From patchwork Wed Nov 26 04:49:51 2014
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 41519
From: AKASHI Takahiro
To: keescook@chromium.org, catalin.marinas@arm.com, will.deacon@arm.com
Cc: dsaxena@linaro.org, arndb@arndb.de, linux-arm-kernel@lists.infradead.org, linaro-kernel@lists.linaro.org, linux-kernel@vger.kernel.org, AKASHI Takahiro
Subject: [PATCH v9 6/6] arm64: add seccomp support
Date: Wed, 26 Nov 2014 13:49:51 +0900
Message-Id: <1416977391-24231-7-git-send-email-takahiro.akashi@linaro.org>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1416977391-24231-1-git-send-email-takahiro.akashi@linaro.org>
References: <1416977391-24231-1-git-send-email-takahiro.akashi@linaro.org>
X-Mailing-List: linux-kernel@vger.kernel.org

secure_computing() is called first in syscall_trace_enter() so that a
system call will be aborted quickly without doing succeeding syscall
tracing if seccomp rules want to deny that system call.

On compat task, syscall numbers for system calls allowed in seccomp
mode 1 are different from those on normal tasks, and so
__NR_seccomp_xxx_32's need to be redefined.
Signed-off-by: AKASHI Takahiro --- arch/arm64/Kconfig | 14 ++++++++++++++ arch/arm64/include/asm/seccomp.h | 25 +++++++++++++++++++++++++ arch/arm64/include/asm/unistd.h | 3 +++ arch/arm64/kernel/ptrace.c | 5 +++++ 4 files changed, 47 insertions(+) create mode 100644 arch/arm64/include/asm/seccomp.h diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 9532f8d..f495d3c 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -37,6 +37,7 @@ config ARM64 select HAVE_ARCH_AUDITSYSCALL select HAVE_ARCH_JUMP_LABEL select HAVE_ARCH_KGDB + select HAVE_ARCH_SECCOMP_FILTER select HAVE_ARCH_TRACEHOOK select HAVE_BPF_JIT select HAVE_C_RECORDMCOUNT @@ -345,6 +346,19 @@ config ARCH_HAS_CACHE_LINE_SIZE source "mm/Kconfig" +config SECCOMP + bool "Enable seccomp to safely compute untrusted bytecode" + ---help--- + This kernel feature is useful for number crunching applications + that may need to compute untrusted bytecode during their + execution. By using pipes or other transports made available to + the process as file descriptors supporting the read/write + syscalls, it's possible to isolate those applications in + their own address space using seccomp. Once seccomp is + enabled via prctl(PR_SET_SECCOMP), it cannot be disabled + and the task is only allowed to execute a few safe syscalls + defined by each seccomp mode. + config XEN_DOM0 def_bool y depends on XEN diff --git a/arch/arm64/include/asm/seccomp.h b/arch/arm64/include/asm/seccomp.h new file mode 100644 index 0000000..c76fac9 --- /dev/null +++ b/arch/arm64/include/asm/seccomp.h 
@@ -0,0 +1,25 @@ +/* + * arch/arm64/include/asm/seccomp.h + * + * Copyright (C) 2014 Linaro Limited + * Author: AKASHI Takahiro + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ +#ifndef _ASM_SECCOMP_H +#define _ASM_SECCOMP_H + +#include + +#ifdef CONFIG_COMPAT +#define __NR_seccomp_read_32 __NR_compat_read +#define __NR_seccomp_write_32 __NR_compat_write +#define __NR_seccomp_exit_32 __NR_compat_exit +#define __NR_seccomp_sigreturn_32 __NR_compat_rt_sigreturn +#endif /* CONFIG_COMPAT */ + +#include + +#endif /* _ASM_SECCOMP_H */ diff --git a/arch/arm64/include/asm/unistd.h b/arch/arm64/include/asm/unistd.h index 6d2bf41..49c9aef 100644 --- a/arch/arm64/include/asm/unistd.h +++ b/arch/arm64/include/asm/unistd.h @@ -31,6 +31,9 @@ * Compat syscall numbers used by the AArch64 kernel. */ #define __NR_compat_restart_syscall 0 +#define __NR_compat_exit 1 +#define __NR_compat_read 3 +#define __NR_compat_write 4 #define __NR_compat_sigreturn 119 #define __NR_compat_rt_sigreturn 173 diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 8b98781..d894eab 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -27,6 +27,7 @@ #include #include #include +#include #include #include #include @@ -1149,6 +1150,10 @@ static void tracehook_report_syscall(struct pt_regs *regs, asmlinkage int syscall_trace_enter(struct pt_regs *regs) { + /* Do the secure computing check first; failures should be fast. */ + if (secure_computing() == -1) + return -1; + if (test_thread_flag(TIF_SYSCALL_TRACE)) tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
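Review bot: the help text of the new `config SECCOMP` entry in arch/arm64/Kconfig describes only strict mode (a task that "is only allowed to execute a few safe syscalls" after prctl(PR_SET_SECCOMP)), while the first Kconfig hunk also selects HAVE_ARCH_SECCOMP_FILTER; add a sentence saying that BPF filter mode is available too. The option also carries no `default` line, so either give it one or state in the commit message that seccomp is off unless explicitly enabled, so that defconfigs derived from this do not silently ship without it.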
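Review bot: in the new arch/arm64/include/asm/seccomp.h the four `__NR_seccomp_*_32` defines sit before the trailing `#include`, and that order is presumably what lets them take precedence over the generic definitions pulled in afterwards; if so, say it in a comment next to the `#ifdef CONFIG_COMPAT` block so a later cleanup does not hoist the include to the top of the file. The same comment should explain why `__NR_seccomp_sigreturn_32` maps to `__NR_compat_rt_sigreturn` (173) rather than `__NR_compat_sigreturn` (119), since unistd.h defines both and this is the one non-obvious choice in the compat strict-mode whitelist.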
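Review bot: the three new `__NR_compat_*` constants in arch/arm64/include/asm/unistd.h (`exit 1`, `read 3`, `write 4`) are hard-coded next to the existing restart_syscall/sigreturn/rt_sigreturn values with nothing tying them to the compat syscall table they have to agree with; a short comment on the block saying where these numbers come from and that they must be kept in step with that table would make a future mismatch easier to catch in review.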
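Review bot: the early `return -1` added to syscall_trace_enter() in arch/arm64/kernel/ptrace.c only aborts the system call if the assembly caller treats a negative return as "skip the syscall", and that caller is not part of this patch; the commit message says the call "will be aborted quickly" but should spell out that contract, and that the syscall number is already stored in regs when secure_computing() runs, because the seccomp check reads it from there. It is worth noting in the same message that, with this ordering, a ptrace tracer attached via TIF_SYSCALL_TRACE never sees a syscall that seccomp has denied, which is the behaviour the added comment ("failures should be fast") implies.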