2 files changed, 34 insertions, 0 deletions
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index c3391b6020e8..1dfa8a509726 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -10,6 +10,7 @@
 #include <linux/sched.h>
 /* #define SECCOMP_DEBUG 1 */
+#define NR_SECCOMP_MODES 1
 /*
 * Secure computing mode 1 allows only read/write/exit/sigreturn.
@@ -54,3 +55,28 @@ void __secure_computing(int this_syscall)
 #endif
        do_exit(SIGKILL);
 }
+long prctl_get_seccomp(void)
+{
+        return current->seccomp.mode;
+}
+long prctl_set_seccomp(unsigned long seccomp_mode)
+{
+        long ret;
+        /* can set it only once to be even more secure */
+        ret = -EPERM;
+        if (unlikely(current->seccomp.mode))
+                goto out;
+        ret = -EINVAL;
+        if (seccomp_mode && seccomp_mode <= NR_SECCOMP_MODES) {
+                current->seccomp.mode = seccomp_mode;
+                set_thread_flag(TIF_SECCOMP);
+                ret = 0;
+        }
+ out:
+        return ret;
+}
diff --git a/kernel/sys.c b/kernel/sys.c
index ed92e2f03342..4d141ae3e802 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -31,6 +31,7 @@
 #include <linux/cn_proc.h>
 #include <linux/getcpu.h>
 #include <linux/task_io_accounting_ops.h>
+#include <linux/seccomp.h>
 #include <linux/compat.h>
 #include <linux/syscalls.h>
@@ -2242,6 +2243,13 @@ asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3,
                        error = SET_ENDIAN(current, arg2);
                        break;
+                case PR_GET_SECCOMP:
+                        error = prctl_get_seccomp();
+                        break;
+                case PR_SET_SECCOMP:
+                        error = prctl_set_seccomp(arg2);
+                        break;
                default:
                        error = -EINVAL;
                        break;

diff --git a/kernel/seccomp.c b/kernel/seccomp.c index c3391b6020e8..1dfa8a509726 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c
@@ -10,6 +10,7 @@
10	#include <linux/sched.h>	10	#include <linux/sched.h>
11		11
12	/* #define SECCOMP_DEBUG 1 */	12	/* #define SECCOMP_DEBUG 1 */
		13	#define NR_SECCOMP_MODES 1
13		14
14	/*	15	/*
15	* Secure computing mode 1 allows only read/write/exit/sigreturn.	16	* Secure computing mode 1 allows only read/write/exit/sigreturn.
@@ -54,3 +55,28 @@ void __secure_computing(int this_syscall)
54	#endif	55	#endif
55	do_exit(SIGKILL);	56	do_exit(SIGKILL);
56	}	57	}
		58
		59	long prctl_get_seccomp(void)
		60	{
		61	return current->seccomp.mode;
		62	}
		63
		64	long prctl_set_seccomp(unsigned long seccomp_mode)
		65	{
		66	long ret;
		67
		68	/* can set it only once to be even more secure */
		69	ret = -EPERM;
		70	if (unlikely(current->seccomp.mode))
		71	goto out;
		72
		73	ret = -EINVAL;
		74	if (seccomp_mode && seccomp_mode <= NR_SECCOMP_MODES) {
		75	current->seccomp.mode = seccomp_mode;
		76	set_thread_flag(TIF_SECCOMP);
		77	ret = 0;
		78	}
		79
		80	out:
		81	return ret;
		82	}


diff --git a/kernel/sys.c b/kernel/sys.c index ed92e2f03342..4d141ae3e802 100644 --- a/kernel/sys.c +++ b/kernel/sys.c
@@ -31,6 +31,7 @@
31	#include <linux/cn_proc.h>	31	#include <linux/cn_proc.h>
32	#include <linux/getcpu.h>	32	#include <linux/getcpu.h>
33	#include <linux/task_io_accounting_ops.h>	33	#include <linux/task_io_accounting_ops.h>
		34	#include <linux/seccomp.h>
34		35
35	#include <linux/compat.h>	36	#include <linux/compat.h>
36	#include <linux/syscalls.h>	37	#include <linux/syscalls.h>
@@ -2242,6 +2243,13 @@ asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3,
2242	error = SET_ENDIAN(current, arg2);	2243	error = SET_ENDIAN(current, arg2);
2243	break;	2244	break;
2244		2245
		2246	case PR_GET_SECCOMP:
		2247	error = prctl_get_seccomp();
		2248	break;
		2249	case PR_SET_SECCOMP:
		2250	error = prctl_set_seccomp(arg2);
		2251	break;
		2252
2245	default:	2253	default:
2246	error = -EINVAL;	2254	error = -EINVAL;
2247	break;	2255	break;