* [PATCH 0/8] Improved seccomp-bpf support for MIPS
@ 2014-01-22 14:39 ` Markos Chandras
0 siblings, 0 replies; 21+ messages in thread
From: Markos Chandras @ 2014-01-22 14:39 UTC (permalink / raw)
To: linux-mips; +Cc: Markos Chandras
Hi,
This patch improves the existing seccomp-bpf support for MIPS.
It fixes a bug when copying system call arguments for the filter
checks and it also moves away from strict filtering to actually
use the filter supplied by the userspace process.
This patchset has been tested with libseccomp
(MIPS support not upstream yet) on mips, mipsel and mips64
and with Chromium test suite (MIPS support not upstream yet)
on mipsel.
This patchset is based on the upstream-sfr/mips-for-linux-next tree.
Markos Chandras (8):
MIPS: asm: syscall: Fix copying system call arguments
MIPS: asm: syscall: Add the syscall_rollback function
MIPS: asm: syscall: Define syscall_get_arch
MIPS: asm: thread_info: Add _TIF_SECCOMP flag
MIPS: ptrace: Move away from secure_computing_strict
MIPS: kernel: scalls: Skip the syscall if denied by the seccomp filter
MIPS: seccomp: Handle indirect system calls (o32)
MIPS: Select HAVE_ARCH_SECCOMP_FILTER
arch/mips/Kconfig | 1 +
arch/mips/include/asm/ptrace.h | 2 +-
arch/mips/include/asm/syscall.h | 35 ++++++++++++++++++++++++++++++-----
arch/mips/include/asm/thread_info.h | 3 ++-
arch/mips/kernel/ptrace.c | 11 ++++++-----
arch/mips/kernel/scall32-o32.S | 15 +++++++++++++--
arch/mips/kernel/scall64-64.S | 5 ++++-
arch/mips/kernel/scall64-n32.S | 5 ++++-
arch/mips/kernel/scall64-o32.S | 17 +++++++++++++++--
9 files changed, 76 insertions(+), 18 deletions(-)
--
1.8.5.3
^ permalink raw reply [flat|nested] 21+ messages in thread
* [PATCH 1/8] MIPS: asm: syscall: Fix copying system call arguments
@ 2014-01-22 14:39 ` Markos Chandras
0 siblings, 0 replies; 21+ messages in thread
From: Markos Chandras @ 2014-01-22 14:39 UTC (permalink / raw)
To: linux-mips; +Cc: Markos Chandras
The syscall_get_arguments function expects the arguments to be copied
to the '*args' argument but instead a local variable was used to hold
the system call argument. As a result of which, this variable was
never passed to the filter and any filter testing the system call
arguments would fail. This is fixed by passing the '*args' variable
as the destination memory for the system call arguments.
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
---
arch/mips/include/asm/syscall.h | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h
index 33e8dbf..10d98b9 100644
--- a/arch/mips/include/asm/syscall.h
+++ b/arch/mips/include/asm/syscall.h
@@ -83,11 +83,10 @@ static inline void syscall_get_arguments(struct task_struct *task,
unsigned int i, unsigned int n,
unsigned long *args)
{
- unsigned long arg;
int ret;
while (n--)
- ret |= mips_get_syscall_arg(&arg, task, regs, i++);
+ ret |= mips_get_syscall_arg(args++, task, regs, i++);
/*
* No way to communicate an error because this is a void function.
--
1.8.5.3
^ permalink raw reply related [flat|nested] 21+ messages in thread* [PATCH 1/8] MIPS: asm: syscall: Fix copying system call arguments
@ 2014-01-22 14:39 ` Markos Chandras
0 siblings, 0 replies; 21+ messages in thread
From: Markos Chandras @ 2014-01-22 14:39 UTC (permalink / raw)
To: linux-mips; +Cc: Markos Chandras
The syscall_get_arguments function expects the arguments to be copied
to the '*args' argument but instead a local variable was used to hold
the system call argument. As a result of which, this variable was
never passed to the filter and any filter testing the system call
arguments would fail. This is fixed by passing the '*args' variable
as the destination memory for the system call arguments.
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
---
arch/mips/include/asm/syscall.h | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h
index 33e8dbf..10d98b9 100644
--- a/arch/mips/include/asm/syscall.h
+++ b/arch/mips/include/asm/syscall.h
@@ -83,11 +83,10 @@ static inline void syscall_get_arguments(struct task_struct *task,
unsigned int i, unsigned int n,
unsigned long *args)
{
- unsigned long arg;
int ret;
while (n--)
- ret |= mips_get_syscall_arg(&arg, task, regs, i++);
+ ret |= mips_get_syscall_arg(args++, task, regs, i++);
/*
* No way to communicate an error because this is a void function.
--
1.8.5.3
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH 2/8] MIPS: asm: syscall: Add the syscall_rollback function
@ 2014-01-22 14:39 ` Markos Chandras
0 siblings, 0 replies; 21+ messages in thread
From: Markos Chandras @ 2014-01-22 14:39 UTC (permalink / raw)
To: linux-mips; +Cc: Markos Chandras
The syscall_rollback function is used by seccomp-bpf but it was never
added for MIPS. It doesn't need to do anything as none of the registers
are clobbered if the system call has been denied by the seccomp filter.
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
---
arch/mips/include/asm/syscall.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h
index 10d98b9..e3e2f76 100644
--- a/arch/mips/include/asm/syscall.h
+++ b/arch/mips/include/asm/syscall.h
@@ -65,6 +65,12 @@ static inline long syscall_get_return_value(struct task_struct *task,
return regs->regs[2];
}
+static inline void syscall_rollback(struct task_struct *task,
+ struct pt_regs *regs)
+{
+ /* Do nothing */
+}
+
static inline void syscall_set_return_value(struct task_struct *task,
struct pt_regs *regs,
int error, long val)
--
1.8.5.3
^ permalink raw reply related [flat|nested] 21+ messages in thread* [PATCH 2/8] MIPS: asm: syscall: Add the syscall_rollback function
@ 2014-01-22 14:39 ` Markos Chandras
0 siblings, 0 replies; 21+ messages in thread
From: Markos Chandras @ 2014-01-22 14:39 UTC (permalink / raw)
To: linux-mips; +Cc: Markos Chandras
The syscall_rollback function is used by seccomp-bpf but it was never
added for MIPS. It doesn't need to do anything as none of the registers
are clobbered if the system call has been denied by the seccomp filter.
