From: Mike Strosaker <strosake@linux.vnet.ibm.com>
To: Bogdan Purcareata <bogdan.purcareata@freescale.com>,
benh@kernel.crashing.org, paulus@samba.org,
linuxppc-dev@lists.ozlabs.org, mpe@ellerman.id.au
Cc: pmoore@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3 1/3] powerpc: Don't force ENOSYS as error on syscall fail
Date: Tue, 17 Feb 2015 21:01:19 -0600 [thread overview]
Message-ID: <54E4007F.5080603@linux.vnet.ibm.com> (raw)
In-Reply-To: <1423815752-3013-2-git-send-email-bogdan.purcareata@freescale.com>
This patch failed to build using pseries_le_defconfig. With the change
noted below in entry_64.S, the build succeeded and seccomp mode 2 worked
correctly.
Best,
Mike Strosaker
On 02/13/2015 02:22 AM, Bogdan Purcareata wrote:
> In certain scenarios - e.g. seccomp filtering with ERRNO as default action -
> the system call fails for other reasons than the syscall not being available.
> The seccomp filter can be configured to store a user-defined error code on
> return from a blacklisted syscall. Don't always set ENOSYS on
> do_syscall_trace_enter failure.
>
> Delegate setting ENOSYS in case of failure, where appropriate, to
> do_syscall_trace_enter.
>
> v3:
> - keep setting ENOSYS in the syscall entry assembly for scenarios without
> syscall tracing
>
> v2:
> - move setting ENOSYS as errno from the syscall entry assembly to
> do_syscall_trace_enter, only in the specific case
>
> Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
> ---
> arch/powerpc/kernel/entry_32.S | 7 ++++++-
> arch/powerpc/kernel/entry_64.S | 5 +++--
> arch/powerpc/kernel/ptrace.c | 4 +++-
> 3 files changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/arch/powerpc/kernel/entry_32.S b/arch/powerpc/kernel/entry_32.S
> index 46fc0f4..b2f88cd 100644
> --- a/arch/powerpc/kernel/entry_32.S
> +++ b/arch/powerpc/kernel/entry_32.S
> @@ -333,12 +333,12 @@ _GLOBAL(DoSyscall)
> lwz r11,TI_FLAGS(r10)
> andi. r11,r11,_TIF_SYSCALL_DOTRACE
> bne- syscall_dotrace
> -syscall_dotrace_cont:
> cmplwi 0,r0,NR_syscalls
> lis r10,sys_call_table@h
> ori r10,r10,sys_call_table@l
> slwi r0,r0,2
> bge- 66f
> +syscall_dotrace_cont:
> lwzx r10,r10,r0 /* Fetch system call handler [ptr] */
> mtlr r10
> addi r9,r1,STACK_FRAME_OVERHEAD
> @@ -457,6 +457,11 @@ syscall_dotrace:
> lwz r7,GPR7(r1)
> lwz r8,GPR8(r1)
> REST_NVGPRS(r1)
> + cmplwi 0,r0,NR_syscalls
> + lis r10,sys_call_table@h
> + ori r10,r10,sys_call_table@l
> + slwi r0,r0,2
> + bge- ret_from_syscall
> b syscall_dotrace_cont
>
> syscall_exit_work:
> diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S
> index d180caf2..0d22fa8 100644
> --- a/arch/powerpc/kernel/entry_64.S
> +++ b/arch/powerpc/kernel/entry_64.S
> @@ -144,7 +144,6 @@ END_FW_FTR_SECTION_IFSET(FW_FEATURE_SPLPAR)
> ld r10,TI_FLAGS(r11)
> andi. r11,r10,_TIF_SYSCALL_DOTRACE
> bne syscall_dotrace
> -.Lsyscall_dotrace_cont:
> cmpldi 0,r0,NR_syscalls
> bge- syscall_enosys
>
> @@ -253,7 +252,9 @@ syscall_dotrace:
> addi r9,r1,STACK_FRAME_OVERHEAD
> CURRENT_THREAD_INFO(r10, r1)
> ld r10,TI_FLAGS(r10)
> - b .Lsyscall_dotrace_cont
> + cmpldi 0,r0,NR_syscalls
> + bge- syscall_exit
Shouldn't this be .Lsyscall_exit?
