seccomp,x86,arm,mips,s390: Remove nr parameter from secure_computing

The secure_computing function took a syscall number parameter, but it only paid any attention to that parameter if seccomp mode 1 was enabled. Rather than coming up with a kludge to get the parameter to work in mode 2, just remove the parameter. To avoid churn in arches that don't have seccomp filters (and may not even support syscall_get_nr right now), this leaves the parameter in secure_computing_strict, which is now a real function. For ARM, this is a bit ugly due to the fact that ARM conditionally supports seccomp filters. Fixing that would probably only be a couple of lines of code, but it should be coordinated with the audit maintainers. This will be a slight slowdown on some arches. The right fix is to pass in all of seccomp_data instead of trying to make just the syscall nr part be fast. This is a prerequisite for making two-phase seccomp work cleanly. Cc: Russell King <linux@arm.linux.org.uk> Cc: linux-arm-kernel@lists.infradead.org Cc: Ralf Baechle <ralf@linux-mips.org> Cc: linux-mips@linux-mips.org Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: Heiko Carstens <heiko.carstens@de.ibm.com> Cc: linux-s390@vger.kernel.org Cc: x86@kernel.org Cc: Kees Cook <keescook@chromium.org> Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Kees Cook <keescook@chromium.org>
author: Andy Lutomirski <luto@amacapital.net> 2014-07-21 21:49:14 -0400
committer: Kees Cook <keescook@chromium.org> 2014-09-03 17:58:17 -0400
commit: a4412fc9486ec85686c6c7929e7e829f62ae377e (patch)
tree: a267720d880085452257406ecf6f672ec8cbdbf9
parent: 70c8038dd698b44daf7c8fc7e2eca142bec694c4 (diff)
7 files changed, 66 insertions, 34 deletions
diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
index 0c27ed6f3f23..5e772a21ab97 100644
--- a/arch/arm/kernel/ptrace.c
+++ b/arch/arm/kernel/ptrace.c
@@ -933,8 +933,13 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
        current_thread_info()->syscall = scno;
        /* Do the secure computing check first; failures should be fast. */
-        if (secure_computing(scno) == -1)
+#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
+        if (secure_computing() == -1)
                return -1;
+#else
+        /* XXX: remove this once OABI gets fixed */
+        secure_computing_strict(scno);
+#endif
        if (test_thread_flag(TIF_SYSCALL_TRACE))
                tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
index 645b3c4fcfba..f7aac5b57b4b 100644
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -770,7 +770,7 @@ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall)
        long ret = 0;
        user_exit();
-        if (secure_computing(syscall) == -1)
+        if (secure_computing() == -1)
                return -1;
        if (test_thread_flag(TIF_SYSCALL_TRACE) &&
diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
index 5dc7ad9e2fbf..bebacad48305 100644
--- a/arch/s390/kernel/ptrace.c
+++ b/arch/s390/kernel/ptrace.c
@@ -803,7 +803,7 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs)
        long ret = 0;
        /* Do the secure computing check first. */
-        if (secure_computing(regs->gprs[2])) {
+        if (secure_computing()) {
                /* seccomp failures shouldn't expose any additional code. */
                ret = -1;
                goto out;
diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
index 678c0ada3b3c..93c182a00506 100644
--- a/arch/x86/kernel/ptrace.c
+++ b/arch/x86/kernel/ptrace.c
@@ -1471,7 +1471,7 @@ long syscall_trace_enter(struct pt_regs *regs)
                regs->flags |= X86_EFLAGS_TF;
        /* do the secure computing check first */
-        if (secure_computing(regs->orig_ax)) {
+        if (secure_computing()) {
                /* seccomp failures shouldn't expose any additional code. */
                ret = -1L;
                goto out;
diff --git a/arch/x86/kernel/vsyscall_64.c b/arch/x86/kernel/vsyscall_64.c