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
---
arch/mips/include/asm/syscall.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h
index 10d98b9..e3e2f76 100644
--- a/arch/mips/include/asm/syscall.h
+++ b/arch/mips/include/asm/syscall.h
@@ -65,6 +65,12 @@ static inline long syscall_get_return_value(struct task_struct *task,
return regs->regs[2];
}
+static inline void syscall_rollback(struct task_struct *task,
+ struct pt_regs *regs)
+{
+ /* Do nothing */
+}
+
static inline void syscall_set_return_value(struct task_struct *task,
struct pt_regs *regs,
int error, long val)
--
1.8.5.3
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH 3/8] MIPS: asm: syscall: Define syscall_get_arch
@ 2014-01-22 14:39 ` Markos Chandras
0 siblings, 0 replies; 21+ messages in thread
From: Markos Chandras @ 2014-01-22 14:39 UTC (permalink / raw)
To: linux-mips; +Cc: Markos Chandras
This effectively renames __syscall_get_arch to syscall_get_arch
and implements a compatible interface for the seccomp API.
The seccomp code (kernel/seccomp.c) expects a syscall_get_arch
function to be defined for every architecture, so we drop
the leading underscores from the existing function.
This also makes use of the 'task' argument to determine the type
the process instead of assuming the process has the same
characteristics as the kernel it's running on.
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
---
arch/mips/include/asm/syscall.h | 6 ++++--
arch/mips/kernel/ptrace.c | 2 +-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h
index e3e2f76..e7e0210 100644
--- a/arch/mips/include/asm/syscall.h
+++ b/arch/mips/include/asm/syscall.h
@@ -106,11 +106,13 @@ extern const unsigned long sys_call_table[];
extern const unsigned long sys32_call_table[];
extern const unsigned long sysn32_call_table[];
-static inline int __syscall_get_arch(void)
+static inline int syscall_get_arch(struct task_struct *task,
+ struct pt_regs *regs)
{
int arch = EM_MIPS;
#ifdef CONFIG_64BIT
- arch |= __AUDIT_ARCH_64BIT;
+ if (!test_tsk_thread_flag(task, TIF_32BIT_REGS))
+ arch |= __AUDIT_ARCH_64BIT;
#endif
#if defined(__LITTLE_ENDIAN)
arch |= __AUDIT_ARCH_LE;
diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
index 7da9b76..fe5af54 100644
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -677,7 +677,7 @@ asmlinkage void syscall_trace_enter(struct pt_regs *regs)
if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
trace_sys_enter(regs, regs->regs[2]);
- audit_syscall_entry(__syscall_get_arch(),
+ audit_syscall_entry(syscall_get_arch(current, regs),
regs->regs[2],
regs->regs[4], regs->regs[5],
regs->regs[6], regs->regs[7]);
--
1.8.5.3
^ permalink raw reply related [flat|nested] 21+ messages in thread* [PATCH 3/8] MIPS: asm: syscall: Define syscall_get_arch
@ 2014-01-22 14:39 ` Markos Chandras
0 siblings, 0 replies; 21+ messages in thread
From: Markos Chandras @ 2014-01-22 14:39 UTC (permalink / raw)
To: linux-mips; +Cc: Markos Chandras
This effectively renames __syscall_get_arch to syscall_get_arch
and implements a compatible interface for the seccomp API.
The seccomp code (kernel/seccomp.c) expects a syscall_get_arch
function to be defined for every architecture, so we drop
the leading underscores from the existing function.
This also makes use of the 'task' argument to determine the type
the process instead of assuming the process has the same
characteristics as the kernel it's running on.
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
---
arch/mips/include/asm/syscall.h | 6 ++++--
arch/mips/kernel/ptrace.c | 2 +-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h
index e3e2f76..e7e0210 100644
--- a/arch/mips/include/asm/syscall.h
+++ b/arch/mips/include/asm/syscall.h
@@ -106,11 +106,13 @@ extern const unsigned long sys_call_table[];
extern const unsigned long sys32_call_table[];
extern const unsigned long sysn32_call_table[];
-static inline int __syscall_get_arch(void)
+static inline int syscall_get_arch(struct task_struct *task,
+ struct pt_regs *regs)
{
int arch = EM_MIPS;
#ifdef CONFIG_64BIT
- arch |= __AUDIT_ARCH_64BIT;
+ if (!test_tsk_thread_flag(task, TIF_32BIT_REGS))
+ arch |= __AUDIT_ARCH_64BIT;
#endif
#if defined(__LITTLE_ENDIAN)
arch |= __AUDIT_ARCH_LE;
diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
index 7da9b76..fe5af54 100644
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -677,7 +677,7 @@ asmlinkage void syscall_trace_enter(struct pt_regs *regs)
if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
trace_sys_enter(regs, regs->regs[2]);
- audit_syscall_entry(__syscall_get_arch(),
+ audit_syscall_entry(syscall_get_arch(current, regs),
regs->regs[2],
regs->regs[4], regs->regs[5],
regs->regs[6], regs->regs[7]);
--
1.8.5.3
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH 4/8] MIPS: asm: thread_info: Add _TIF_SECCOMP flag
@ 2014-01-22 14:40 ` Markos Chandras
0 siblings, 0 replies; 21+ messages in thread
From: Markos Chandras @ 2014-01-22 14:40 UTC (permalink / raw)
To: linux-mips; +Cc: Markos Chandras
Add _TIF_SECCOMP flag to _TIF_WORK_SYSCALL_ENTRY to indicate
that the system call needs to be checked against a seccomp filter.
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
---
arch/mips/include/asm/thread_info.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h
index 24846f9..e80ae50 100644
--- a/arch/mips/include/asm/thread_info.h
+++ b/arch/mips/include/asm/thread_info.h
@@ -136,7 +136,8 @@ static inline struct thread_info *current_thread_info(void)
#define _TIF_SYSCALL_TRACEPOINT (1<<TIF_SYSCALL_TRACEPOINT)
#define _TIF_WORK_SYSCALL_ENTRY (_TIF_NOHZ | _TIF_SYSCALL_TRACE | \
- _TIF_SYSCALL_AUDIT | _TIF_SYSCALL_TRACEPOINT)
+ _TIF_SYSCALL_AUDIT | \
+ _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
/* work to do in syscall_trace_leave() */
#define _TIF_WORK_SYSCALL_EXIT (_TIF_NOHZ | _TIF_SYSCALL_TRACE | \
--
1.8.5.3
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH 4/8] MIPS: asm: thread_info: Add _TIF_SECCOMP flag
@ 2014-01-22 14:40 ` Markos Chandras
0 siblings, 0 replies; 21+ messages in thread
From: Markos Chandras @ 2014-01-22 14:40 UTC (permalink / raw)
To: linux-mips; +Cc: Markos Chandras
Add _TIF_SECCOMP flag to _TIF_WORK_SYSCALL_ENTRY to indicate
that the system call needs to be checked against a seccomp filter.
