From patchwork Thu Aug 21 08:56:45 2014
From: AKASHI Takahiro
To: keescook@chromium.org, catalin.marinas@arm.com, will.deacon@arm.com
Cc: dsaxena@linaro.org, arndb@arndb.de, linux-arm-kernel@lists.infradead.org, linaro-kernel@lists.linaro.org, linux-kernel@vger.kernel.org, AKASHI Takahiro
Subject: [PATCH v6 6/6] arm64: add seccomp support
Date: Thu, 21 Aug 2014 17:56:45 +0900
Message-Id: <1408611405-8943-7-git-send-email-takahiro.akashi@linaro.org>
In-Reply-To: <1408611405-8943-1-git-send-email-takahiro.akashi@linaro.org>
References: <1408611405-8943-1-git-send-email-takahiro.akashi@linaro.org>

secure_computing() is called first in syscall_trace_enter() so that a system call will be aborted quickly, without doing the succeeding syscall tracing, contrary to other cases, if seccomp rules deny that system call.

On a compat task, syscall numbers for system calls allowed in seccomp mode 1 are different from those on normal tasks, and so the __NR_seccomp_xxx_32's need to be redefined.

Signed-off-by: AKASHI Takahiro
---
 arch/arm64/Kconfig               | 14 ++++++++++++++
 arch/arm64/include/asm/ptrace.h  |  1 +
 arch/arm64/include/asm/seccomp.h | 25 +++++++++++++++++++++++++
 arch/arm64/include/asm/unistd.h  |  3 +++
 arch/arm64/kernel/entry.S        |  2 ++
 arch/arm64/kernel/ptrace.c       |  5 +++++
 6 files changed, 50 insertions(+)
 create mode 100644 arch/arm64/include/asm/seccomp.h
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index fd4e81a..d6dc436 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -34,6 +34,7 @@ config ARM64 select HAVE_ARCH_AUDITSYSCALL select HAVE_ARCH_JUMP_LABEL select HAVE_ARCH_KGDB + select HAVE_ARCH_SECCOMP_FILTER select HAVE_ARCH_TRACEHOOK select HAVE_C_RECORDMCOUNT select HAVE_CC_STACKPROTECTOR @@ -312,6 +313,19 @@ config ARCH_HAS_CACHE_LINE_SIZE source "mm/Kconfig" +config SECCOMP + bool "Enable seccomp to safely compute untrusted bytecode" + ---help--- + This kernel feature is useful for number crunching applications + that may need to compute untrusted bytecode during their + execution. By using pipes or other transports made available to + the process as file descriptors supporting the read/write + syscalls, it's possible to isolate those applications in + their own address space using seccomp. Once seccomp is + enabled via prctl(PR_SET_SECCOMP), it cannot be disabled + and the task is only allowed to execute a few safe syscalls + defined by each seccomp mode. + config XEN_DOM0 def_bool y depends on XEN diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h index a58cf62..a844d06 100644 --- a/arch/arm64/include/asm/ptrace.h +++ b/arch/arm64/include/asm/ptrace.h @@ -71,6 +71,7 @@ * with ptrace(PTRACE_SET_SYSCALL) */ #define RET_SKIP_SYSCALL -1 +#define RET_SKIP_SYSCALL_TRACE -2 #define IS_SKIP_SYSCALL(no) ((int)(no & 0xffffffff) == -1) #ifndef __ASSEMBLY__ diff --git a/arch/arm64/include/asm/seccomp.h b/arch/arm64/include/asm/seccomp.h new file mode 100644 index 0000000..c76fac9 --- /dev/null +++ b/arch/arm64/include/asm/seccomp.h 
@@ -0,0 +1,25 @@ +/* + * arch/arm64/include/asm/seccomp.h + * + * Copyright (C) 2014 Linaro Limited + * Author: AKASHI Takahiro + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ +#ifndef _ASM_SECCOMP_H +#define _ASM_SECCOMP_H + +#include + +#ifdef CONFIG_COMPAT +#define __NR_seccomp_read_32 __NR_compat_read +#define __NR_seccomp_write_32 __NR_compat_write +#define __NR_seccomp_exit_32 __NR_compat_exit +#define __NR_seccomp_sigreturn_32 __NR_compat_rt_sigreturn +#endif /* CONFIG_COMPAT */ + +#include + +#endif /* _ASM_SECCOMP_H */ diff --git a/arch/arm64/include/asm/unistd.h b/arch/arm64/include/asm/unistd.h index cf6ee31..7c73059 100644 --- a/arch/arm64/include/asm/unistd.h +++ b/arch/arm64/include/asm/unistd.h @@ -31,6 +31,9 @@ * Compat syscall numbers used by the AArch64 kernel. */ #define __NR_compat_restart_syscall 0 +#define __NR_compat_exit 1 +#define __NR_compat_read 3 +#define __NR_compat_write 4 #define __NR_compat_sigreturn 119 #define __NR_compat_rt_sigreturn 173 diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S index fdd6eae..d5eb447 100644 --- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S @@ -672,6 +672,8 @@ ENDPROC(el0_svc) __sys_trace: mov x0, sp bl syscall_trace_enter + cmp w0, #RET_SKIP_SYSCALL_TRACE // skip syscall and tracing? + b.eq ret_to_user cmp w0, #RET_SKIP_SYSCALL // skip syscall? b.eq __sys_trace_return_skipped adr lr, __sys_trace_return // return address diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index c54dbcc..4287d68 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -27,6 +27,7 @@ #include #include #include +#include #include #include #include 
@@ -1123,6 +1124,10 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs) { unsigned int saved_syscallno = regs->syscallno; + /* Do the secure computing check first; failures should be fast. */ + if (secure_computing(regs->syscallno) == -1) + return RET_SKIP_SYSCALL_TRACE; + if (test_thread_flag(TIF_SYSCALL_TRACE)) tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
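Review bot: in the arch/arm64/Kconfig hunk, the help text for the new SECCOMP symbol is the legacy wording about "number crunching applications" computing "untrusted bytecode", which describes neither this port nor the BPF filter mode that HAVE_ARCH_SECCOMP_FILTER enables a few lines earlier in the same file; a short help text saying that seccomp restricts the system calls a task may issue (strict mode or a BPF filter selected via prctl(PR_SET_SECCOMP)) and cannot be turned off once enabled would be more accurate.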
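Review bot: in the arch/arm64/include/asm/ptrace.h hunk, RET_SKIP_SYSCALL_TRACE (-2) lands directly under the comment that documents RET_SKIP_SYSCALL as the value a tracer sets "with ptrace(PTRACE_SET_SYSCALL)", while IS_SKIP_SYSCALL() still recognises only -1; add a comment stating that -2 is only ever a return value of syscall_trace_enter() and is never written into regs->syscallno, so nobody expects IS_SKIP_SYSCALL() to match it.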
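Review bot: in the new arch/arm64/include/asm/seccomp.h, __NR_seccomp_sigreturn_32 is mapped to __NR_compat_rt_sigreturn (173) although the unistd.h hunk shows that __NR_compat_sigreturn (119) exists as well; a one-line comment on why rt_sigreturn is the one that strict mode must allow for compat tasks would save the next reader the lookup. Note also that the two #include lines show no header names in this rendering of the hunk, so the dependency on the __NR_compat_* definitions cannot be checked from the displayed text.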
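Review bot: in the arch/arm64/kernel/entry.S hunk, the new "b.eq ret_to_user" taken on RET_SKIP_SYSCALL_TRACE returns straight to user space and bypasses __sys_trace_return, so the syscall-exit tracehook never runs for a seccomp-denied call, whereas the RET_SKIP_SYSCALL path right below still goes through __sys_trace_return_skipped; that asymmetry is what the commit message intends, so make the inline comment say "skip syscall and both enter/exit tracing" rather than the ambiguous "skip syscall and tracing?".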
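Review bot: in the arch/arm64/kernel/ptrace.c hunk, returning RET_SKIP_SYSCALL_TRACE before the test_thread_flag(TIF_SYSCALL_TRACE) check means a ptrace tracer never receives a PTRACE_SYSCALL_ENTER stop for a call that seccomp rejects; the commit message says this is deliberate ("contrary to other cases"), so the comment should state that ordering decision explicitly instead of only "failures should be fast", since "first" here also means "before the tracer is told anything".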
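The compat-number point in the commit message matters to filter authors as much as to the kernel: under this port the same syscall number names different calls for native and compat tasks, so a seccomp-bpf program must branch on the arch field before comparing numbers. The following is an added example (not part of the patch or the kernel tree): a userspace allow-list covering the mode-1 set for both architectures, using the compat numbers the unistd.h hunk defines (exit=1, read=3, write=4, rt_sigreturn=173) and the asm-generic native numbers (93, 63, 64, 139), together with a small offline evaluator so the table can be unit-tested without installing it.

```c
#include <errno.h>
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#define ARCH_OFF offsetof(struct seccomp_data, arch)
#define NR_OFF   offsetof(struct seccomp_data, nr)
#define LD(off)        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (off))
#define JEQ(k, jt, jf) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (k), (jt), (jf))
#define RET(v)         BPF_STMT(BPF_RET | BPF_K, (v))
#define DENY           RET(SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))
/* Mode-1 style allow-list (read/write/exit/rt_sigreturn) keyed on arch.
 * Native numbers are the asm-generic ones; compat numbers are the ones the
 * patch adds to arch/arm64/include/asm/unistd.h (1, 3, 4, 173). */
static struct sock_filter filter[] = {
    LD(ARCH_OFF),
    JEQ(AUDIT_ARCH_AARCH64, 0, 7),  /* not native: fall to the compat table */
    LD(NR_OFF),
    JEQ(93, 3, 0),                  /* exit         */
    JEQ(63, 2, 0),                  /* read         */
    JEQ(64, 1, 0),                  /* write        */
    JEQ(139, 0, 1),                 /* rt_sigreturn */
    RET(SECCOMP_RET_ALLOW),
    DENY,
    JEQ(AUDIT_ARCH_ARM, 0, 7),      /* neither arch we know: kill */
    LD(NR_OFF),
    JEQ(1, 3, 0),                   /* compat exit         */
    JEQ(3, 2, 0),                   /* compat read         */
    JEQ(4, 1, 0),                   /* compat write        */
    JEQ(173, 0, 1),                 /* compat rt_sigreturn */
    RET(SECCOMP_RET_ALLOW),
    DENY,
    RET(SECCOMP_RET_KILL),
};
#define FILTER_LEN (sizeof(filter) / sizeof(filter[0]))
/* Offline evaluator for the three forms used above (LD_ABS, JEQ_K, RET_K). */
static unsigned int run_filter(unsigned int arch, unsigned int nr)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < FILTER_LEN; ) {
        const struct sock_filter *in = &filter[pc];
        switch (BPF_CLASS(in->code)) {
        case BPF_LD:  acc = (in->k == ARCH_OFF) ? arch : nr; pc++; break;
        case BPF_JMP: pc += 1 + (acc == in->k ? in->jt : in->jf); break;
        case BPF_RET: return in->k;
        default:      return SECCOMP_RET_KILL;  /* opcode not modelled */
        }
    }
    return SECCOMP_RET_KILL;  /* fell off the end; the kernel rejects such programs */
}
```

To install the table, wrap it in a struct sock_fprog and call prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) after prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); the evaluator is only for checking the jump offsets before doing so.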