aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHeiko Carstens <heiko.carstens@de.ibm.com>2009-06-12 04:26:26 -0400
committerMartin Schwidefsky <schwidefsky@de.ibm.com>2009-06-12 04:27:31 -0400
commitbcf5cef7db869dd3b0ec55ad99641e66b2f5cf02 (patch)
tree56119ef1804f60122aba7b780768938936d180a1
parent7757591ab4a36314a258e181dbf0994415c288c2 (diff)
[S390] secure computing arch backend
Enable secure computing on s390 as well. Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
-rw-r--r--arch/s390/Kconfig18
-rw-r--r--arch/s390/include/asm/seccomp.h16
-rw-r--r--arch/s390/include/asm/thread_info.h10
-rw-r--r--arch/s390/kernel/entry.S5
-rw-r--r--arch/s390/kernel/entry64.S5
-rw-r--r--arch/s390/kernel/ptrace.c6
6 files changed, 51 insertions, 9 deletions
diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
index 2eca5fe0e75b..1094787e97e5 100644
--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig
@@ -567,6 +567,24 @@ bool "s390 guest support for KVM (EXPERIMENTAL)"
567 the KVM hypervisor. This will add detection for KVM as well as a 567 the KVM hypervisor. This will add detection for KVM as well as a
568 virtio transport. If KVM is detected, the virtio console will be 568 virtio transport. If KVM is detected, the virtio console will be
569 the default console. 569 the default console.
570
571config SECCOMP
572 bool "Enable seccomp to safely compute untrusted bytecode"
573 depends on PROC_FS
574 default y
575 help
576 This kernel feature is useful for number crunching applications
577 that may need to compute untrusted bytecode during their
578 execution. By using pipes or other transports made available to
579 the process as file descriptors supporting the read/write
580 syscalls, it's possible to isolate those applications in
581 their own address space using seccomp. Once seccomp is
582 enabled via /proc/<pid>/seccomp, it cannot be disabled
583 and the task is only allowed to execute a few safe syscalls
584 defined by each seccomp mode.
585
586 If unsure, say Y.
587
570endmenu 588endmenu
571 589
572source "net/Kconfig" 590source "net/Kconfig"
diff --git a/arch/s390/include/asm/seccomp.h b/arch/s390/include/asm/seccomp.h
new file mode 100644
index 000000000000..781a9cf9b002
--- /dev/null
+++ b/arch/s390/include/asm/seccomp.h
@@ -0,0 +1,16 @@
1#ifndef _ASM_S390_SECCOMP_H
2#define _ASM_S390_SECCOMP_H
3
4#include <linux/unistd.h>
5
6#define __NR_seccomp_read __NR_read
7#define __NR_seccomp_write __NR_write
8#define __NR_seccomp_exit __NR_exit
9#define __NR_seccomp_sigreturn __NR_sigreturn
10
11#define __NR_seccomp_read_32 __NR_read
12#define __NR_seccomp_write_32 __NR_write
13#define __NR_seccomp_exit_32 __NR_exit
14#define __NR_seccomp_sigreturn_32 __NR_sigreturn
15
16#endif /* _ASM_S390_SECCOMP_H */
diff --git a/arch/s390/include/asm/thread_info.h b/arch/s390/include/asm/thread_info.h
index 461f2abd2e6f..2f86653dda69 100644
--- a/arch/s390/include/asm/thread_info.h
+++ b/arch/s390/include/asm/thread_info.h
@@ -83,14 +83,15 @@ static inline struct thread_info *current_thread_info(void)
83/* 83/*
84 * thread information flags bit numbers 84 * thread information flags bit numbers
85 */ 85 */
86#define TIF_SYSCALL_TRACE 0 /* syscall trace active */
87#define TIF_NOTIFY_RESUME 1 /* callback before returning to user */ 86#define TIF_NOTIFY_RESUME 1 /* callback before returning to user */
88#define TIF_SIGPENDING 2 /* signal pending */ 87#define TIF_SIGPENDING 2 /* signal pending */
89#define TIF_NEED_RESCHED 3 /* rescheduling necessary */ 88#define TIF_NEED_RESCHED 3 /* rescheduling necessary */
90#define TIF_RESTART_SVC 4 /* restart svc with new svc number */ 89#define TIF_RESTART_SVC 4 /* restart svc with new svc number */
