#define SECCOMP_IO(nr)                  _IO(SECCOMP_IOC_MAGIC, nr)
+#define SECCOMP_IOR(nr, type)           _IOR(SECCOMP_IOC_MAGIC, nr, type)
+#define SECCOMP_IOW(nr, type)           _IOW(SECCOMP_IOC_MAGIC, nr, type)
+#define SECCOMP_IOWR(nr, type)          _IOWR(SECCOMP_IOC_MAGIC, nr, type)
+/* Flags for seccomp notification fd ioctl. */
+#define SECCOMP_IOCTL_NOTIF_RECV        SECCOMP_IOWR(0, struct seccomp_notif)
+#define SECCOMP_IOCTL_NOTIF_SEND        SECCOMP_IOWR(1, \
+                                                struct seccomp_notif_resp)
+#define SECCOMP_IOCTL_NOTIF_ID_VALID    SECCOMP_IOR(2, __u64)
 #endif /* _UAPI_LINUX_SECCOMP_H */
author	Linus Torvalds <torvalds@linux-foundation.org>	2019-01-02 12:48:13 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2019-01-02 12:48:13 -0500
commit	d9a7fa67b4bfe6ce93ee9aab23ae2e7ca0763e84 (patch)
tree	ea15c22c088160107c09da1c8d380753bb0c8d21 /include
parent	f218a29c25ad8abdb961435d6b8139f462061364 (diff)
parent	55b8cbe470d103b44104c64dbf89e5cad525d4e0 (diff)