[GIT PULL] seccomp updates for next

All of lore.kernel.org
 help / color / mirror / Atom feed

From: keescook@chromium.org (Kees Cook)
To: linux-security-module@vger.kernel.org
Subject: [GIT PULL] seccomp updates for next
Date: Tue, 15 Aug 2017 15:03:19 -0700	[thread overview]
Message-ID: <20170815220319.GA63342@beast> (raw)

Hi James,

Please pull these seccomp changes for next.

Thanks!

-Kees

The following changes since commit 520eccdfe187591a51ea9ab4c1a024ae4d0f68d9:

  Linux 4.13-rc2 (2017-07-23 16:15:17 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-next

for you to fetch changes up to f3e1821d9e1cc3fb434d7763001791dcd6720c90:

  selftests/seccomp: Test thread vs process killing (2017-08-14 13:46:50 -0700)

----------------------------------------------------------------
Major additions:
- sysctl and seccomp operation to discover available actions. (tyhicks)
- new per-filter configurable logging infrastructure and sysctl. (tyhicks)
- SECCOMP_RET_LOG to log allowed syscalls. (tyhicks)
- SECCOMP_RET_KILL_PROCESS as the new strictest possible action.
- self-tests for new behaviors.

----------------------------------------------------------------
Kees Cook (8):
      selftests/seccomp: Add tests for basic ptrace actions
      selftests/seccomp: Add simple seccomp overhead benchmark
      selftests/seccomp: Refactor RET_ERRNO tests
      seccomp: Provide matching filter for introspection
      seccomp: Rename SECCOMP_RET_KILL to SECCOMP_RET_KILL_THREAD
      seccomp: Introduce SECCOMP_RET_KILL_PROCESS
      seccomp: Implement SECCOMP_RET_KILL_PROCESS action
      selftests/seccomp: Test thread vs process killing

Tyler Hicks (6):
      seccomp: Sysctl to display available actions
      seccomp: Operation for checking if an action is available
      seccomp: Sysctl to configure actions that are allowed to be logged
      seccomp: Selftest for detection of filter flag support
      seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW
      seccomp: Action to log before allowing

 Documentation/networking/filter.txt                |   2 +-
 Documentation/sysctl/kernel.txt                    |   1 +
 Documentation/userspace-api/seccomp_filter.rst     |  52 +-
 include/linux/audit.h                              |   6 +-
 include/linux/seccomp.h                            |   3 +-
 include/uapi/linux/seccomp.h                       |  23 +-
 kernel/seccomp.c                                   | 321 ++++++++++-
 samples/seccomp/bpf-direct.c                       |   4 +-
 samples/seccomp/bpf-helper.h                       |   2 +-
 tools/testing/selftests/seccomp/Makefile           |  18 +-
 .../testing/selftests/seccomp/seccomp_benchmark.c  |  99 ++++
 tools/testing/selftests/seccomp/seccomp_bpf.c      | 610 +++++++++++++++++----
 12 files changed, 1009 insertions(+), 132 deletions(-)
 create mode 100644 tools/testing/selftests/seccomp/seccomp_benchmark.c

-- 
Kees Cook
Pixel Security
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

WARNING: multiple messages have this Message-ID (diff)

From: Kees Cook <keescook@chromium.org>
To: James Morris <james.l.morris@oracle.com>
Cc: linux-kernel@vger.kernel.org,
	Andy Lutomirski <luto@amacapital.net>,
	Tyler Hicks <tyhicks@canonical.com>,
	linux-security-module@vger.kernel.org
Subject: [GIT PULL] seccomp updates for next
Date: Tue, 15 Aug 2017 15:03:19 -0700	[thread overview]
Message-ID: <20170815220319.GA63342@beast> (raw)

Hi James,

Please pull these seccomp changes for next.

Thanks!

-Kees

The following changes since commit 520eccdfe187591a51ea9ab4c1a024ae4d0f68d9:

  Linux 4.13-rc2 (2017-07-23 16:15:17 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-next

for you to fetch changes up to f3e1821d9e1cc3fb434d7763001791dcd6720c90:

  selftests/seccomp: Test thread vs process killing (2017-08-14 13:46:50 -0700)

----------------------------------------------------------------
Major additions:
- sysctl and seccomp operation to discover available actions. (tyhicks)
- new per-filter configurable logging infrastructure and sysctl. (tyhicks)
- SECCOMP_RET_LOG to log allowed syscalls. (tyhicks)
- SECCOMP_RET_KILL_PROCESS as the new strictest possible action.
- self-tests for new behaviors.

----------------------------------------------------------------
Kees Cook (8):
      selftests/seccomp: Add tests for basic ptrace actions
      selftests/seccomp: Add simple seccomp overhead benchmark
      selftests/seccomp: Refactor RET_ERRNO tests
      seccomp: Provide matching filter for introspection
      seccomp: Rename SECCOMP_RET_KILL to SECCOMP_RET_KILL_THREAD
      seccomp: Introduce SECCOMP_RET_KILL_PROCESS
      seccomp: Implement SECCOMP_RET_KILL_PROCESS action
      selftests/seccomp: Test thread vs process killing

Tyler Hicks (6):
      seccomp: Sysctl to display available actions
      seccomp: Operation for checking if an action is available
      seccomp: Sysctl to configure actions that are allowed to be logged
      seccomp: Selftest for detection of filter flag support
      seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW
      seccomp: Action to log before allowing

 Documentation/networking/filter.txt                |   2 +-
 Documentation/sysctl/kernel.txt                    |   1 +
 Documentation/userspace-api/seccomp_filter.rst     |  52 +-
 include/linux/audit.h                              |   6 +-
 include/linux/seccomp.h                            |   3 +-
 include/uapi/linux/seccomp.h                       |  23 +-
 kernel/seccomp.c                                   | 321 ++++++++++-
 samples/seccomp/bpf-direct.c                       |   4 +-
 samples/seccomp/bpf-helper.h                       |   2 +-
 tools/testing/selftests/seccomp/Makefile           |  18 +-
 .../testing/selftests/seccomp/seccomp_benchmark.c  |  99 ++++
 tools/testing/selftests/seccomp/seccomp_bpf.c      | 610 +++++++++++++++++----
 12 files changed, 1009 insertions(+), 132 deletions(-)
 create mode 100644 tools/testing/selftests/seccomp/seccomp_benchmark.c

-- 
Kees Cook
Pixel Security

next             reply	other threads:[~2017-08-15 22:03 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-08-15 22:03 Kees Cook [this message]
2017-08-15 22:03 ` [GIT PULL] seccomp updates for next Kees Cook
2017-08-16  2:33 ` James Morris
2017-08-16  2:33   ` James Morris
  -- strict thread matches above, loose matches on Subject: below --
2018-12-12 23:16 Kees Cook
2018-12-13  0:08 ` James Morris
2017-11-29  0:38 Kees Cook
2017-11-29  0:38 ` Kees Cook
2017-11-29  1:55 ` James Morris
2017-11-29  1:55   ` James Morris
2017-06-26 17:02 Kees Cook
2017-06-26 17:02 ` Kees Cook
2017-06-27  3:27 ` James Morris
2017-06-27  3:27   ` James Morris

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170815220319.GA63342@beast \
    --to=keescook@chromium.org \
    --cc=linux-security-module@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.