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
---
arch/mips/include/asm/thread_info.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h
index 24846f9..e80ae50 100644
--- a/arch/mips/include/asm/thread_info.h
+++ b/arch/mips/include/asm/thread_info.h
@@ -136,7 +136,8 @@ static inline struct thread_info *current_thread_info(void)
#define _TIF_SYSCALL_TRACEPOINT (1<<TIF_SYSCALL_TRACEPOINT)
#define _TIF_WORK_SYSCALL_ENTRY (_TIF_NOHZ | _TIF_SYSCALL_TRACE | \
- _TIF_SYSCALL_AUDIT | _TIF_SYSCALL_TRACEPOINT)
+ _TIF_SYSCALL_AUDIT | \
+ _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
/* work to do in syscall_trace_leave() */
#define _TIF_WORK_SYSCALL_EXIT (_TIF_NOHZ | _TIF_SYSCALL_TRACE | \
--
1.8.5.3
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH 5/8] MIPS: ptrace: Move away from secure_computing_strict
@ 2014-01-22 14:40 ` Markos Chandras
0 siblings, 0 replies; 21+ messages in thread
From: Markos Chandras @ 2014-01-22 14:40 UTC (permalink / raw)
To: linux-mips; +Cc: Markos Chandras
MIPS now has the infrastructure for dynamic seccomp-bpf
filtering
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
---
arch/mips/include/asm/ptrace.h | 2 +-
arch/mips/kernel/ptrace.c | 10 ++++++----
2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/arch/mips/include/asm/ptrace.h b/arch/mips/include/asm/ptrace.h
index 7bba9da..84257df 100644
--- a/arch/mips/include/asm/ptrace.h
+++ b/arch/mips/include/asm/ptrace.h
@@ -82,7 +82,7 @@ static inline long regs_return_value(struct pt_regs *regs)
#define instruction_pointer(regs) ((regs)->cp0_epc)
#define profile_pc(regs) instruction_pointer(regs)
-extern asmlinkage void syscall_trace_enter(struct pt_regs *regs);
+extern asmlinkage long syscall_trace_enter(struct pt_regs *regs);
extern asmlinkage void syscall_trace_leave(struct pt_regs *regs);
extern void die(const char *, struct pt_regs *) __noreturn;
diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
index fe5af54..7f9bcaa 100644
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -662,13 +662,14 @@ long arch_ptrace(struct task_struct *child, long request,
* Notification of system call entry/exit
* - triggered by current->work.syscall_trace
*/
-asmlinkage void syscall_trace_enter(struct pt_regs *regs)
+asmlinkage long syscall_trace_enter(struct pt_regs *regs)
{
+ long syscall = regs->regs[2];
long ret = 0;
user_exit();
- /* do the secure computing check first */
- secure_computing_strict(regs->regs[2]);
+ if (secure_computing(syscall) == -1)
+ return -1;
if (test_thread_flag(TIF_SYSCALL_TRACE) &&
tracehook_report_syscall_entry(regs))
@@ -678,9 +679,10 @@ asmlinkage void syscall_trace_enter(struct pt_regs *regs)
trace_sys_enter(regs, regs->regs[2]);
audit_syscall_entry(syscall_get_arch(current, regs),
- regs->regs[2],
+ syscall,
regs->regs[4], regs->regs[5],
regs->regs[6], regs->regs[7]);
+ return syscall;
}
/*
--
1.8.5.3
^ permalink raw reply related [flat|nested] 21+ messages in thread* [PATCH 5/8] MIPS: ptrace: Move away from secure_computing_strict
@ 2014-01-22 14:40 ` Markos Chandras
0 siblings, 0 replies; 21+ messages in thread
From: Markos Chandras @ 2014-01-22 14:40 UTC (permalink / raw)
To: linux-mips; +Cc: Markos Chandras
MIPS now has the infrastructure for dynamic seccomp-bpf
filtering
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
---
arch/mips/include/asm/ptrace.h | 2 +-
arch/mips/kernel/ptrace.c | 10 ++++++----
2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/arch/mips/include/asm/ptrace.h b/arch/mips/include/asm/ptrace.h
index 7bba9da..84257df 100644
--- a/arch/mips/include/asm/ptrace.h
+++ b/arch/mips/include/asm/ptrace.h
@@ -82,7 +82,7 @@ static inline long regs_return_value(struct pt_regs *regs)
#define instruction_pointer(regs) ((regs)->cp0_epc)
#define profile_pc(regs) instruction_pointer(regs)
-extern asmlinkage void syscall_trace_enter(struct pt_regs *regs);
+extern asmlinkage long syscall_trace_enter(struct pt_regs *regs);
extern asmlinkage void syscall_trace_leave(struct pt_regs *regs);
extern void die(const char *, struct pt_regs *) __noreturn;
diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
index fe5af54..7f9bcaa 100644
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -662,13 +662,14 @@ long arch_ptrace(struct task_struct *child, long request,
* Notification of system call entry/exit
* - triggered by current->work.syscall_trace
*/
-asmlinkage void syscall_trace_enter(struct pt_regs *regs)
+asmlinkage long syscall_trace_enter(struct pt_regs *regs)
{
+ long syscall = regs->regs[2];
long ret = 0;
user_exit();
- /* do the secure computing check first */
- secure_computing_strict(regs->regs[2]);
+ if (secure_computing(syscall) == -1)
+ return -1;
if (test_thread_flag(TIF_SYSCALL_TRACE) &&
tracehook_report_syscall_entry(regs))
@@ -678,9 +679,10 @@ asmlinkage void syscall_trace_enter(struct pt_regs *regs)
trace_sys_enter(regs, regs->regs[2]);
audit_syscall_entry(syscall_get_arch(current, regs),
- regs->regs[2],
+ syscall,
regs->regs[4], regs->regs[5],
regs->regs[6], regs->regs[7]);
+ return syscall;
}
/*
--
1.8.5.3
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH 6/8] MIPS: kernel: scalls: Skip the syscall if denied by the seccomp filter
@ 2014-01-22 14:40 ` Markos Chandras
0 siblings, 0 replies; 21+ messages in thread
From: Markos Chandras @ 2014-01-22 14:40 UTC (permalink / raw)
To: linux-mips; +Cc: Markos Chandras
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
---
arch/mips/kernel/scall32-o32.S | 4 +++-
arch/mips/kernel/scall64-64.S | 4 +++-
arch/mips/kernel/scall64-n32.S | 4 +++-
arch/mips/kernel/scall64-o32.S | 4 +++-
4 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S
index e8e541b..ce6a1cc 100644
--- a/arch/mips/kernel/scall32-o32.S
+++ b/arch/mips/kernel/scall32-o32.S