index e1e1e80fc6a6..957779f4eb40 100644
--- a/arch/x86/kernel/vsyscall_64.c
+++ b/arch/x86/kernel/vsyscall_64.c
@@ -216,7 +216,7 @@ bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)
         */
        regs->orig_ax = syscall_nr;
        regs->ax = -ENOSYS;
-        tmp = secure_computing(syscall_nr);
+        tmp = secure_computing();
        if ((!tmp && regs->orig_ax != syscall_nr) || regs->ip != address) {
                warn_bad_vsyscall(KERN_DEBUG, regs,
                                  "seccomp tried to change syscall nr or ip");
diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h
index 5d586a45a319..aa3c040230be 100644
--- a/include/linux/seccomp.h
+++ b/include/linux/seccomp.h
@@ -27,19 +27,17 @@ struct seccomp {
        struct seccomp_filter *filter;
 };
-extern int __secure_computing(int);
+#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
-static inline int secure_computing(int this_syscall)
+extern int __secure_computing(void);
+static inline int secure_computing(void)
 {
        if (unlikely(test_thread_flag(TIF_SECCOMP)))
-                return  __secure_computing(this_syscall);
+                return  __secure_computing();
        return 0;
 }
+#else
-/* A wrapper for architectures supporting only SECCOMP_MODE_STRICT. */
+extern void secure_computing_strict(int this_syscall);
-static inline void secure_computing_strict(int this_syscall)
+#endif
-{
-        BUG_ON(secure_computing(this_syscall) != 0);
-}
 extern long prctl_get_seccomp(void);
 extern long prctl_set_seccomp(unsigned long, char __user *);
@@ -56,8 +54,11 @@ static inline int seccomp_mode(struct seccomp *s)
 struct seccomp { };
 struct seccomp_filter { };
-static inline int secure_computing(int this_syscall) { return 0; }
+#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
+static inline int secure_computing(void) { return 0; }
+#else
 static inline void secure_computing_strict(int this_syscall) { return; }
+#endif
 static inline long prctl_get_seccomp(void)
 {
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 44eb005c6695..5e738e0dd2e9 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -23,8 +23,11 @@
 /* #define SECCOMP_DEBUG 1 */
-#ifdef CONFIG_SECCOMP_FILTER
+#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
 #include <asm/syscall.h>
+#endif
+#ifdef CONFIG_SECCOMP_FILTER
 #include <linux/filter.h>
 #include <linux/pid.h>
 #include <linux/ptrace.h>
@@ -172,7 +175,7 @@ static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen)
 *
 * Returns valid seccomp BPF response codes.
 */
-static u32 seccomp_run_filters(int syscall)
+static u32 seccomp_run_filters(void)
 {
        struct seccomp_filter *f = ACCESS_ONCE(current->seccomp.filter);
        struct seccomp_data sd;
@@ -564,10 +567,43 @@ static int mode1_syscalls_32[] = {
 };
 #endif
-int __secure_computing(int this_syscall)
+static void __secure_computing_strict(int this_syscall)
+{
+        int *syscall_whitelist = mode1_syscalls;
+#ifdef CONFIG_COMPAT
+        if (is_compat_task())
+                syscall_whitelist = mode1_syscalls_32;
+#endif
+        do {
+                if (*syscall_whitelist == this_syscall)
+                        return;
+        } while (*++syscall_whitelist);
+#ifdef SECCOMP_DEBUG
+        dump_stack();
+#endif
+        audit_seccomp(this_syscall, SIGKILL, SECCOMP_RET_KILL);
+        do_exit(SIGKILL);
+}
+#ifndef CONFIG_HAVE_ARCH_SECCOMP_FILTER
+void secure_computing_strict(int this_syscall)
+{
+        int mode = current->seccomp.mode;
+        if (mode == 0)
+                return;
+        else if (mode == SECCOMP_MODE_STRICT)
+                __secure_computing_strict(this_syscall);
+        else
+                BUG();
+}
+#else
+int __secure_computing(void)
 {
+        struct pt_regs *regs = task_pt_regs(current);
+        int this_syscall = syscall_get_nr(current, regs);
        int exit_sig = 0;
-        int *syscall;
        u32 ret;
