seccomp,x86,arm,mips,s390: Remove nr parameter from secure_computing

The secure_computing function took a syscall number parameter, but it only paid any attention to that parameter if seccomp mode 1 was enabled. Rather than coming up with a kludge to get the parameter to work in mode 2, just remove the parameter. To avoid churn in arches that don't have seccomp filters (and may not even support syscall_get_nr right now), this leaves the parameter in secure_computing_strict, which is now a real function. For ARM, this is a bit ugly due to the fact that ARM conditionally supports seccomp filters. Fixing that would probably only be a couple of lines of code, but it should be coordinated with the audit maintainers. This will be a slight slowdown on some arches. The right fix is to pass in all of seccomp_data instead of trying to make just the syscall nr part be fast. This is a prerequisite for making two-phase seccomp work cleanly. Cc: Russell King <linux@arm.linux.org.uk> Cc: linux-arm-kernel@lists.infradead.org Cc: Ralf Baechle <ralf@linux-mips.org> Cc: linux-mips@linux-mips.org Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: Heiko Carstens <heiko.carstens@de.ibm.com> Cc: linux-s390@vger.kernel.org Cc: x86@kernel.org Cc: Kees Cook <keescook@chromium.org> Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Kees Cook <keescook@chromium.org>
author: Andy Lutomirski <luto@amacapital.net> 2014-07-21 21:49:14 -0400
committer: Kees Cook <keescook@chromium.org> 2014-09-03 17:58:17 -0400
commit: a4412fc9486ec85686c6c7929e7e829f62ae377e (patch)
tree: a267720d880085452257406ecf6f672ec8cbdbf9 /kernel
parent: 70c8038dd698b44daf7c8fc7e2eca142bec694c4 (diff)
1 files changed, 45 insertions, 19 deletions
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 44eb005c6695..5e738e0dd2e9 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -23,8 +23,11 @@
 /* #define SECCOMP_DEBUG 1 */
-#ifdef CONFIG_SECCOMP_FILTER
+#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
 #include <asm/syscall.h>
+#endif
+#ifdef CONFIG_SECCOMP_FILTER
 #include <linux/filter.h>
 #include <linux/pid.h>
 #include <linux/ptrace.h>
@@ -172,7 +175,7 @@ static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen)
 *
 * Returns valid seccomp BPF response codes.
 */
-static u32 seccomp_run_filters(int syscall)
+static u32 seccomp_run_filters(void)
 {
        struct seccomp_filter *f = ACCESS_ONCE(current->seccomp.filter);
        struct seccomp_data sd;
@@ -564,10 +567,43 @@ static int mode1_syscalls_32[] = {
 };
 #endif
-int __secure_computing(int this_syscall)
+static void __secure_computing_strict(int this_syscall)
+{
+        int *syscall_whitelist = mode1_syscalls;
+#ifdef CONFIG_COMPAT
+        if (is_compat_task())
+                syscall_whitelist = mode1_syscalls_32;
+#endif
+        do {
+                if (*syscall_whitelist == this_syscall)
+                        return;
+        } while (*++syscall_whitelist);
+#ifdef SECCOMP_DEBUG
+        dump_stack();
+#endif
+        audit_seccomp(this_syscall, SIGKILL, SECCOMP_RET_KILL);
+        do_exit(SIGKILL);
+}
+#ifndef CONFIG_HAVE_ARCH_SECCOMP_FILTER
+void secure_computing_strict(int this_syscall)
+{
+        int mode = current->seccomp.mode;
+        if (mode == 0)
+                return;
+        else if (mode == SECCOMP_MODE_STRICT)
+                __secure_computing_strict(this_syscall);
+        else
+                BUG();
+}
+#else
+int __secure_computing(void)
 {
+        struct pt_regs *regs = task_pt_regs(current);
+        int this_syscall = syscall_get_nr(current, regs);
        int exit_sig = 0;
-        int *syscall;
        u32 ret;
        /*
@@ -578,23 +614,12 @@ int __secure_computing(int this_syscall)
        switch (current->seccomp.mode) {
        case SECCOMP_MODE_STRICT:
-                syscall = mode1_syscalls;
+                __secure_computing_strict(this_syscall);
-#ifdef CONFIG_COMPAT
+                return 0;
-                if (is_compat_task())
-                        syscall = mode1_syscalls_32;
-#endif
-                do {
-                        if (*syscall == this_syscall)
-                                return 0;
-                } while (*++syscall);
-                exit_sig = SIGKILL;
-                ret = SECCOMP_RET_KILL;
-                break;
 #ifdef CONFIG_SECCOMP_FILTER
        case SECCOMP_MODE_FILTER: {
                int data;
-                struct pt_regs *regs = task_pt_regs(current);
+                ret = seccomp_run_filters();
-                ret = seccomp_run_filters(this_syscall);
                data = ret & SECCOMP_RET_DATA;
                ret &= SECCOMP_RET_ACTION;
                switch (ret) {
@@ -652,9 +677,10 @@ int __secure_computing(int this_syscall)
 #ifdef CONFIG_SECCOMP_FILTER
 skip:
        audit_seccomp(this_syscall, exit_sig, ret);
-#endif
        return -1;
+#endif
 }
+#endif /* CONFIG_HAVE_ARCH_SECCOMP_FILTER */
 long prctl_get_seccomp(void)
 {
author	Andy Lutomirski <luto@amacapital.net>	2014-07-21 21:49:14 -0400
committer	Kees Cook <keescook@chromium.org>	2014-09-03 17:58:17 -0400
commit	a4412fc9486ec85686c6c7929e7e829f62ae377e (patch)
tree	a267720d880085452257406ecf6f672ec8cbdbf9 /kernel
parent	70c8038dd698b44daf7c8fc7e2eca142bec694c4 (diff)