From: Kees Cook <keescook@chromium.org>
To: Anton Protopopov <a.s.protopopov@gmail.com>
Cc: Andy Lutomirski <luto@amacapital.net>,
Will Drewry <wad@chromium.org>,
linux-kernel@vger.kernel.org,
Daniel Borkmann <daniel@iogearbox.net>,
bpf@vger.kernel.org
Subject: Re: [PATCH] seccomp: allow BPF_MOD ALU instructions
Date: Mon, 16 Mar 2020 14:23:59 -0700
Message-ID: <202003161423.B51FDA8083@keescook>
In-Reply-To: <20200316163646.2465-1-a.s.protopopov@gmail.com>

On Mon, Mar 16, 2020 at 04:36:46PM +0000, Anton Protopopov wrote:
> The BPF_MOD ALU instructions could be utilized by seccomp classic BPF filters,
> but were missing from the explicit list of allowed calls since its introduction
> in the original e2cfabdfd075 ("seccomp: add system call filtering using BPF")
> commit. Add support for these instructions by adding them to the allowed list
> in the seccomp_check_filter function.
>
> Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>

This has been suggested in the past, but was deemed ultimately redundant:
https://lore.kernel.org/lkml/201908121035.06695C79F@keescook/

Is there a strong reason it's needed?

Thanks!

-Kees

> ---
> kernel/seccomp.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index b6ea3dcb57bf..cae7561b44d4 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -206,6 +206,8 @@ static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen)
> case BPF_ALU | BPF_MUL | BPF_X:
> case BPF_ALU | BPF_DIV | BPF_K:
> case BPF_ALU | BPF_DIV | BPF_X:
> + case BPF_ALU | BPF_MOD | BPF_K:
> + case BPF_ALU | BPF_MOD | BPF_X:
> case BPF_ALU | BPF_AND | BPF_K:
> case BPF_ALU | BPF_AND | BPF_X:
> case BPF_ALU | BPF_OR | BPF_K:
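Review bot: The two added BPF_MOD cases (BPF_ALU | BPF_MOD | BPF_K and BPF_ALU | BPF_MOD | BPF_X) come with no stated use case and no test: the changelog says only that the instructions "could be utilized", and the diffstat touches kernel/seccomp.c alone. Since this widens the instruction allow-list in seccomp_check_filter, please name a filter that needs modulo and cannot reasonably express it with the ALU operations already allowed, and add a selftest that loads a filter using each of the two new opcodes. The changelog also describes this as the list of allowed "calls"; what the switch enumerates is allowed instructions, so the wording should say so.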
> --
> 2.19.1
--
Kees Cook