91#define TIF_SYSCALL_AUDIT 5 /* syscall auditing active */
92#define TIF_SINGLE_STEP 6 /* deliver sigtrap on return to user */ 90#define TIF_SINGLE_STEP 6 /* deliver sigtrap on return to user */
93#define TIF_MCCK_PENDING 7 /* machine check handling is pending */ 91#define TIF_MCCK_PENDING 7 /* machine check handling is pending */
92#define TIF_SYSCALL_TRACE 8 /* syscall trace active */
93#define TIF_SYSCALL_AUDIT 9 /* syscall auditing active */
94#define TIF_SECCOMP 10 /* secure computing */
94#define TIF_USEDFPU 16 /* FPU was used by this task this quantum (SMP) */ 95#define TIF_USEDFPU 16 /* FPU was used by this task this quantum (SMP) */
95#define TIF_POLLING_NRFLAG 17 /* true if poll_idle() is polling 96#define TIF_POLLING_NRFLAG 17 /* true if poll_idle() is polling
96 TIF_NEED_RESCHED */ 97 TIF_NEED_RESCHED */
@@ -99,15 +100,16 @@ static inline struct thread_info *current_thread_info(void)
99#define TIF_RESTORE_SIGMASK 20 /* restore signal mask in do_signal() */ 100#define TIF_RESTORE_SIGMASK 20 /* restore signal mask in do_signal() */
100#define TIF_FREEZE 21 /* thread is freezing for suspend */ 101#define TIF_FREEZE 21 /* thread is freezing for suspend */
101 102
102#define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE)
103#define _TIF_NOTIFY_RESUME (1<<TIF_NOTIFY_RESUME) 103#define _TIF_NOTIFY_RESUME (1<<TIF_NOTIFY_RESUME)
104#define _TIF_RESTORE_SIGMASK (1<<TIF_RESTORE_SIGMASK) 104#define _TIF_RESTORE_SIGMASK (1<<TIF_RESTORE_SIGMASK)
105#define _TIF_SIGPENDING (1<<TIF_SIGPENDING) 105#define _TIF_SIGPENDING (1<<TIF_SIGPENDING)
106#define _TIF_NEED_RESCHED (1<<TIF_NEED_RESCHED) 106#define _TIF_NEED_RESCHED (1<<TIF_NEED_RESCHED)
107#define _TIF_RESTART_SVC (1<<TIF_RESTART_SVC) 107#define _TIF_RESTART_SVC (1<<TIF_RESTART_SVC)
108#define _TIF_SYSCALL_AUDIT (1<<TIF_SYSCALL_AUDIT)
109#define _TIF_SINGLE_STEP (1<<TIF_SINGLE_STEP) 108#define _TIF_SINGLE_STEP (1<<TIF_SINGLE_STEP)
110#define _TIF_MCCK_PENDING (1<<TIF_MCCK_PENDING) 109#define _TIF_MCCK_PENDING (1<<TIF_MCCK_PENDING)
110#define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE)
111#define _TIF_SYSCALL_AUDIT (1<<TIF_SYSCALL_AUDIT)
112#define _TIF_SECCOMP (1<<TIF_SECCOMP)
111#define _TIF_USEDFPU (1<<TIF_USEDFPU) 113#define _TIF_USEDFPU (1<<TIF_USEDFPU)
112#define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG) 114#define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG)
113#define _TIF_31BIT (1<<TIF_31BIT) 115#define _TIF_31BIT (1<<TIF_31BIT)
diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S
index f3e275934213..db25cdc21e12 100644
--- a/arch/s390/kernel/entry.S
+++ b/arch/s390/kernel/entry.S
@@ -53,6 +53,7 @@ _TIF_WORK_SVC = (_TIF_SIGPENDING | _TIF_NOTIFY_RESUME | _TIF_NEED_RESCHED | \
53 _TIF_MCCK_PENDING | _TIF_RESTART_SVC | _TIF_SINGLE_STEP ) 53 _TIF_MCCK_PENDING | _TIF_RESTART_SVC | _TIF_SINGLE_STEP )
54_TIF_WORK_INT = (_TIF_SIGPENDING | _TIF_NOTIFY_RESUME | _TIF_NEED_RESCHED | \ 54_TIF_WORK_INT = (_TIF_SIGPENDING | _TIF_NOTIFY_RESUME | _TIF_NEED_RESCHED | \
55 _TIF_MCCK_PENDING) 55 _TIF_MCCK_PENDING)
56_TIF_SYSCALL = (_TIF_SYSCALL_TRACE>>8 | _TIF_SYSCALL_AUDIT>>8 | _TIF_SECCOMP>>8)
56 57
57STACK_SHIFT = PAGE_SHIFT + THREAD_ORDER 58STACK_SHIFT = PAGE_SHIFT + THREAD_ORDER
58STACK_SIZE = 1 << STACK_SHIFT 59STACK_SIZE = 1 << STACK_SHIFT
@@ -265,7 +266,7 @@ sysc_do_restart:
265 sth %r7,SP_SVCNR(%r15) 266 sth %r7,SP_SVCNR(%r15)
266 sll %r7,2 # svc number *4 267 sll %r7,2 # svc number *4
267 l %r8,BASED(.Lsysc_table) 268 l %r8,BASED(.Lsysc_table)
268 tm __TI_flags+3(%r9),(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT) 269 tm __TI_flags+2(%r9),_TIF_SYSCALL
269 l %r8,0(%r7,%r8) # get system call addr. 270 l %r8,0(%r7,%r8) # get system call addr.
