aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPaul Mundt <lethal@linux-sh.org>2008-07-30 02:30:52 -0400
committerPaul Mundt <lethal@linux-sh.org>2008-08-01 15:39:32 -0400
commitc4637d475170ca0d99973efd07df727012db6cd1 (patch)
tree8d2f6581dfaf0ea148753845513fff3dd53ce13f
parentcec3fd3e2a7cacf37e2bd6d9fa915337245cc563 (diff)
sh: seccomp support.
This hooks up the seccomp thread flag and associated callback from the syscall tracer. Signed-off-by: Paul Mundt <lethal@linux-sh.org>
-rw-r--r--arch/sh/Kconfig17
-rw-r--r--arch/sh/include/asm/seccomp.h10
-rw-r--r--arch/sh/include/asm/thread_info.h6
-rw-r--r--arch/sh/kernel/ptrace_32.c3
-rw-r--r--arch/sh/kernel/ptrace_64.c3
5 files changed, 37 insertions, 2 deletions
diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig
index cb992c3d6b71..0ae541107f3f 100644
--- a/arch/sh/Kconfig
+++ b/arch/sh/Kconfig
@@ -483,6 +483,23 @@ config CRASH_DUMP
483 483
484 For more details see Documentation/kdump/kdump.txt 484 For more details see Documentation/kdump/kdump.txt
485 485
486config SECCOMP
487 bool "Enable seccomp to safely compute untrusted bytecode"
488 depends on PROC_FS
489 default y
490 help
491 This kernel feature is useful for number crunching applications
492 that may need to compute untrusted bytecode during their
493 execution. By using pipes or other transports made available to
494 the process as file descriptors supporting the read/write
495 syscalls, it's possible to isolate those applications in
496 their own address space using seccomp. Once seccomp is
497 enabled via prctl, it cannot be disabled and the task is only
498 allowed to execute a few safe syscalls defined by each seccomp
499 mode.
500
501 If unsure, say N.
502
486config SMP 503config SMP
487 bool "Symmetric multi-processing support" 504 bool "Symmetric multi-processing support"
488 depends on SYS_SUPPORTS_SMP 505 depends on SYS_SUPPORTS_SMP
diff --git a/arch/sh/include/asm/seccomp.h b/arch/sh/include/asm/seccomp.h
new file mode 100644
index 000000000000..3280ed3802ef
--- /dev/null
+++ b/arch/sh/include/asm/seccomp.h
@@ -0,0 +1,10 @@
1#ifndef __ASM_SECCOMP_H
2
3#include <linux/unistd.h>
4
5#define __NR_seccomp_read __NR_read
6#define __NR_seccomp_write __NR_write
7#define __NR_seccomp_exit __NR_exit
8#define __NR_seccomp_sigreturn __NR_rt_sigreturn
9
10#endif /* __ASM_SECCOMP_H */
diff --git a/arch/sh/include/asm/thread_info.h b/arch/sh/include/asm/thread_info.h
index c05b1afd1324..03d1e386670c 100644
--- a/arch/sh/include/asm/thread_info.h
+++ b/arch/sh/include/asm/thread_info.h
@@ -117,7 +117,8 @@ static inline struct thread_info *current_thread_info(void)
117#define TIF_NEED_RESCHED 2 /* rescheduling necessary */ 117#define TIF_NEED_RESCHED 2 /* rescheduling necessary */
118#define TIF_RESTORE_SIGMASK 3 /* restore signal mask in do_signal() */ 118#define TIF_RESTORE_SIGMASK 3 /* restore signal mask in do_signal() */
119#define TIF_SINGLESTEP 4 /* singlestepping active */ 119#define TIF_SINGLESTEP 4 /* singlestepping active */
120#define TIF_SYSCALL_AUDIT 5 120#define TIF_SYSCALL_AUDIT 5 /* syscall auditing active */
121#define TIF_SECCOMP 6 /* secure computing */
121#define TIF_USEDFPU 16 /* FPU was used by this task this quantum (SMP) */ 122#define TIF_USEDFPU 16 /* FPU was used by this task this quantum (SMP) */
122#define TIF_POLLING_NRFLAG 17 /* true if poll_idle() is polling TIF_NEED_RESCHED */ 123#define TIF_POLLING_NRFLAG 17 /* true if poll_idle() is polling TIF_NEED_RESCHED */