        /*
@@ -578,23 +614,12 @@ int __secure_computing(int this_syscall)
        switch (current->seccomp.mode) {
        case SECCOMP_MODE_STRICT:
-                syscall = mode1_syscalls;
+                __secure_computing_strict(this_syscall);
-#ifdef CONFIG_COMPAT
+                return 0;
-                if (is_compat_task())
-                        syscall = mode1_syscalls_32;
-#endif
-                do {
-                        if (*syscall == this_syscall)
-                                return 0;
-                } while (*++syscall);
-                exit_sig = SIGKILL;
-                ret = SECCOMP_RET_KILL;
-                break;
 #ifdef CONFIG_SECCOMP_FILTER
        case SECCOMP_MODE_FILTER: {
                int data;
-                struct pt_regs *regs = task_pt_regs(current);
+                ret = seccomp_run_filters();
-                ret = seccomp_run_filters(this_syscall);
                data = ret & SECCOMP_RET_DATA;
                ret &= SECCOMP_RET_ACTION;
                switch (ret) {
@@ -652,9 +677,10 @@ int __secure_computing(int this_syscall)
 #ifdef CONFIG_SECCOMP_FILTER
 skip:
        audit_seccomp(this_syscall, exit_sig, ret);
-#endif
        return -1;
+#endif
 }
+#endif /* CONFIG_HAVE_ARCH_SECCOMP_FILTER */
 long prctl_get_seccomp(void)
 {
author	Andy Lutomirski <luto@amacapital.net>	2014-07-21 21:49:14 -0400
committer	Kees Cook <keescook@chromium.org>	2014-09-03 17:58:17 -0400
commit	a4412fc9486ec85686c6c7929e7e829f62ae377e (patch)
tree	a267720d880085452257406ecf6f672ec8cbdbf9
parent	70c8038dd698b44daf7c8fc7e2eca142bec694c4 (diff)

diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c index 0c27ed6f3f23..5e772a21ab97 100644 --- a/arch/arm/kernel/ptrace.c +++ b/arch/arm/kernel/ptrace.c
@@ -933,8 +933,13 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
933	current_thread_info()->syscall = scno;	933	current_thread_info()->syscall = scno;
934		934
935	/* Do the secure computing check first; failures should be fast. */	935	/* Do the secure computing check first; failures should be fast. */
936	if (secure_computing(scno) == -1)	936	#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
		937	if (secure_computing() == -1)
937	return -1;	938	return -1;
		939	#else
		940	/* XXX: remove this once OABI gets fixed */
		941	secure_computing_strict(scno);
		942	#endif
938		943
939	if (test_thread_flag(TIF_SYSCALL_TRACE))	944	if (test_thread_flag(TIF_SYSCALL_TRACE))
940	tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);	945	tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);


diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c index 645b3c4fcfba..f7aac5b57b4b 100644 --- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c
@@ -770,7 +770,7 @@ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall)
770	long ret = 0;	770	long ret = 0;
771	user_exit();	771	user_exit();
772		772
773	if (secure_computing(syscall) == -1)	773	if (secure_computing() == -1)
774	return -1;	774	return -1;
775		775
776	if (test_thread_flag(TIF_SYSCALL_TRACE) &&	776	if (test_thread_flag(TIF_SYSCALL_TRACE) &&


diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c index 5dc7ad9e2fbf..bebacad48305 100644 --- a/arch/s390/kernel/ptrace.c +++ b/arch/s390/kernel/ptrace.c
@@ -803,7 +803,7 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs)
803	long ret = 0;	803	long ret = 0;
804		804
805	/* Do the secure computing check first. */	805	/* Do the secure computing check first. */
806	if (secure_computing(regs->gprs[2])) {	806	if (secure_computing()) {
807	/* seccomp failures shouldn't expose any additional code. */	807	/* seccomp failures shouldn't expose any additional code. */
808	ret = -1;	808	ret = -1;
809	goto out;	809	goto out;


diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c index 678c0ada3b3c..93c182a00506 100644 --- a/arch/x86/kernel/ptrace.c +++ b/arch/x86/kernel/ptrace.c
@@ -1471,7 +1471,7 @@ long syscall_trace_enter(struct pt_regs *regs)