@@ -120,6 +120,8 @@ syscall_trace_entry:
move a0, sp
jal syscall_trace_enter
+ bltz v0, 2f # seccomp failed? Skip syscall
+
move t0, s0
RESTORE_STATIC
lw a0, PT_R4(sp) # Restore argument registers
@@ -138,7 +140,7 @@ syscall_trace_entry:
sw t1, PT_R0(sp) # save it for syscall restarting
1: sw v0, PT_R2(sp) # result
- j syscall_exit
+2: j syscall_exit
/* ------------------------------------------------------------------------ */
diff --git a/arch/mips/kernel/scall64-64.S b/arch/mips/kernel/scall64-64.S
index 57e3742..88372a1 100644
--- a/arch/mips/kernel/scall64-64.S
+++ b/arch/mips/kernel/scall64-64.S
@@ -82,6 +82,8 @@ syscall_trace_entry:
move a0, sp
jal syscall_trace_enter
+ bltz v0, 2f # seccomp failed? Skip syscall
+
move t0, s0
RESTORE_STATIC
ld a0, PT_R4(sp) # Restore argument registers
@@ -102,7 +104,7 @@ syscall_trace_entry:
sd t1, PT_R0(sp) # save it for syscall restarting
1: sd v0, PT_R2(sp) # result
- j syscall_exit
+2: j syscall_exit
illegal_syscall:
/* This also isn't a 64-bit syscall, throw an error. */
diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S
index 2f48f59..d79d880 100644
--- a/arch/mips/kernel/scall64-n32.S
+++ b/arch/mips/kernel/scall64-n32.S
@@ -74,6 +74,8 @@ n32_syscall_trace_entry:
move a0, sp
jal syscall_trace_enter
+ bltz v0, 2f # seccomp failed? Skip syscall
+
move t0, s0
RESTORE_STATIC
ld a0, PT_R4(sp) # Restore argument registers
@@ -94,7 +96,7 @@ n32_syscall_trace_entry:
sd t1, PT_R0(sp) # save it for syscall restarting
1: sd v0, PT_R2(sp) # result
- j syscall_exit
+2: j syscall_exit
not_n32_scall:
/* This is not an n32 compatibility syscall, pass it on to
diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
index f1acdb4..375a72b 100644
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -114,6 +114,8 @@ trace_a_syscall:
move a0, sp
jal syscall_trace_enter
+ bltz v0, 2f # seccomp failed? Skip syscall
+
move t0, s0
RESTORE_STATIC
ld a0, PT_R4(sp) # Restore argument registers
@@ -136,7 +138,7 @@ trace_a_syscall:
sd t1, PT_R0(sp) # save it for syscall restarting
1: sd v0, PT_R2(sp) # result
- j syscall_exit
+2: j syscall_exit
/* ------------------------------------------------------------------------ */
--
1.8.5.3
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH 6/8] MIPS: kernel: scalls: Skip the syscall if denied by the seccomp filter
@ 2014-01-22 14:40 ` Markos Chandras
0 siblings, 0 replies; 21+ messages in thread
From: Markos Chandras @ 2014-01-22 14:40 UTC (permalink / raw)
To: linux-mips; +Cc: Markos Chandras
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
---
arch/mips/kernel/scall32-o32.S | 4 +++-
arch/mips/kernel/scall64-64.S | 4 +++-
arch/mips/kernel/scall64-n32.S | 4 +++-
arch/mips/kernel/scall64-o32.S | 4 +++-
4 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S
index e8e541b..ce6a1cc 100644
--- a/arch/mips/kernel/scall32-o32.S
+++ b/arch/mips/kernel/scall32-o32.S
@@ -120,6 +120,8 @@ syscall_trace_entry:
move a0, sp
jal syscall_trace_enter
+ bltz v0, 2f # seccomp failed? Skip syscall
+
move t0, s0
RESTORE_STATIC
lw a0, PT_R4(sp) # Restore argument registers
@@ -138,7 +140,7 @@ syscall_trace_entry:
sw t1, PT_R0(sp) # save it for syscall restarting
1: sw v0, PT_R2(sp) # result
- j syscall_exit
+2: j syscall_exit
/* ------------------------------------------------------------------------ */
diff --git a/arch/mips/kernel/scall64-64.S b/arch/mips/kernel/scall64-64.S
index 57e3742..88372a1 100644
--- a/arch/mips/kernel/scall64-64.S
+++ b/arch/mips/kernel/scall64-64.S
@@ -82,6 +82,8 @@ syscall_trace_entry:
move a0, sp
jal syscall_trace_enter
+ bltz v0, 2f # seccomp failed? Skip syscall
+
move t0, s0
RESTORE_STATIC
ld a0, PT_R4(sp) # Restore argument registers
@@ -102,7 +104,7 @@ syscall_trace_entry:
sd t1, PT_R0(sp) # save it for syscall restarting
1: sd v0, PT_R2(sp) # result
- j syscall_exit
+2: j syscall_exit
illegal_syscall:
/* This also isn't a 64-bit syscall, throw an error. */
diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S
index 2f48f59..d79d880 100644
--- a/arch/mips/kernel/scall64-n32.S
+++ b/arch/mips/kernel/scall64-n32.S
@@ -74,6 +74,8 @@ n32_syscall_trace_entry:
move a0, sp
jal syscall_trace_enter
+ bltz v0, 2f # seccomp failed? Skip syscall
+
move t0, s0
RESTORE_STATIC
ld a0, PT_R4(sp) # Restore argument registers
@@ -94,7 +96,7 @@ n32_syscall_trace_entry:
sd t1, PT_R0(sp) # save it for syscall restarting
1: sd v0, PT_R2(sp) # result
- j syscall_exit
+2: j syscall_exit
not_n32_scall:
/* This is not an n32 compatibility syscall, pass it on to
diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
index f1acdb4..375a72b 100644
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -114,6 +114,8 @@ trace_a_syscall:
move a0, sp
jal syscall_trace_enter
+ bltz v0, 2f # seccomp failed? Skip syscall
+
move t0, s0
RESTORE_STATIC
ld a0, PT_R4(sp) # Restore argument registers
@@ -136,7 +138,7 @@ trace_a_syscall:
sd t1, PT_R0(sp) # save it for syscall restarting
1: sd v0, PT_R2(sp) # result
- j syscall_exit
+2: j syscall_exit
/* ------------------------------------------------------------------------ */
--
1.8.5.3
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH 7/8] MIPS: seccomp: Handle indirect system calls (o32)
@ 2014-01-22 14:40 ` Markos Chandras
0 siblings, 0 replies; 21+ messages in thread
From: Markos Chandras @ 2014-01-22 14:40 UTC (permalink / raw)
To: linux-mips; +Cc: Markos Chandras
When userland uses syscall() to perform an indirect system call
the actually system call that needs to be checked by the filter
is on the first argument. The kernel code needs to handle this case
by looking at the original syscall number in v0 and if it's
NR_syscall, then it needs to examine the first argument to
identify the real system call that will be executed.
