diff options
| author | Kees Cook <keescook@chromium.org> | 2014-06-27 18:01:35 -0400 |
|---|---|---|
| committer | Kees Cook <keescook@chromium.org> | 2014-07-18 15:13:40 -0400 |
| commit | 3ba2530cc06eb4aee4f1f754f43d781e8a12ee09 (patch) | |
| tree | 29a898621ce07eabf881ef40123f2882d7dccc1a | |
| parent | dbd952127d11bb44a4ea30b08cc60531b6a23d71 (diff) | |
seccomp: allow mode setting across threads
This changes the mode setting helper to allow threads to change the
seccomp mode from another thread. We must maintain barriers to keep
TIF_SECCOMP synchronized with the rest of the seccomp state.
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
| -rw-r--r-- | kernel/seccomp.c | 36 |
1 files changed, 25 insertions, 11 deletions
diff --git a/kernel/seccomp.c b/kernel/seccomp.c index d5543e787e4e..9065d2c79c56 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c | |||
| @@ -173,21 +173,24 @@ static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen) | |||
| 173 | */ | 173 | */ |
| 174 | static u32 seccomp_run_filters(int syscall) | 174 | static u32 seccomp_run_filters(int syscall) |
| 175 | { | 175 | { |
| 176 | struct seccomp_filter *f; | 176 | struct seccomp_filter *f = ACCESS_ONCE(current->seccomp.filter); |
| 177 | struct seccomp_data sd; | 177 | struct seccomp_data sd; |
| 178 | u32 ret = SECCOMP_RET_ALLOW; | 178 | u32 ret = SECCOMP_RET_ALLOW; |
| 179 | 179 | ||
| 180 | /* Ensure unexpected behavior doesn't result in failing open. */ | 180 | /* Ensure unexpected behavior doesn't result in failing open. */ |
| 181 | if (WARN_ON(current->seccomp.filter == NULL)) | 181 | if (unlikely(WARN_ON(f == NULL))) |
| 182 | return SECCOMP_RET_KILL; | 182 | return SECCOMP_RET_KILL; |
| 183 | 183 | ||
| 184 | /* Make sure cross-thread synced filter points somewhere sane. */ | ||
| 185 | smp_read_barrier_depends(); | ||
| 186 | |||
| 184 | populate_seccomp_data(&sd); | 187 | populate_seccomp_data(&sd); |
| 185 | 188 | ||
| 186 | /* | 189 | /* |
| 187 | * All filters in the list are evaluated and the lowest BPF return | 190 | * All filters in the list are evaluated and the lowest BPF return |
| 188 | * value always takes priority (ignoring the DATA). | 191 | * value always takes priority (ignoring the DATA). |
| 189 | */ | 192 | */ |
| 190 | for (f = current->seccomp.filter; f; f = f->prev) { | 193 | for (; f; f = f->prev) { |
| 191 | u32 cur_ret = SK_RUN_FILTER(f->prog, (void *)&sd); | 194 | u32 cur_ret = SK_RUN_FILTER(f->prog, (void *)&sd); |
| 192 | 195 | ||
| 193 | if ((cur_ret & SECCOMP_RET_ACTION) < (ret & SECCOMP_RET_ACTION)) | 196 | if ((cur_ret & SECCOMP_RET_ACTION) < (ret & SECCOMP_RET_ACTION)) |
| @@ -207,12 +210,18 @@ static inline bool seccomp_may_assign_mode(unsigned long seccomp_mode) | |||
| 207 | return true; | 210 | return true; |
| 208 | } | 211 | } |
| 209 | 212 | ||
| 210 | static inline void seccomp_assign_mode(unsigned long seccomp_mode) | 213 | static inline void seccomp_assign_mode(struct task_struct *task, |
| 214 | unsigned long seccomp_mode) | ||
| 211 | { | 215 | { |
| 212 | BUG_ON(!spin_is_locked(¤t->sighand->siglock)); | 216 | BUG_ON(!spin_is_locked(&task->sighand->siglock)); |
| 213 | 217 | ||
| 214 | current->seccomp.mode = seccomp_mode; | 218 | task->seccomp.mode = seccomp_mode; |
| 215 | set_tsk_thread_flag(current, TIF_SECCOMP); | 219 | /* |
| 220 | * Make sure TIF_SECCOMP cannot be set before the mode (and | ||
| 221 | * filter) is set. | ||
| 222 | */ | ||
| 223 | smp_mb__before_atomic(); | ||
| 224 | set_tsk_thread_flag(task, TIF_SECCOMP); | ||
| 216 | } | 225 | } |
| 217 | 226 | ||
| 218 | #ifdef CONFIG_SECCOMP_FILTER | 227 | #ifdef CONFIG_SECCOMP_FILTER |
| @@ -435,12 +444,17 @@ static int mode1_syscalls_32[] = { | |||
| 435 | 444 | ||
| 436 | int __secure_computing(int this_syscall) | 445 | int __secure_computing(int this_syscall) |
| 437 | { | 446 | { |
| 438 | int mode = current->seccomp.mode; | ||
| 439 | int exit_sig = 0; | 447 | int exit_sig = 0; |
| 440 | int *syscall; | 448 | int *syscall; |
| 441 | u32 ret; | 449 | u32 ret; |
| 442 | 450 | ||
| 443 | switch (mode) { | 451 | /* |
| 452 | * Make sure that any changes to mode from another thread have | ||
| 453 | * been seen after TIF_SECCOMP was seen. | ||
| 454 | */ | ||
| 455 | rmb(); | ||
| 456 | |||
| 457 | switch (current->seccomp.mode) { | ||
| 444 | case SECCOMP_MODE_STRICT: | 458 | case SECCOMP_MODE_STRICT: |
| 445 | syscall = mode1_syscalls; | 459 | syscall = mode1_syscalls; |
| 446 | #ifdef CONFIG_COMPAT | 460 | #ifdef CONFIG_COMPAT |
| @@ -545,7 +559,7 @@ static long seccomp_set_mode_strict(void) | |||
| 545 | #ifdef TIF_NOTSC | 559 | #ifdef TIF_NOTSC |
| 546 | disable_TSC(); | 560 | disable_TSC(); |
| 547 | #endif | 561 | #endif |
| 548 | seccomp_assign_mode(seccomp_mode); | 562 | seccomp_assign_mode(current, seccomp_mode); |
| 549 | ret = 0; | 563 | ret = 0; |
| 550 | 564 | ||
| 551 | out: | 565 | out: |
| @@ -595,7 +609,7 @@ static long seccomp_set_mode_filter(unsigned int flags, | |||
| 595 | /* Do not free the successfully attached filter. */ | 609 | /* Do not free the successfully attached filter. */ |
| 596 | prepared = NULL; | 610 | prepared = NULL; |
| 597 | 611 | ||
| 598 | seccomp_assign_mode(seccomp_mode); | 612 | seccomp_assign_mode(current, seccomp_mode); |
| 599 | out: | 613 | out: |
| 600 | spin_unlock_irq(¤t->sighand->siglock); | 614 | spin_unlock_irq(¤t->sighand->siglock); |
| 601 | seccomp_filter_free(prepared); | 615 | seccomp_filter_free(prepared); |