1471	regs->flags \|= X86_EFLAGS_TF;	1471	regs->flags \|= X86_EFLAGS_TF;
1472		1472
1473	/* do the secure computing check first */	1473	/* do the secure computing check first */
1474	if (secure_computing(regs->orig_ax)) {	1474	if (secure_computing()) {
1475	/* seccomp failures shouldn't expose any additional code. */	1475	/* seccomp failures shouldn't expose any additional code. */
1476	ret = -1L;	1476	ret = -1L;
1477	goto out;	1477	goto out;


diff --git a/arch/x86/kernel/vsyscall_64.c b/arch/x86/kernel/vsyscall_64.c index e1e1e80fc6a6..957779f4eb40 100644 --- a/arch/x86/kernel/vsyscall_64.c +++ b/arch/x86/kernel/vsyscall_64.c
@@ -216,7 +216,7 @@ bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)
216	*/	216	*/
217	regs->orig_ax = syscall_nr;	217	regs->orig_ax = syscall_nr;
218	regs->ax = -ENOSYS;	218	regs->ax = -ENOSYS;
219	tmp = secure_computing(syscall_nr);	219	tmp = secure_computing();
220	if ((!tmp && regs->orig_ax != syscall_nr) \|\| regs->ip != address) {	220	if ((!tmp && regs->orig_ax != syscall_nr) \|\| regs->ip != address) {
221	warn_bad_vsyscall(KERN_DEBUG, regs,	221	warn_bad_vsyscall(KERN_DEBUG, regs,
222	"seccomp tried to change syscall nr or ip");	222	"seccomp tried to change syscall nr or ip");


diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index 5d586a45a319..aa3c040230be 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h
@@ -27,19 +27,17 @@ struct seccomp {
27	struct seccomp_filter *filter;	27	struct seccomp_filter *filter;
28	};	28	};
29		29
30	extern int __secure_computing(int);	30	#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
31	static inline int secure_computing(int this_syscall)	31	extern int __secure_computing(void);
		32	static inline int secure_computing(void)
32	{	33	{
33	if (unlikely(test_thread_flag(TIF_SECCOMP)))	34	if (unlikely(test_thread_flag(TIF_SECCOMP)))
34	return __secure_computing(this_syscall);	35	return __secure_computing();
35	return 0;	36	return 0;
36	}	37	}
37		38	#else
38	/* A wrapper for architectures supporting only SECCOMP_MODE_STRICT. */	39	extern void secure_computing_strict(int this_syscall);
39	static inline void secure_computing_strict(int this_syscall)	40	#endif
40	{
41	BUG_ON(secure_computing(this_syscall) != 0);
42	}
43		41
44	extern long prctl_get_seccomp(void);	42	extern long prctl_get_seccomp(void);
45	extern long prctl_set_seccomp(unsigned long, char __user *);	43	extern long prctl_set_seccomp(unsigned long, char __user *);
@@ -56,8 +54,11 @@ static inline int seccomp_mode(struct seccomp *s)
56	struct seccomp { };	54	struct seccomp { };
57	struct seccomp_filter { };	55	struct seccomp_filter { };
58		56
59	static inline int secure_computing(int this_syscall) { return 0; }	57	#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
		58	static inline int secure_computing(void) { return 0; }
		59	#else
60	static inline void secure_computing_strict(int this_syscall) { return; }	60	static inline void secure_computing_strict(int this_syscall) { return; }
		61	#endif
61		62
62	static inline long prctl_get_seccomp(void)	63	static inline long prctl_get_seccomp(void)
63	{	64	{


diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 44eb005c6695..5e738e0dd2e9 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c
@@ -23,8 +23,11 @@
23		23
24	/* #define SECCOMP_DEBUG 1 */	24	/* #define SECCOMP_DEBUG 1 */
25		25
26	#ifdef CONFIG_SECCOMP_FILTER	26	#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
27	#include <asm/syscall.h>	27	#include <asm/syscall.h>
		28	#endif
		29
		30	#ifdef CONFIG_SECCOMP_FILTER
28	#include <linux/filter.h>	31	#include <linux/filter.h>
29	#include <linux/pid.h>	32	#include <linux/pid.h>
30	#include <linux/ptrace.h>	33	#include <linux/ptrace.h>
@@ -172,7 +175,7 @@ static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen)
172	*	175	*
173	* Returns valid seccomp BPF response codes.	176	* Returns valid seccomp BPF response codes.