Similarly, we need to 'virtually' shift the syscall() arguments
so the syscall_get_arguments() function can fetch the correct
arguments for the indirect system call.
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
---
arch/mips/include/asm/ptrace.h | 2 +-
arch/mips/include/asm/syscall.h | 20 +++++++++++++++++++-
arch/mips/kernel/ptrace.c | 3 +--
arch/mips/kernel/scall32-o32.S | 11 ++++++++++-
arch/mips/kernel/scall64-64.S | 1 +
arch/mips/kernel/scall64-n32.S | 1 +
arch/mips/kernel/scall64-o32.S | 13 ++++++++++++-
7 files changed, 45 insertions(+), 6 deletions(-)
diff --git a/arch/mips/include/asm/ptrace.h b/arch/mips/include/asm/ptrace.h
index 84257df..bf1ac8d3 100644
--- a/arch/mips/include/asm/ptrace.h
+++ b/arch/mips/include/asm/ptrace.h
@@ -82,7 +82,7 @@ static inline long regs_return_value(struct pt_regs *regs)
#define instruction_pointer(regs) ((regs)->cp0_epc)
#define profile_pc(regs) instruction_pointer(regs)
-extern asmlinkage long syscall_trace_enter(struct pt_regs *regs);
+extern asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall);
extern asmlinkage void syscall_trace_leave(struct pt_regs *regs);
extern void die(const char *, struct pt_regs *) __noreturn;
diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h
index e7e0210..3073978 100644
--- a/arch/mips/include/asm/syscall.h
+++ b/arch/mips/include/asm/syscall.h
@@ -19,11 +19,22 @@
#include <linux/sched.h>
#include <linux/uaccess.h>
#include <asm/ptrace.h>
+#include <asm/unistd.h>
+
+#ifndef __NR_syscall /* Only defined if _MIPS_SIM == _MIPS_SIM_ABI32 */
+#define __NR_syscall 4000
+#endif
static inline long syscall_get_nr(struct task_struct *task,
struct pt_regs *regs)
{
- return regs->regs[2];
+ /* O32 ABI syscall() - Either 64-bit with O32 or 32-bit */
+ if ((config_enabled(CONFIG_32BIT) ||
+ test_tsk_thread_flag(task, TIF_32BIT_REGS)) &&
+ (regs->regs[2] == __NR_syscall))
+ return regs->regs[4];
+ else
+ return regs->regs[2];
}
static inline unsigned long mips_get_syscall_arg(unsigned long *arg,
@@ -90,6 +101,13 @@ static inline void syscall_get_arguments(struct task_struct *task,
unsigned long *args)
{
int ret;
+ /* O32 ABI syscall() - Either 64-bit with O32 or 32-bit */
+ if ((config_enabled(CONFIG_32BIT) ||
+ test_tsk_thread_flag(task, TIF_32BIT_REGS)) &&
+ (regs->regs[2] == __NR_syscall)) {
+ i++;
+ n++;
+ }
while (n--)
ret |= mips_get_syscall_arg(args++, task, regs, i++);
diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
index 7f9bcaa..a17a702 100644
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -662,9 +662,8 @@ long arch_ptrace(struct task_struct *child, long request,
* Notification of system call entry/exit
* - triggered by current->work.syscall_trace
*/
-asmlinkage long syscall_trace_enter(struct pt_regs *regs)
+asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall)
{
- long syscall = regs->regs[2];
long ret = 0;
user_exit();
diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S
index ce6a1cc..0b1d70e 100644
--- a/arch/mips/kernel/scall32-o32.S
+++ b/arch/mips/kernel/scall32-o32.S
@@ -118,7 +118,16 @@ syscall_trace_entry:
SAVE_STATIC
move s0, t2
move a0, sp
- jal syscall_trace_enter
+
+ /*
+ * syscall number is in v0 unless we called syscall(__NR_###)
+ * where the real syscall number is in a0
+ */
+ addiu a1, v0, __NR_O32_Linux
+ bnez v0, 1f /* __NR_syscall at offset 0 */
+ lw a1, PT_R4(sp)
+
+1: jal syscall_trace_enter
bltz v0, 2f # seccomp failed? Skip syscall
diff --git a/arch/mips/kernel/scall64-64.S b/arch/mips/kernel/scall64-64.S
index 88372a1..3d59f12 100644
--- a/arch/mips/kernel/scall64-64.S
+++ b/arch/mips/kernel/scall64-64.S
@@ -80,6 +80,7 @@ syscall_trace_entry:
SAVE_STATIC
move s0, t2
move a0, sp
+ daddiu a1, v0, __NR_64_Linux
jal syscall_trace_enter
bltz v0, 2f # seccomp failed? Skip syscall
diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S
index d79d880..1dd21e5 100644
--- a/arch/mips/kernel/scall64-n32.S
+++ b/arch/mips/kernel/scall64-n32.S
@@ -72,6 +72,7 @@ n32_syscall_trace_entry:
SAVE_STATIC
move s0, t2
move a0, sp
+ daddiu a1, v0, __NR_N32_Linux
jal syscall_trace_enter
bltz v0, 2f # seccomp failed? Skip syscall
diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
index 375a72b..4405f5a 100644
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -112,7 +112,18 @@ trace_a_syscall:
move s0, t2 # Save syscall pointer
move a0, sp
- jal syscall_trace_enter
+ /*
+ * syscall number is in v0 unless we called syscall(__NR_###)
+ * where the real syscall number is in a0
+ * note: NR_syscall is the first O32 syscall but the macro is
+ * only defined when compiling with -mabi=32 (CONFIG_32BIT)
+ * therefore __NR_O32_Linux is used (4000)
+ */
+ addiu a1, v0, __NR_O32_Linux
+ bnez v0, 1f /* __NR_syscall at offset 0 */
+ lw a1, PT_R4(sp)
+
+1: jal syscall_trace_enter
bltz v0, 2f # seccomp failed? Skip syscall
--
1.8.5.3
^ permalink raw reply related [flat|nested] 21+ messages in thread* [PATCH 7/8] MIPS: seccomp: Handle indirect system calls (o32)
@ 2014-01-22 14:40 ` Markos Chandras
0 siblings, 0 replies; 21+ messages in thread
From: Markos Chandras @ 2014-01-22 14:40 UTC (permalink / raw)
To: linux-mips; +Cc: Markos Chandras
When userland uses syscall() to perform an indirect system call
the actually system call that needs to be checked by the filter
is on the first argument. The kernel code needs to handle this case
by looking at the original syscall number in v0 and if it's
NR_syscall, then it needs to examine the first argument to
identify the real system call that will be executed.