123#define TIF_MEMDIE 18 124#define TIF_MEMDIE 18
@@ -129,6 +130,7 @@ static inline struct thread_info *current_thread_info(void)
129#define _TIF_RESTORE_SIGMASK (1 << TIF_RESTORE_SIGMASK) 130#define _TIF_RESTORE_SIGMASK (1 << TIF_RESTORE_SIGMASK)
130#define _TIF_SINGLESTEP (1 << TIF_SINGLESTEP) 131#define _TIF_SINGLESTEP (1 << TIF_SINGLESTEP)
131#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT) 132#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
133#define _TIF_SECCOMP (1 << TIF_SECCOMP)
132#define _TIF_USEDFPU (1 << TIF_USEDFPU) 134#define _TIF_USEDFPU (1 << TIF_USEDFPU)
133#define _TIF_POLLING_NRFLAG (1 << TIF_POLLING_NRFLAG) 135#define _TIF_POLLING_NRFLAG (1 << TIF_POLLING_NRFLAG)
134#define _TIF_FREEZE (1 << TIF_FREEZE) 136#define _TIF_FREEZE (1 << TIF_FREEZE)
@@ -141,7 +143,7 @@ static inline struct thread_info *current_thread_info(void)
141 143
142/* work to do in syscall trace */ 144/* work to do in syscall trace */
143#define _TIF_WORK_SYSCALL_MASK (_TIF_SYSCALL_TRACE | _TIF_SINGLESTEP | \ 145#define _TIF_WORK_SYSCALL_MASK (_TIF_SYSCALL_TRACE | _TIF_SINGLESTEP | \
144 _TIF_SYSCALL_AUDIT) 146 _TIF_SYSCALL_AUDIT | _TIF_SECCOMP)
145 147
146/* work to do on any return to u-space */ 148/* work to do on any return to u-space */
147#define _TIF_ALLWORK_MASK (_TIF_SYSCALL_TRACE | _TIF_SIGPENDING | \ 149#define _TIF_ALLWORK_MASK (_TIF_SYSCALL_TRACE | _TIF_SIGPENDING | \
diff --git a/arch/sh/kernel/ptrace_32.c b/arch/sh/kernel/ptrace_32.c
index 2bc72def5cf8..e9bd4b2aa9c2 100644
--- a/arch/sh/kernel/ptrace_32.c
+++ b/arch/sh/kernel/ptrace_32.c
@@ -20,6 +20,7 @@
20#include <linux/signal.h> 20#include <linux/signal.h>
21#include <linux/io.h> 21#include <linux/io.h>
22#include <linux/audit.h> 22#include <linux/audit.h>
23#include <linux/seccomp.h>
23#include <asm/uaccess.h> 24#include <asm/uaccess.h>
24#include <asm/pgtable.h> 25#include <asm/pgtable.h>
25#include <asm/system.h> 26#include <asm/system.h>
@@ -276,6 +277,8 @@ asmlinkage void do_syscall_trace(struct pt_regs *regs, int entryexit)
276{ 277{
277 struct task_struct *tsk = current; 278 struct task_struct *tsk = current;
278 279
280 secure_computing(regs->regs[0]);
281
279 if (unlikely(current->audit_context) && entryexit) 282 if (unlikely(current->audit_context) && entryexit)
280 audit_syscall_exit(AUDITSC_RESULT(regs->regs[0]), 283 audit_syscall_exit(AUDITSC_RESULT(regs->regs[0]),
281 regs->regs[0]); 284 regs->regs[0]);
diff --git a/arch/sh/kernel/ptrace_64.c b/arch/sh/kernel/ptrace_64.c
index d453c47dc522..7d8776260953 100644
--- a/arch/sh/kernel/ptrace_64.c
+++ b/arch/sh/kernel/ptrace_64.c
@@ -27,6 +27,7 @@
27#include <linux/signal.h> 27#include <linux/signal.h>
28#include <linux/syscalls.h> 28#include <linux/syscalls.h>
29#include <linux/audit.h> 29#include <linux/audit.h>
30#include <linux/seccomp.h>
30#include <asm/io.h> 31#include <asm/io.h>
31#include <asm/uaccess.h> 32#include <asm/uaccess.h>
32#include <asm/pgtable.h> 33#include <asm/pgtable.h>
@@ -277,6 +278,8 @@ asmlinkage void syscall_trace(struct pt_regs *regs, int entryexit)
277{ 278{
278 struct task_struct *tsk = current; 279 struct task_struct *tsk = current;
279 280
281 secure_computing(regs->regs[9]);
282
280 if (unlikely(current->audit_context) && entryexit) 283 if (unlikely(current->audit_context) && entryexit)
281 audit_syscall_exit(AUDITSC_RESULT(regs->regs[9]), 284 audit_syscall_exit(AUDITSC_RESULT(regs->regs[9]),
282 regs->regs[9]); 285 regs->regs[9]);