174	*/	177	*/
175	static u32 seccomp_run_filters(int syscall)	178	static u32 seccomp_run_filters(void)
176	{	179	{
177	struct seccomp_filter *f = ACCESS_ONCE(current->seccomp.filter);	180	struct seccomp_filter *f = ACCESS_ONCE(current->seccomp.filter);
178	struct seccomp_data sd;	181	struct seccomp_data sd;
@@ -564,10 +567,43 @@ static int mode1_syscalls_32[] = {
564	};	567	};
565	#endif	568	#endif
566		569
567	int __secure_computing(int this_syscall)	570	static void __secure_computing_strict(int this_syscall)
		571	{
		572	int *syscall_whitelist = mode1_syscalls;
		573	#ifdef CONFIG_COMPAT
		574	if (is_compat_task())
		575	syscall_whitelist = mode1_syscalls_32;
		576	#endif
		577	do {
		578	if (*syscall_whitelist == this_syscall)
		579	return;
		580	} while (*++syscall_whitelist);
		581
		582	#ifdef SECCOMP_DEBUG
		583	dump_stack();
		584	#endif
		585	audit_seccomp(this_syscall, SIGKILL, SECCOMP_RET_KILL);
		586	do_exit(SIGKILL);
		587	}
		588
		589	#ifndef CONFIG_HAVE_ARCH_SECCOMP_FILTER
		590	void secure_computing_strict(int this_syscall)
		591	{
		592	int mode = current->seccomp.mode;
		593
		594	if (mode == 0)
		595	return;
		596	else if (mode == SECCOMP_MODE_STRICT)
		597	__secure_computing_strict(this_syscall);
		598	else
		599	BUG();
		600	}
		601	#else
		602	int __secure_computing(void)
568	{	603	{
		604	struct pt_regs *regs = task_pt_regs(current);
		605	int this_syscall = syscall_get_nr(current, regs);
569	int exit_sig = 0;	606	int exit_sig = 0;
570	int *syscall;
571	u32 ret;	607	u32 ret;
572		608
573	/*	609	/*
@@ -578,23 +614,12 @@ int __secure_computing(int this_syscall)
578		614
579	switch (current->seccomp.mode) {	615	switch (current->seccomp.mode) {
580	case SECCOMP_MODE_STRICT:	616	case SECCOMP_MODE_STRICT:
581	syscall = mode1_syscalls;	617	__secure_computing_strict(this_syscall);
582	#ifdef CONFIG_COMPAT	618	return 0;
583	if (is_compat_task())
584	syscall = mode1_syscalls_32;
585	#endif
586	do {
587	if (*syscall == this_syscall)
588	return 0;
589	} while (*++syscall);
590	exit_sig = SIGKILL;
591	ret = SECCOMP_RET_KILL;
592	break;
593	#ifdef CONFIG_SECCOMP_FILTER	619	#ifdef CONFIG_SECCOMP_FILTER
594	case SECCOMP_MODE_FILTER: {	620	case SECCOMP_MODE_FILTER: {
595	int data;	621	int data;
596	struct pt_regs *regs = task_pt_regs(current);	622	ret = seccomp_run_filters();
597	ret = seccomp_run_filters(this_syscall);
598	data = ret & SECCOMP_RET_DATA;	623	data = ret & SECCOMP_RET_DATA;
599	ret &= SECCOMP_RET_ACTION;	624	ret &= SECCOMP_RET_ACTION;
600	switch (ret) {	625	switch (ret) {
@@ -652,9 +677,10 @@ int __secure_computing(int this_syscall)
652	#ifdef CONFIG_SECCOMP_FILTER	677	#ifdef CONFIG_SECCOMP_FILTER
653	skip:	678	skip:
654	audit_seccomp(this_syscall, exit_sig, ret);	679	audit_seccomp(this_syscall, exit_sig, ret);
655	#endif
656	return -1;	680	return -1;
		681	#endif
657	}	682	}
		683	#endif /* CONFIG_HAVE_ARCH_SECCOMP_FILTER */
658		684
659	long prctl_get_seccomp(void)	685	long prctl_get_seccomp(void)
660	{	686	{