Similarly, we need to 'virtually' shift the syscall() arguments
so the syscall_get_arguments() function can fetch the correct
arguments for the indirect system call.
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
---
arch/mips/include/asm/ptrace.h | 2 +-
arch/mips/include/asm/syscall.h | 20 +++++++++++++++++++-
arch/mips/kernel/ptrace.c | 3 +--
arch/mips/kernel/scall32-o32.S | 11 ++++++++++-
arch/mips/kernel/scall64-64.S | 1 +
arch/mips/kernel/scall64-n32.S | 1 +
arch/mips/kernel/scall64-o32.S | 13 ++++++++++++-
7 files changed, 45 insertions(+), 6 deletions(-)
diff --git a/arch/mips/include/asm/ptrace.h b/arch/mips/include/asm/ptrace.h
index 84257df..bf1ac8d3 100644
--- a/arch/mips/include/asm/ptrace.h
+++ b/arch/mips/include/asm/ptrace.h
@@ -82,7 +82,7 @@ static inline long regs_return_value(struct pt_regs *regs)
#define instruction_pointer(regs) ((regs)->cp0_epc)
#define profile_pc(regs) instruction_pointer(regs)
-extern asmlinkage long syscall_trace_enter(struct pt_regs *regs);
+extern asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall);
extern asmlinkage void syscall_trace_leave(struct pt_regs *regs);
extern void die(const char *, struct pt_regs *) __noreturn;
diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h
index e7e0210..3073978 100644
--- a/arch/mips/include/asm/syscall.h
+++ b/arch/mips/include/asm/syscall.h
@@ -19,11 +19,22 @@
#include <linux/sched.h>
#include <linux/uaccess.h>
#include <asm/ptrace.h>
+#include <asm/unistd.h>
+
+#ifndef __NR_syscall /* Only defined if _MIPS_SIM == _MIPS_SIM_ABI32 */
+#define __NR_syscall 4000
+#endif
static inline long syscall_get_nr(struct task_struct *task,
struct pt_regs *regs)
{
- return regs->regs[2];
+ /* O32 ABI syscall() - Either 64-bit with O32 or 32-bit */
+ if ((config_enabled(CONFIG_32BIT) ||
+ test_tsk_thread_flag(task, TIF_32BIT_REGS)) &&
+ (regs->regs[2] == __NR_syscall))
+ return regs->regs[4];
+ else
+ return regs->regs[2];
}
static inline unsigned long mips_get_syscall_arg(unsigned long *arg,
@@ -90,6 +101,13 @@ static inline void syscall_get_arguments(struct task_struct *task,
unsigned long *args)
{
int ret;
+ /* O32 ABI syscall() - Either 64-bit with O32 or 32-bit */
+ if ((config_enabled(CONFIG_32BIT) ||
+ test_tsk_thread_flag(task, TIF_32BIT_REGS)) &&
+ (regs->regs[2] == __NR_syscall)) {
+ i++;
+ n++;
+ }
while (n--)
ret |= mips_get_syscall_arg(args++, task, regs, i++);
diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
index 7f9bcaa..a17a702 100644
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -662,9 +662,8 @@ long arch_ptrace(struct task_struct *child, long request,
* Notification of system call entry/exit
* - triggered by current->work.syscall_trace
*/
-asmlinkage long syscall_trace_enter(struct pt_regs *regs)
+asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall)
{
- long syscall = regs->regs[2];
long ret = 0;
user_exit();
diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S
index ce6a1cc..0b1d70e 100644
--- a/arch/mips/kernel/scall32-o32.S
+++ b/arch/mips/kernel/scall32-o32.S
@@ -118,7 +118,16 @@ syscall_trace_entry:
SAVE_STATIC
move s0, t2
move a0, sp
- jal syscall_trace_enter
+
+ /*
+ * syscall number is in v0 unless we called syscall(__NR_###)
+ * where the real syscall number is in a0
+ */
+ addiu a1, v0, __NR_O32_Linux
+ bnez v0, 1f /* __NR_syscall at offset 0 */
+ lw a1, PT_R4(sp)
+
+1: jal syscall_trace_enter
bltz v0, 2f # seccomp failed? Skip syscall
diff --git a/arch/mips/kernel/scall64-64.S b/arch/mips/kernel/scall64-64.S
index 88372a1..3d59f12 100644
--- a/arch/mips/kernel/scall64-64.S
+++ b/arch/mips/kernel/scall64-64.S
@@ -80,6 +80,7 @@ syscall_trace_entry:
SAVE_STATIC
move s0, t2
move a0, sp
+ daddiu a1, v0, __NR_64_Linux
jal syscall_trace_enter
bltz v0, 2f # seccomp failed? Skip syscall
diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S
index d79d880..1dd21e5 100644
--- a/arch/mips/kernel/scall64-n32.S
+++ b/arch/mips/kernel/scall64-n32.S
@@ -72,6 +72,7 @@ n32_syscall_trace_entry:
SAVE_STATIC
move s0, t2
move a0, sp
+ daddiu a1, v0, __NR_N32_Linux
jal syscall_trace_enter
bltz v0, 2f # seccomp failed? Skip syscall
diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
index 375a72b..4405f5a 100644
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -112,7 +112,18 @@ trace_a_syscall:
move s0, t2 # Save syscall pointer
move a0, sp
- jal syscall_trace_enter
+ /*
+ * syscall number is in v0 unless we called syscall(__NR_###)
+ * where the real syscall number is in a0
+ * note: NR_syscall is the first O32 syscall but the macro is
+ * only defined when compiling with -mabi=32 (CONFIG_32BIT)
+ * therefore __NR_O32_Linux is used (4000)
+ */
+ addiu a1, v0, __NR_O32_Linux
+ bnez v0, 1f /* __NR_syscall at offset 0 */
+ lw a1, PT_R4(sp)
+
+1: jal syscall_trace_enter
bltz v0, 2f # seccomp failed? Skip syscall
--
1.8.5.3
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH 8/8] MIPS: Select HAVE_ARCH_SECCOMP_FILTER
@ 2014-01-22 14:40 ` Markos Chandras
0 siblings, 0 replies; 21+ messages in thread
From: Markos Chandras @ 2014-01-22 14:40 UTC (permalink / raw)
To: linux-mips; +Cc: Markos Chandras
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
---
arch/mips/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
index f4c78c9..f1fac99 100644
--- a/arch/mips/Kconfig
+++ b/arch/mips/Kconfig
@@ -9,6 +9,7 @@ config MIPS
select HAVE_PERF_EVENTS
select PERF_USE_VMALLOC
select HAVE_ARCH_KGDB
+ select HAVE_ARCH_SECCOMP_FILTER
select HAVE_ARCH_TRACEHOOK
select ARCH_HAVE_CUSTOM_GPIO_H
select HAVE_FUNCTION_TRACER
--
1.8.5.3
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH 8/8] MIPS: Select HAVE_ARCH_SECCOMP_FILTER
@ 2014-01-22 14:40 ` Markos Chandras
0 siblings, 0 replies; 21+ messages in thread
From: Markos Chandras @ 2014-01-22 14:40 UTC (permalink / raw)
To: linux-mips; +Cc: Markos Chandras
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
---
arch/mips/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
index f4c78c9..f1fac99 100644
--- a/arch/mips/Kconfig
+++ b/arch/mips/Kconfig
@@ -9,6 +9,7 @@ config MIPS
select HAVE_PERF_EVENTS
select PERF_USE_VMALLOC
select HAVE_ARCH_KGDB
+ select HAVE_ARCH_SECCOMP_FILTER
select HAVE_ARCH_TRACEHOOK
select ARCH_HAVE_CUSTOM_GPIO_H
select HAVE_FUNCTION_TRACER
--
1.8.5.3
^ permalink raw reply related [flat|nested] 21+ messages in thread
* Re: [PATCH 0/8] Improved seccomp-bpf support for MIPS
2014-01-22 14:39 ` Markos Chandras
` (8 preceding siblings ...)