270 bnz BASED(sysc_tracesys) 271 bnz BASED(sysc_tracesys)
271 basr %r14,%r8 # call sys_xxxx 272 basr %r14,%r8 # call sys_xxxx
@@ -405,7 +406,7 @@ sysc_tracego:
405 basr %r14,%r8 # call sys_xxx 406 basr %r14,%r8 # call sys_xxx
406 st %r2,SP_R2(%r15) # store return value 407 st %r2,SP_R2(%r15) # store return value
407sysc_tracenogo: 408sysc_tracenogo:
408 tm __TI_flags+3(%r9),(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT) 409 tm __TI_flags+2(%r9),_TIF_SYSCALL
409 bz BASED(sysc_return) 410 bz BASED(sysc_return)
410 l %r1,BASED(.Ltrace_exit) 411 l %r1,BASED(.Ltrace_exit)
411 la %r2,SP_PTREGS(%r15) # load pt_regs 412 la %r2,SP_PTREGS(%r15) # load pt_regs
diff --git a/arch/s390/kernel/entry64.S b/arch/s390/kernel/entry64.S
index 84a105838e03..3cec9b504f5f 100644
--- a/arch/s390/kernel/entry64.S
+++ b/arch/s390/kernel/entry64.S
@@ -56,6 +56,7 @@ _TIF_WORK_SVC = (_TIF_SIGPENDING | _TIF_NOTIFY_RESUME | _TIF_NEED_RESCHED | \
56 _TIF_MCCK_PENDING | _TIF_RESTART_SVC | _TIF_SINGLE_STEP ) 56 _TIF_MCCK_PENDING | _TIF_RESTART_SVC | _TIF_SINGLE_STEP )
57_TIF_WORK_INT = (_TIF_SIGPENDING | _TIF_NOTIFY_RESUME | _TIF_NEED_RESCHED | \ 57_TIF_WORK_INT = (_TIF_SIGPENDING | _TIF_NOTIFY_RESUME | _TIF_NEED_RESCHED | \
58 _TIF_MCCK_PENDING) 58 _TIF_MCCK_PENDING)
59_TIF_SYSCALL = (_TIF_SYSCALL_TRACE>>8 | _TIF_SYSCALL_AUDIT>>8 | _TIF_SECCOMP>>8)
59 60
60#define BASED(name) name-system_call(%r13) 61#define BASED(name) name-system_call(%r13)
61 62
@@ -260,7 +261,7 @@ sysc_do_restart:
260 larl %r10,sys_call_table_emu # use 31 bit emulation system calls 261 larl %r10,sys_call_table_emu # use 31 bit emulation system calls
261sysc_noemu: 262sysc_noemu:
262#endif 263#endif
263 tm __TI_flags+7(%r9),(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT) 264 tm __TI_flags+6(%r9),_TIF_SYSCALL
264 lgf %r8,0(%r7,%r10) # load address of system call routine 265 lgf %r8,0(%r7,%r10) # load address of system call routine
265 jnz sysc_tracesys 266 jnz sysc_tracesys
266 basr %r14,%r8 # call sys_xxxx 267 basr %r14,%r8 # call sys_xxxx
@@ -391,7 +392,7 @@ sysc_tracego:
391 basr %r14,%r8 # call sys_xxx 392 basr %r14,%r8 # call sys_xxx
392 stg %r2,SP_R2(%r15) # store return value 393 stg %r2,SP_R2(%r15) # store return value
393sysc_tracenogo: 394sysc_tracenogo:
394 tm __TI_flags+7(%r9),(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT) 395 tm __TI_flags+6(%r9),_TIF_SYSCALL
395 jz sysc_return 396 jz sysc_return
396 la %r2,SP_PTREGS(%r15) # load pt_regs 397 la %r2,SP_PTREGS(%r15) # load pt_regs
397 larl %r14,sysc_return # return point is sysc_return 398 larl %r14,sysc_return # return point is sysc_return
diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
index 99eef179e903..b6fc1ae2ffcb 100644
--- a/arch/s390/kernel/ptrace.c
+++ b/arch/s390/kernel/ptrace.c
@@ -36,7 +36,8 @@
36#include <linux/elf.h> 36#include <linux/elf.h>
37#include <linux/regset.h> 37#include <linux/regset.h>
38#include <linux/tracehook.h> 38#include <linux/tracehook.h>
39#include <linux/compat.h> 39#include <linux/seccomp.h>
40#include <asm/compat.h>
40#include <asm/segment.h> 41#include <asm/segment.h>
41#include <asm/page.h> 42#include <asm/page.h>
42#include <asm/pgtable.h> 43#include <asm/pgtable.h>
@@ -640,6 +641,9 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs)
640{ 641{
641 long ret; 642 long ret;
642 643
644 /* Do the secure computing check first. */
645 secure_computing(regs->gprs[2]);
646
643 /* 647 /*
644 * The sysc_tracesys code in entry.S stored the system 648 * The sysc_tracesys code in entry.S stored the system
645 * call number to gprs[2]. 649 * call number to gprs[2].