seccomp: add SECCOMP_RET_ERRNO

This change adds the SECCOMP_RET_ERRNO as a valid return value from a seccomp filter. Additionally, it makes the first use of the lower 16-bits for storing a filter-supplied errno. 16-bits is more than enough for the errno-base.h calls. Returning errors instead of immediately terminating processes that violate seccomp policy allow for broader use of this functionality for kernel attack surface reduction. For example, a linux container could maintain a whitelist of pre-existing system calls but drop all new ones with errnos. This would keep a logically static attack surface while providing errnos that may allow for graceful failure without the downside of do_exit() on a bad call. This change also changes the signature of __secure_computing. It appears the only direct caller is the arm entry code and it clobbers any possible return value (register) immediately. Signed-off-by: Will Drewry <wad@chromium.org> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Reviewed-by: Kees Cook <keescook@chromium.org> Acked-by: Eric Paris <eparis@redhat.com> v18: - fix up comments and rebase - fix bad var name which was fixed in later revs - remove _int() and just change the __secure_computing signature v16-v17: ... v15: - use audit_seccomp and add a skip label. (eparis@redhat.com) - clean up and pad out return codes (indan@nul.nu) v14: - no change/rebase v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc v12: - move to WARN_ON if filter is NULL (oleg@redhat.com, luto@mit.edu, keescook@chromium.org) - return immediately for filter==NULL (keescook@chromium.org) - change evaluation to only compare the ACTION so that layered errnos don't result in the lowest one being returned. (keeschook@chromium.org) v11: - check for NULL filter (keescook@chromium.org) v10: - change loaders to fn v9: - n/a v8: - update Kconfig to note new need for syscall_set_return_value. - reordered such that TRAP behavior follows on later. - made the for loop a little less indent-y v7: - introduced Signed-off-by: James Morris <james.l.morris@oracle.com>
author: Will Drewry <wad@chromium.org> 2012-04-12 17:47:59 -0400
committer: James Morris <james.l.morris@oracle.com> 2012-04-13 21:13:21 -0400
commit: acf3b2c71ed20c53dc69826683417703c2a88059 (patch)
tree: 99ced75da46a0ab7953f0c173dd885c09f570fc0 /include/linux/seccomp.h
parent: 3dc1c1b2d2ed7507ce8a379814ad75745ff97ebe (diff)
1 files changed, 6 insertions, 4 deletions
diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h
index 86bb68fc7683..b4ce2c816e06 100644
--- a/include/linux/seccomp.h
+++ b/include/linux/seccomp.h
@@ -12,13 +12,14 @@
 /*
 * All BPF programs must return a 32-bit value.
- * The bottom 16-bits are reserved for future use.
+ * The bottom 16-bits are for optional return data.
 * The upper 16-bits are ordered from least permissive values to most.
 *
 * The ordering ensures that a min_t() over composed return values always
 * selects the least permissive choice.
 */
 #define SECCOMP_RET_KILL        0x00000000U /* kill the task immediately */
+#define SECCOMP_RET_ERRNO       0x00050000U /* returns an errno */
 #define SECCOMP_RET_ALLOW       0x7fff0000U /* allow */
 /* Masks for the return value sections. */
@@ -64,11 +65,12 @@ struct seccomp {
        struct seccomp_filter *filter;
 };
-extern void __secure_computing(int);
+extern int __secure_computing(int);
-static inline void secure_computing(int this_syscall)
+static inline int secure_computing(int this_syscall)
 {
        if (unlikely(test_thread_flag(TIF_SECCOMP)))
-                __secure_computing(this_syscall);
+                return  __secure_computing(this_syscall);
+        return 0;
 }
 extern long prctl_get_seccomp(void);
author	Will Drewry <wad@chromium.org>	2012-04-12 17:47:59 -0400
committer	James Morris <james.l.morris@oracle.com>	2012-04-13 21:13:21 -0400
commit	acf3b2c71ed20c53dc69826683417703c2a88059 (patch)
tree	99ced75da46a0ab7953f0c173dd885c09f570fc0 /include/linux/seccomp.h
parent	3dc1c1b2d2ed7507ce8a379814ad75745ff97ebe (diff)