From patchwork Thu Oct 2 09:46:16 2014
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 38283
From: AKASHI Takahiro
To: keescook@chromium.org, catalin.marinas@arm.com, will.deacon@arm.com
Cc: dsaxena@linaro.org, arndb@arndb.de, linux-arm-kernel@lists.infradead.org, linaro-kernel@lists.linaro.org, linux-kernel@vger.kernel.org, AKASHI Takahiro
Subject: [PATCH v7 6/6] arm64: add seccomp support
Date: Thu, 2 Oct 2014 18:46:16 +0900
Message-Id: <1412243176-16192-7-git-send-email-takahiro.akashi@linaro.org>
In-Reply-To: <1412243176-16192-1-git-send-email-takahiro.akashi@linaro.org>

secure_computing() is called first in syscall_trace_enter() so that a system call will be aborted quickly without doing succeeding syscall tracing if seccomp rules want to deny that system call.

On a compat task, syscall numbers for system calls allowed in seccomp mode 1 are different from those on normal tasks, and so __NR_seccomp_xxx_32's need to be redefined.

Signed-off-by: AKASHI Takahiro
---
 arch/arm64/Kconfig               | 14 ++++++++++++++
 arch/arm64/include/asm/seccomp.h | 25 +++++++++++++++++++++++++
 arch/arm64/include/asm/unistd.h  |  3 +++
 arch/arm64/kernel/ptrace.c       |  5 +++++
 4 files changed, 47 insertions(+)
 create mode 100644 arch/arm64/include/asm/seccomp.h

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index fd4e81a..d6dc436 100644 --- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig @@ -34,6 +34,7 @@ config ARM64 select HAVE_ARCH_AUDITSYSCALL select HAVE_ARCH_JUMP_LABEL select HAVE_ARCH_KGDB + select HAVE_ARCH_SECCOMP_FILTER select HAVE_ARCH_TRACEHOOK select HAVE_C_RECORDMCOUNT select HAVE_CC_STACKPROTECTOR @@ -312,6 +313,19 @@ config ARCH_HAS_CACHE_LINE_SIZE source "mm/Kconfig" +config SECCOMP + bool "Enable seccomp to safely compute untrusted bytecode" + ---help--- + This kernel feature is useful for number crunching applications + that may need to compute untrusted bytecode during their + execution. By using pipes or other transports made available to + the process as file descriptors supporting the read/write + syscalls, it's possible to isolate those applications in + their own address space using seccomp. Once seccomp is + enabled via prctl(PR_SET_SECCOMP), it cannot be disabled + and the task is only allowed to execute a few safe syscalls + defined by each seccomp mode. + config XEN_DOM0 def_bool y depends on XEN diff --git a/arch/arm64/include/asm/seccomp.h b/arch/arm64/include/asm/seccomp.h new file mode 100644 index 0000000..c76fac9 --- /dev/null +++ b/arch/arm64/include/asm/seccomp.h @@ -0,0 +1,25 @@ +/* + * arch/arm64/include/asm/seccomp.h + * + * Copyright (C) 2014 Linaro Limited + * Author: AKASHI Takahiro + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ +#ifndef _ASM_SECCOMP_H +#define _ASM_SECCOMP_H + +#include + +#ifdef CONFIG_COMPAT +#define __NR_seccomp_read_32 __NR_compat_read +#define __NR_seccomp_write_32 __NR_compat_write +#define __NR_seccomp_exit_32 __NR_compat_exit +#define __NR_seccomp_sigreturn_32 __NR_compat_rt_sigreturn +#endif /* CONFIG_COMPAT */ + +#include + +#endif /* _ASM_SECCOMP_H */ diff --git a/arch/arm64/include/asm/unistd.h b/arch/arm64/include/asm/unistd.h index 6d2bf41..49c9aef 100644 --- a/arch/arm64/include/asm/unistd.h 
+++ b/arch/arm64/include/asm/unistd.h @@ -31,6 +31,9 @@ * Compat syscall numbers used by the AArch64 kernel. */ #define __NR_compat_restart_syscall 0 +#define __NR_compat_exit 1 +#define __NR_compat_read 3 +#define __NR_compat_write 4 #define __NR_compat_sigreturn 119 #define __NR_compat_rt_sigreturn 173 diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 6b11c6a..7eef857 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -27,6 +27,7 @@ #include #include #include +#include #include #include #include @@ -1128,6 +1129,10 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs) { unsigned int orig_syscallno = regs->syscallno; + /* Do the secure computing check first; failures should be fast. */ + if (secure_computing(regs->syscallno) == -1) + return -1; + if (test_thread_flag(TIF_SYSCALL_TRACE)) tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
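Review bot: selecting HAVE_ARCH_SECCOMP_FILTER in the first Kconfig hunk commits the architecture to a contract this patch only partly shows. syscall_trace_enter() is reached only when the entry path sees one of the _TIF_SYSCALL_WORK bits set, and the diffstat lists no change to asm/thread_info.h, so please confirm that _TIF_SECCOMP is already part of _TIF_SYSCALL_WORK (in an earlier patch of the series or elsewhere). If it is not, a task with a filter installed but no tracer attached takes the fast syscall path and secure_computing() is never called, which is a silent failure rather than a build error. The filter mode also relies on syscall_get_arch(), syscall_get_nr(), syscall_set_return_value() and syscall_rollback() from asm/syscall.h, none of which appear here; a sentence in the commit message naming where those come from would save the next reviewer the search.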
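Review bot: the help text for config SECCOMP in the second Kconfig hunk describes only strict mode (prctl(PR_SET_SECCOMP) and "a few safe syscalls defined by each seccomp mode"), while the same patch selects HAVE_ARCH_SECCOMP_FILTER, so the option also turns on BPF filter mode, which is what sandboxes actually use. Add a sentence saying so, and since the option sets no default, decide explicitly whether it should be `default y` so that distribution kernels pick it up.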
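Review bot: in the new arch/arm64/include/asm/seccomp.h, __NR_seccomp_sigreturn_32 is mapped to __NR_compat_rt_sigreturn only, so a compat task in strict mode may return from a signal handler through rt_sigreturn but not through the legacy sigreturn (__NR_compat_sigreturn, 119, which unistd.h already defines). Whether that is sufficient depends on which of the two the compat signal-return path issues for a handler registered without SA_SIGINFO; if the non-rt variant can be issued, a strict-mode compat task that takes such a signal is killed the moment its handler returns. Please either confirm that strict-mode compat tasks only ever return via rt_sigreturn or add a comment above the define recording the choice. Note also that the two #include lines have lost their targets in this copy of the mail, so a reader cannot check that asm/unistd.h is included before the compat defines and the generic header after them.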
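Review bot: the three new constants in the unistd.h hunk (__NR_compat_exit 1, __NR_compat_read 3, __NR_compat_write 4) are hand-copied syscall numbers that, through seccomp.h, now decide what a strict-mode compat task is allowed to execute; a transposed value would allow or deny the wrong syscall without any warning. The existing neighbours (__NR_compat_restart_syscall, __NR_compat_sigreturn, __NR_compat_rt_sigreturn) have the same problem, so a comment naming the compat syscall table they must stay in sync with, or a build-time assertion against it, would be worth adding while this file is being touched.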
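Review bot: in the syscall_trace_enter() hunk, returning -1 on a seccomp denial is only correct if the caller treats a -1 return as "skip the syscall and hand back whatever is already in the return register", not as a syscall number to dispatch. For SECCOMP_RET_ERRNO the filter has already stored -errno via syscall_set_return_value(), and for SECCOMP_RET_TRAP/KILL the signal is already pending, so the caller must neither overwrite x0 nor re-dispatch. Nothing in this hunk enforces that, and entry.S is not in the diffstat, so the comment "failures should be fast" should also say where the skip semantics of the -1 return come from. The ordering itself is right and matches the commit message: the check runs before tracehook_report_syscall(), so a denied syscall never reaches ptrace or audit.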
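The second paragraph of the commit message is the reason every seccomp filter must look at seccomp_data.arch before it trusts the syscall number: the same number names different calls under the AArch64 and AArch32 ABIs, so a filter written for one ABI and applied to a task running the other would allow the wrong syscalls. The program below is an added example, not code from the patch or from the kernel tree; it builds a BPF filter that kills on an unexpected ABI, allows a small hand-picked set (read, write, exit, exit_group, rt_sigreturn, an allowlist chosen for the demo), returns EPERM for everything else, and then proves in a forked child that a call outside the list (getppid here) comes back with EPERM instead of executing. It uses only the standard prctl(PR_SET_SECCOMP) interface and the AUDIT_ARCH_* tokens for the build target, so it runs unchanged on any Linux kernel with filter-mode seccomp, including an arm64 kernel carrying this patch, and a 32-bit build of it run as a compat task picks up AUDIT_ARCH_ARM and the AArch32 numbers automatically.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* ABI token the filter expects in seccomp_data.arch for this build.
 * A compat (AArch32) task on an arm64 kernel reports AUDIT_ARCH_ARM, not
 * AUDIT_ARCH_AARCH64, which is why the filter checks arch before nr. */
#if defined(__x86_64__)
#define EXPECTED_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define EXPECTED_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define EXPECTED_ARCH AUDIT_ARCH_AARCH64
#elif defined(__arm__)
#define EXPECTED_ARCH AUDIT_ARCH_ARM
#else
#error "add the AUDIT_ARCH_* token for this architecture"
#endif

/* Allowlist for the demo (an assumption, not the kernel's mode-1 set):
 * strict mode's read/write/exit/sigreturn plus exit_group, which _exit() uses. */
static const int allowed_syscalls[] = {
    SYS_read, SYS_write, SYS_exit, SYS_exit_group, SYS_rt_sigreturn,
};
#define N_ALLOWED (sizeof(allowed_syscalls) / sizeof(allowed_syscalls[0]))

/* Fill prog with: arch check (kill on mismatch), one compare per allowed
 * syscall, then ERRNO(EPERM) as the default and ALLOW as the match target.
 * Returns the number of instructions written, 0 if cap is too small. */
size_t build_filter(struct sock_filter *prog, size_t cap)
{
    size_t n = 0;
    if (cap < N_ALLOWED + 6)
        return 0;
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, arch));
    prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXPECTED_ARCH, 1, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < N_ALLOWED; i++) {
        /* On a match, jump over the remaining compares and the ERRNO
         * instruction straight to the final ALLOW. */
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                 (__u32)allowed_syscalls[i],
                                                 (__u8)(N_ALLOWED - i), 0);
    }
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}

/* Instruction count of the filter for a 32-entry buffer (4 + N_ALLOWED + 2). */
size_t filter_length(void)
{
    struct sock_filter insns[32];
    return build_filter(insns, 32);
}

/* Install the filter in a child and make it call a syscall outside the
 * allowlist. Returns the child's exit code: 0 if the denied call came back
 * with EPERM, 1 if the filter could not be installed, 2 if the call ran,
 * -1 if fork/wait failed or the child died from a signal. */
int run_filtered_probe(void)
{
    struct sock_filter insns[32];
    struct sock_fprog prog = {
        .len = (unsigned short)build_filter(insns, 32),
        .filter = insns,
    };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* NO_NEW_PRIVS lets an unprivileged task install a filter. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
            _exit(1);
        /* getppid is not in the allowlist: the filter's ERRNO verdict is
         * delivered at syscall entry, before any tracer or audit hook. */
        long rc = syscall(SYS_getppid);
        _exit(rc == -1 && errno == EPERM ? 0 : 2);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int rc = run_filtered_probe();
    printf("denied syscall returned EPERM: %s (probe code %d)\n",
           rc == 0 ? "yes" : "no", rc);
    return rc == 0 ? 0 : 1;
}
```

Build with `cc -O2 -o seccomp_probe seccomp_probe.c` and run it as an ordinary user; the arch check is the part that matters for this patch, because an allowlist that skips it and is applied to a compat task would be comparing AArch32 numbers against AArch64 meanings.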