(?)
@ 2014-02-12 0:58 ` Paul Gortmaker
2014-02-12 9:39 ` Markos Chandras
-1 siblings, 1 reply; 21+ messages in thread
From: Paul Gortmaker @ 2014-02-12 0:58 UTC (permalink / raw)
To: Markos Chandras; +Cc: linux-mips@linux-mips.org, linux-next@vger.kernel.org
On Wed, Jan 22, 2014 at 9:39 AM, Markos Chandras
<markos.chandras@imgtec.com> wrote:
> Hi,
>
> This patch improves the existing seccomp-bpf support for MIPS.
> It fixes a bug when copying system call arguments for the filter
> checks and it also moves away from strict filtering to actually
> use the filter supplied by the userspace process.
Hi all,
It seems this causes a build fail on linux-next allmodconfig. I left
a mindless "git bisect run .." go against it and it came up with:
----------------------------
make[2]: *** [samples/seccomp/bpf-direct.o] Error 1
make[1]: *** [samples/seccomp] Error 2
make[1]: *** Waiting for unfinished jobs....
make: *** [vmlinux] Error 2
5c5df77172430c6377ec3434ce62f2b14a6799fc is the first bad commit
commit 5c5df77172430c6377ec3434ce62f2b14a6799fc
Author: Markos Chandras <markos.chandras@imgtec.com>
Date: Wed Jan 22 14:40:04 2014 +0000
MIPS: Select HAVE_ARCH_SECCOMP_FILTER
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/6401/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
---------------------
The original linux-next fail is at:
http://kisskb.ellerman.id.au/kisskb/buildresult/10601740/
Paul.
--
>
> This patchset has been tested with libseccomp
> (MIPS support not upstream yet) on mips, mipsel and mips64
> and with Chromium test suite (MIPS support not upstream yet)
> on mipsel.
>
> This patchset is based on the upstream-sfr/mips-for-linux-next tree.
>
> Markos Chandras (8):
> MIPS: asm: syscall: Fix copying system call arguments
> MIPS: asm: syscall: Add the syscall_rollback function
> MIPS: asm: syscall: Define syscall_get_arch
> MIPS: asm: thread_info: Add _TIF_SECCOMP flag
> MIPS: ptrace: Move away from secure_computing_strict
> MIPS: kernel: scalls: Skip the syscall if denied by the seccomp filter
> MIPS: seccomp: Handle indirect system calls (o32)
> MIPS: Select HAVE_ARCH_SECCOMP_FILTER
>
> arch/mips/Kconfig | 1 +
> arch/mips/include/asm/ptrace.h | 2 +-
> arch/mips/include/asm/syscall.h | 35 ++++++++++++++++++++++++++++++-----
> arch/mips/include/asm/thread_info.h | 3 ++-
> arch/mips/kernel/ptrace.c | 11 ++++++-----
> arch/mips/kernel/scall32-o32.S | 15 +++++++++++++--
> arch/mips/kernel/scall64-64.S | 5 ++++-
> arch/mips/kernel/scall64-n32.S | 5 ++++-
> arch/mips/kernel/scall64-o32.S | 17 +++++++++++++++--
> 9 files changed, 76 insertions(+), 18 deletions(-)
>
> --
> 1.8.5.3
>
>
>--
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: [PATCH 0/8] Improved seccomp-bpf support for MIPS
2014-02-12 0:58 ` [PATCH 0/8] Improved seccomp-bpf support for MIPS Paul Gortmaker
@ 2014-02-12 9:39 ` Markos Chandras
2014-02-12 15:31 ` Paul Gortmaker
0 siblings, 1 reply; 21+ messages in thread
From: Markos Chandras @ 2014-02-12 9:39 UTC (permalink / raw)
To: Paul Gortmaker; +Cc: linux-mips@linux-mips.org, linux-next@vger.kernel.org
On 02/12/2014 12:58 AM, Paul Gortmaker wrote:
> On Wed, Jan 22, 2014 at 9:39 AM, Markos Chandras
> <markos.chandras@imgtec.com> wrote:
>> Hi,
>>
>> This patch improves the existing seccomp-bpf support for MIPS.
>> It fixes a bug when copying system call arguments for the filter
>> checks and it also moves away from strict filtering to actually
>> use the filter supplied by the userspace process.
>
> Hi all,
>
> It seems this causes a build fail on linux-next allmodconfig. I left
> a mindless "git bisect run .." go against it and it came up with:
> ----------------------------
> make[2]: *** [samples/seccomp/bpf-direct.o] Error 1
> make[1]: *** [samples/seccomp] Error 2
> make[1]: *** Waiting for unfinished jobs....
