diff options
| author | Will Drewry <wad@chromium.org> | 2012-02-15 20:45:54 -0600 |
|---|---|---|
| committer | John Rigby <john.rigby@linaro.org> | 2012-06-20 20:25:56 -0600 |
| commit | 216c9e4d8d91d92472173f5c169cfb2f12c8ae17 (patch) | |
| tree | ab7bee48fa96316ea8cb5d618c9f751c4ebd9b0a /include | |
| parent | 31e190733882a4ea9b92a69d0204d653c0aa3edf (diff) | |
UBUNTU: SAUCE: SECCOMP: seccomp: add SECCOMP_RET_ERRNO
This change adds the SECCOMP_RET_ERRNO as a valid return value from a
seccomp filter. Additionally, it makes the first use of the lower
16-bits for storing a filter-supplied errno. 16-bits is more than
enough for the errno-base.h calls.
Returning errors instead of immediately terminating processes that
violate seccomp policy allow for broader use of this functionality
for kernel attack surface reduction. For example, a linux container
could maintain a whitelist of pre-existing system calls but drop
all new ones with errnos. This would keep a logically static attack
surface while providing errnos that may allow for graceful failure
without the downside of do_exit() on a bad call.
v15: - use audit_seccomp and add a skip label. (eparis@redhat.com)
- clean up and pad out return codes (indan@nul.nu)
v14: - no change/rebase
v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
v12: - move to WARN_ON if filter is NULL
(oleg@redhat.com, luto@mit.edu, keescook@chromium.org)
- return immediately for filter==NULL (keescook@chromium.org)
- change evaluation to only compare the ACTION so that layered
errnos don't result in the lowest one being returned.
(keeschook@chromium.org)
v11: - check for NULL filter (keescook@chromium.org)
v10: - change loaders to fn
v9: - n/a
v8: - update Kconfig to note new need for syscall_set_return_value.
- reordered such that TRAP behavior follows on later.
- made the for loop a little less indent-y
v7: - introduced
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Will Drewry <wad@chromium.org>
Signed-off-by: Kees Cook <kees@ubuntu.com>
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/seccomp.h | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index ce980a8ee87..12bb2e31ed1 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h @@ -12,13 +12,14 @@ /* * All BPF programs must return a 32-bit value. - * The bottom 16-bits are reserved for future use. + * The bottom 16-bits are for optional return data. * The upper 16-bits are ordered from least permissive values to most. * * The ordering ensures that a min_t() over composed return values always * selects the least permissive choice. */ #define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */ +#define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */ #define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */ /* Masks for the return value sections. */ @@ -64,11 +65,17 @@ struct seccomp { struct seccomp_filter *filter; }; -extern void __secure_computing(int); -static inline void secure_computing(int this_syscall) +/* + * Direct callers to __secure_computing should be updated as + * CONFIG_HAVE_ARCH_SECCOMP_FILTER propagates. + */ +extern void __secure_computing(int) __deprecated; +extern int __secure_computing_int(int); +static inline int secure_computing(int this_syscall) { if (unlikely(test_thread_flag(TIF_SECCOMP))) - __secure_computing(this_syscall); + return __secure_computing_int(this_syscall); + return 0; } extern long prctl_get_seccomp(void); |