author    Will Drewry <wad@chromium.org>    2012-04-12 17:47:59 -0400
committer James Morris <james.l.morris@oracle.com>    2012-04-13 21:13:21 -0400
commit    acf3b2c71ed20c53dc69826683417703c2a88059 (patch)
tree      99ced75da46a0ab7953f0c173dd885c09f570fc0 /arch/Kconfig
parent    3dc1c1b2d2ed7507ce8a379814ad75745ff97ebe (diff)
seccomp: add SECCOMP_RET_ERRNO
This change adds the SECCOMP_RET_ERRNO as a valid return value from a
seccomp filter. Additionally, it makes the first use of the lower
16-bits for storing a filter-supplied errno. 16-bits is more than
enough for the errno-base.h calls.

Returning errors instead of immediately terminating processes that
violate seccomp policy allows for broader use of this functionality
for kernel attack surface reduction. For example, a linux container
could maintain a whitelist of pre-existing system calls but drop all
new ones with errnos. This would keep a logically static attack
surface while providing errnos that may allow for graceful failure
without the downside of do_exit() on a bad call.

This change also changes the signature of __secure_computing. It
appears the only direct caller is the arm entry code and it clobbers
any possible return value (register) immediately.

Signed-off-by: Will Drewry <wad@chromium.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Eric Paris <eparis@redhat.com>

v18: - fix up comments and rebase
     - fix bad var name which was fixed in later revs
     - remove _int() and just change the __secure_computing signature
v16-v17: ...
v15: - use audit_seccomp and add a skip label. (eparis@redhat.com)
     - clean up and pad out return codes (indan@nul.nu)
v14: - no change/rebase
v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
v12: - move to WARN_ON if filter is NULL (oleg@redhat.com, luto@mit.edu,
       keescook@chromium.org)
     - return immediately for filter==NULL (keescook@chromium.org)
     - change evaluation to only compare the ACTION so that layered
       errnos don't result in the lowest one being returned.
       (keeschook@chromium.org)
v11: - check for NULL filter (keescook@chromium.org)
v10: - change loaders to fn
 v9: - n/a
 v8: - update Kconfig to note new need for syscall_set_return_value.
     - reordered such that TRAP behavior follows on later.
     - made the for loop a little less indent-y
 v7: - introduced

Signed-off-by: James Morris <james.l.morris@oracle.com>
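The following is an added example, not part of this patch or of the kernel tree, written to illustrate the user-space side of what the commit message describes: how a filter packs an errno into the low 16 data bits of a SECCOMP_RET_ERRNO return value, how stacked filters are resolved by comparing only the ACTION bits (the v12 change, so two ERRNO results do not collapse to the numerically smaller errno), and how a filter that fails one syscall with an errno instead of killing the task is installed. It assumes a Linux kernel built with seccomp filter support; the SECCOMP_RET_* values match the kernel UAPI header and are defined here only when the system headers do not provide them. The choice of getpgid() as the filtered call and the helper names are this example's own.

```c
/* Added example (not from the patch or the kernel tree). Assumes Linux with
 * CONFIG_SECCOMP_FILTER; the install path is only reached from main(). */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#endif

/* Values as in uapi/linux/seccomp.h; defined only if the headers lack them. */
#ifndef SECCOMP_RET_KILL
#define SECCOMP_RET_KILL   0x00000000U
#endif
#ifndef SECCOMP_RET_TRAP
#define SECCOMP_RET_TRAP   0x00030000U
#endif
#ifndef SECCOMP_RET_ERRNO
#define SECCOMP_RET_ERRNO  0x00050000U
#endif
#ifndef SECCOMP_RET_ALLOW
#define SECCOMP_RET_ALLOW  0x7fff0000U
#endif
#ifndef SECCOMP_RET_ACTION
#define SECCOMP_RET_ACTION 0x7fff0000U /* mask for the action bits */
#endif
#ifndef SECCOMP_RET_DATA
#define SECCOMP_RET_DATA   0x0000ffffU /* mask for the 16 data bits */
#endif

/* "Fail with errno err": action in the high bits, errno in the low 16. */
uint32_t seccomp_errno_ret(int err)
{
    return SECCOMP_RET_ERRNO | ((uint32_t)err & SECCOMP_RET_DATA);
}
uint32_t seccomp_ret_action(uint32_t ret) { return ret & SECCOMP_RET_ACTION; }
int seccomp_ret_errno(uint32_t ret) { return (int)(ret & SECCOMP_RET_DATA); }

/* Resolve stacked filter results given in the kernel's walk order (most
 * recently installed first). Only the ACTION bits are compared, so the
 * smallest action code wins (KILL < TRAP < ERRNO < ALLOW) and keeps its own
 * data bits; on equal actions the earlier result is kept. */
uint32_t seccomp_resolve(const uint32_t *rets, size_t n)
{
    uint32_t ret = SECCOMP_RET_ALLOW;
    for (size_t i = 0; i < n; i++)
        if (seccomp_ret_action(rets[i]) < seccomp_ret_action(ret))
            ret = rets[i];
    return ret;
}

#ifdef __linux__
#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#endif

/* Fail syscall `nr` with `err`, allow everything else. The arch check keeps
 * a filter written for one ABI from being sidestepped through another. */
int install_errno_filter(int nr, int err)
{
    struct sock_filter insns[] = {
#ifdef THIS_ARCH
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
#endif
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, seccomp_errno_ret(err)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(insns) / sizeof(insns[0])),
        .filter = insns,
    };
    /* no_new_privs is required before an unprivileged task may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    /* getpgid() normally succeeds, so the errno path is easy to observe. */
    if (install_errno_filter(SYS_getpgid, ENOSYS) != 0) {
        perror("install_errno_filter");
        return 1;
    }
    errno = 0;
    long rc = syscall(SYS_getpgid, 0);
    /* The task survives; the call fails with the errno carried in the data bits. */
    printf("getpgid -> %ld, errno=%d (%s)\n", rc, errno, strerror(errno));
    return (rc == -1 && errno == ENOSYS) ? 0 : 1;
}
#endif
```

seccomp_resolve() mirrors the rule the v12 entry describes: with an ENOSYS result ahead of an EPERM result in the walk order, the ENOSYS one is returned even though EPERM is the smaller number, because only the action bits are compared.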
Diffstat (limited to 'arch/Kconfig')
-rw-r--r--  arch/Kconfig  6
1 file changed, 4 insertions, 2 deletions
diff --git a/arch/Kconfig b/arch/Kconfig
index 91c2c730fc1a..beaab68c13b7 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -220,8 +220,10 @@ config HAVE_ARCH_SECCOMP_FILTER
220 bool 220 bool
221 help 221 help
222 This symbol should be selected by an architecure if it provides 222 This symbol should be selected by an architecure if it provides
223 asm/syscall.h, specifically syscall_get_arguments() and 223 asm/syscall.h, specifically syscall_get_arguments(),
224 syscall_get_arch(). 224 syscall_get_arch(), and syscall_set_return_value(). Additionally,
225 its system call entry path must respect a return value of -1 from
226 __secure_computing() and/or secure_computing().
225 227
226config SECCOMP_FILTER 228config SECCOMP_FILTER
227 def_bool y 229 def_bool y
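Review bot: the new help text tells an arch porter that the entry path "must respect a return value of -1 from __secure_computing() and/or secure_computing()" but not what respecting it entails (whether the call is skipped, and how the value stored with the newly required syscall_set_return_value() reaches the caller), so one sentence stating that contract here would spare a trip into kernel/seccomp.c; while this paragraph is being edited, the pre-existing typo in the unchanged context line "selected by an architecure if it provides" could be corrected to "architecture".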