From: Kees Cook <kees@kernel.org>
To: Oleg Nesterov <oleg@redhat.com>
Cc: Andy Lutomirski <luto@amacapital.net>,
Will Drewry <wad@chromium.org>,
Thomas Bogendoerfer <tsbogend@alpha.franken.de>,
Madhavan Srinivasan <maddy@linux.ibm.com>,
Michael Ellerman <mpe@ellerman.id.au>,
Thomas Gleixner <tglx@linutronix.de>,
Peter Zijlstra <peterz@infradead.org>,
linux-kernel@vger.kernel.org, linux-mips@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org
Subject: Re: [PATCH 2/4] seccomp: kill the dead code in the !CONFIG_HAVE_ARCH_SECCOMP_FILTER version of __secure_computing()
Date: Mon, 20 Jan 2025 13:54:35 -0800 [thread overview]
Message-ID: <202501201353.168E6AAC8@keescook> (raw)
In-Reply-To: <20250120134452.GA21275@redhat.com>
On Mon, Jan 20, 2025 at 02:44:52PM +0100, Oleg Nesterov wrote:
> Depending on CONFIG_HAVE_ARCH_SECCOMP_FILTER, __secure_computing(NULL)
> will crash or not, this is not consistent/safe.
Right now this never happens because there are no callers.
> Fortunately, if CONFIG_HAVE_ARCH_SECCOMP_FILTER=n, __secure_computing()
> has no callers, these architectures use secure_computing_strict().
As you say here.
> Also, after the previous change __secure_computing(sd) is always called
> with sd == NULL, so it is clear that we can remove the code which makes
> no sense.
However, after this change, if someone were to *add* a caller, it would
bypass strict mode. Instead of "return 0", it seems like it'd be better
to remove the function entirely (and maybe add a comment about calling
secure_computing_strict() directly)?
>
> Signed-off-by: Oleg Nesterov <oleg@redhat.com>
> ---
> include/linux/seccomp.h | 6 +-----
> 1 file changed, 1 insertion(+), 5 deletions(-)
>
> diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h
> index e45531455d3b..e01dfe57a884 100644
> --- a/include/linux/seccomp.h
> +++ b/include/linux/seccomp.h
> @@ -32,11 +32,7 @@ static inline int secure_computing(void)
> }
> #else
> extern void secure_computing_strict(int this_syscall);
> -static inline int __secure_computing(const struct seccomp_data *sd)
> -{
> - secure_computing_strict(sd->nr);
> - return 0;
> -}
> +static inline int __secure_computing(const struct seccomp_data *sd) { return 0; }
> #endif
>
> extern long prctl_get_seccomp(void);
> --
> 2.25.1.362.g51ebf55
>
--
Kees Cook
next prev parent reply other threads:[~2025-01-20 21:54 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-20 13:44 [PATCH 0/4] seccomp: remove the 'sd' argument from __secure_computing() Oleg Nesterov
2025-01-20 13:44 ` [PATCH 1/4] seccomp/mips: change syscall_trace_enter() to use secure_computing() Oleg Nesterov
2025-01-20 21:48 ` Kees Cook
2025-01-23 14:33 ` Thomas Bogendoerfer
2025-01-20 13:44 ` [PATCH 2/4] seccomp: kill the dead code in the !CONFIG_HAVE_ARCH_SECCOMP_FILTER version of __secure_computing() Oleg Nesterov
2025-01-20 21:54 ` Kees Cook [this message]
2025-01-21 14:30 ` Oleg Nesterov
2025-01-27 19:17 ` Kees Cook
2025-01-20 13:44 ` [PATCH 3/4] seccomp: remove the 'sd' argument from __secure_computing() Oleg Nesterov
2025-01-20 21:55 ` Kees Cook
2025-01-20 13:45 ` [PATCH 4/4] seccomp: remove the 'sd' argument from __seccomp_filter() Oleg Nesterov
2025-01-20 22:00 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202501201353.168E6AAC8@keescook \
--to=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=luto@amacapital.net \
--cc=maddy@linux.ibm.com \
--cc=mpe@ellerman.id.au \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=tsbogend@alpha.franken.de \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.