> make: *** [vmlinux] Error 2
> 5c5df77172430c6377ec3434ce62f2b14a6799fc is the first bad commit
> commit 5c5df77172430c6377ec3434ce62f2b14a6799fc
> Author: Markos Chandras <markos.chandras@imgtec.com>
> Date: Wed Jan 22 14:40:04 2014 +0000
>
> MIPS: Select HAVE_ARCH_SECCOMP_FILTER
>
> Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
> Reviewed-by: James Hogan <james.hogan@imgtec.com>
> Reviewed-by: Paul Burton <paul.burton@imgtec.com>
> Cc: linux-mips@linux-mips.org
> Patchwork: https://patchwork.linux-mips.org/patch/6401/
> Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
> ---------------------
>
> The original linux-next fail is at:
>
> http://kisskb.ellerman.id.au/kisskb/buildresult/10601740/
>
> Paul.
Hi Paul,
I don't think this is caused by my patch. My patch just exposed it. To
my understanding, the samples/seccomp are not meant to be
cross-compiled. The tests use the host toolchain. However, when
cross-compiling for MIPS, for example, __NR_write is only defined if
1) _MIPS_SIM == _MIPS_SIM_ABI64
2) _MIPS_SIM == _MIPS_SIM_ABI32
3) _MIPS_SIM == _MIPS_SIM_NABI32
which clearly makes no sense for the x86_64 toolchain. I would propose a
fix like this in order to prevent test from being cross-compiled.
diff --git a/samples/seccomp/Makefile b/samples/seccomp/Makefile
index 7203e66..f3a018e 100644
--- a/samples/seccomp/Makefile
+++ b/samples/seccomp/Makefile
@@ -17,9 +17,9 @@ HOSTCFLAGS_bpf-direct.o += -I$(objtree)/usr/include
HOSTCFLAGS_bpf-direct.o += -idirafter $(objtree)/include
bpf-direct-objs := bpf-direct.o
+ifndef CROSS_COMPILE
# Try to match the kernel target.
ifndef CONFIG_64BIT
-ifndef CROSS_COMPILE
# s390 has -m31 flag to build 31 bit binaries
ifndef CONFIG_S390
@@ -36,7 +36,7 @@ HOSTLOADLIBES_bpf-direct += $(MFLAG)
HOSTLOADLIBES_bpf-fancy += $(MFLAG)
HOSTLOADLIBES_dropper += $(MFLAG)
endif
-endif
# Tell kbuild to always build the programs
always := $(hostprogs-y)
+endif
--
markos
^ permalink raw reply related [flat|nested] 21+ messages in thread
* Re: [PATCH 0/8] Improved seccomp-bpf support for MIPS
2014-02-12 9:39 ` Markos Chandras
@ 2014-02-12 15:31 ` Paul Gortmaker
0 siblings, 0 replies; 21+ messages in thread
From: Paul Gortmaker @ 2014-02-12 15:31 UTC (permalink / raw)
To: Markos Chandras; +Cc: linux-mips@linux-mips.org, linux-next@vger.kernel.org
On 14-02-12 04:39 AM, Markos Chandras wrote:
> On 02/12/2014 12:58 AM, Paul Gortmaker wrote:
>> On Wed, Jan 22, 2014 at 9:39 AM, Markos Chandras
>> <markos.chandras@imgtec.com> wrote:
>>> Hi,
>>>
>>> This patch improves the existing seccomp-bpf support for MIPS.
>>> It fixes a bug when copying system call arguments for the filter
>>> checks and it also moves away from strict filtering to actually
>>> use the filter supplied by the userspace process.
>>
>> Hi all,
>>
>> It seems this causes a build fail on linux-next allmodconfig. I left
>> a mindless "git bisect run .." go against it and it came up with:
>> ----------------------------
>> make[2]: *** [samples/seccomp/bpf-direct.o] Error 1
>> make[1]: *** [samples/seccomp] Error 2
>> make[1]: *** Waiting for unfinished jobs....
>> make: *** [vmlinux] Error 2
>> 5c5df77172430c6377ec3434ce62f2b14a6799fc is the first bad commit
>> commit 5c5df77172430c6377ec3434ce62f2b14a6799fc
>> Author: Markos Chandras <markos.chandras@imgtec.com>
>> Date: Wed Jan 22 14:40:04 2014 +0000
>>
>> MIPS: Select HAVE_ARCH_SECCOMP_FILTER
>>
>> Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
>> Reviewed-by: James Hogan <james.hogan@imgtec.com>
>> Reviewed-by: Paul Burton <paul.burton@imgtec.com>
>> Cc: linux-mips@linux-mips.org
>> Patchwork: https://patchwork.linux-mips.org/patch/6401/
>> Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
>> ---------------------
>>
>> The original linux-next fail is at:
>>
>> http://kisskb.ellerman.id.au/kisskb/buildresult/10601740/
>>
>> Paul.
>
> Hi Paul,
>
> I don't think this is caused by my patch. My patch just exposed it. To
Ha, well that is one and the same thing for all intents and purposes.
Would you please formalize your patch below and put it in your
queue, in advance of the patch(es) that cause/trigger the breakage?
That way we won't be introducing a build bisection failure into the
permanent git history.
Thanks,
Paul.
--
> my understanding, the samples/seccomp are not meant to be
> cross-compiled. The tests use the host toolchain. However, when
> cross-compiling for MIPS, for example, __NR_write is only defined if
>
> 1) _MIPS_SIM == _MIPS_SIM_ABI64
> 2) _MIPS_SIM == _MIPS_SIM_ABI32
> 3) _MIPS_SIM == _MIPS_SIM_NABI32
>
> which clearly makes no sense for the x86_64 toolchain. I would propose a
> fix like this in order to prevent test from being cross-compiled.
>
> diff --git a/samples/seccomp/Makefile b/samples/seccomp/Makefile
> index 7203e66..f3a018e 100644
> --- a/samples/seccomp/Makefile
> +++ b/samples/seccomp/Makefile
> @@ -17,9 +17,9 @@ HOSTCFLAGS_bpf-direct.o += -I$(objtree)/usr/include
> HOSTCFLAGS_bpf-direct.o += -idirafter $(objtree)/include
> bpf-direct-objs := bpf-direct.o
>
> +ifndef CROSS_COMPILE
> # Try to match the kernel target.
> ifndef CONFIG_64BIT
> -ifndef CROSS_COMPILE
>
> # s390 has -m31 flag to build 31 bit binaries
> ifndef CONFIG_S390
> @@ -36,7 +36,7 @@ HOSTLOADLIBES_bpf-direct += $(MFLAG)
> HOSTLOADLIBES_bpf-fancy += $(MFLAG)
> HOSTLOADLIBES_dropper += $(MFLAG)
> endif
> -endif
>
> # Tell kbuild to always build the programs
> always := $(hostprogs-y)
> +endif
>
>
^ permalink raw reply [flat|nested] 21+ messages in thread