> + b system_call
>
> syscall_enosys:
> li r3,-ENOSYS
> diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c
> index f21897b..2edae06 100644
> --- a/arch/powerpc/kernel/ptrace.c
> +++ b/arch/powerpc/kernel/ptrace.c
> @@ -1775,13 +1775,15 @@ long do_syscall_trace_enter(struct pt_regs *regs)
> secure_computing_strict(regs->gpr[0]);
>
> if (test_thread_flag(TIF_SYSCALL_TRACE) &&
> - tracehook_report_syscall_entry(regs))
> + tracehook_report_syscall_entry(regs)) {
> /*
> * Tracing decided this syscall should not happen.
> * We'll return a bogus call number to get an ENOSYS
> * error, but leave the original number in regs->gpr[0].
> */
> ret = -1L;
> + syscall_set_return_value(current, regs, ENOSYS, 0);
> + }
>
> if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
> trace_sys_enter(regs, regs->gpr[0]);
>
WARNING: multiple messages have this Message-ID (diff)
From: Mike Strosaker <strosake@linux.vnet.ibm.com>
To: Bogdan Purcareata <bogdan.purcareata@freescale.com>,
benh@kernel.crashing.org, paulus@samba.org,
linuxppc-dev@lists.ozlabs.org, mpe@ellerman.id.au
Cc: linux-kernel@vger.kernel.org, pmoore@redhat.com
Subject: Re: [PATCH v3 1/3] powerpc: Don't force ENOSYS as error on syscall fail
Date: Tue, 17 Feb 2015 21:01:19 -0600 [thread overview]
Message-ID: <54E4007F.5080603@linux.vnet.ibm.com> (raw)
In-Reply-To: <1423815752-3013-2-git-send-email-bogdan.purcareata@freescale.com>
This patch failed to build using pseries_le_defconfig. With the change
noted below in entry_64.S, the build succeeded and seccomp mode 2 worked
correctly.
Best,
Mike Strosaker
On 02/13/2015 02:22 AM, Bogdan Purcareata wrote:
> In certain scenarios - e.g. seccomp filtering with ERRNO as default action -
> the system call fails for other reasons than the syscall not being available.
> The seccomp filter can be configured to store a user-defined error code on
> return from a blacklisted syscall. Don't always set ENOSYS on
> do_syscall_trace_enter failure.
>
> Delegate setting ENOSYS in case of failure, where appropriate, to
> do_syscall_trace_enter.
>
> v3:
> - keep setting ENOSYS in the syscall entry assembly for scenarios without
> syscall tracing
>
> v2:
> - move setting ENOSYS as errno from the syscall entry assembly to
> do_syscall_trace_enter, only in the specific case
>
> Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
> ---
> arch/powerpc/kernel/entry_32.S | 7 ++++++-
> arch/powerpc/kernel/entry_64.S | 5 +++--
> arch/powerpc/kernel/ptrace.c | 4 +++-
> 3 files changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/arch/powerpc/kernel/entry_32.S b/arch/powerpc/kernel/entry_32.S
> index 46fc0f4..b2f88cd 100644
> --- a/arch/powerpc/kernel/entry_32.S
> +++ b/arch/powerpc/kernel/entry_32.S
> @@ -333,12 +333,12 @@ _GLOBAL(DoSyscall)
> lwz r11,TI_FLAGS(r10)
> andi. r11,r11,_TIF_SYSCALL_DOTRACE
> bne- syscall_dotrace
> -syscall_dotrace_cont:
> cmplwi 0,r0,NR_syscalls
> lis r10,sys_call_table@h
> ori r10,r10,sys_call_table@l
> slwi r0,r0,2
> bge- 66f
> +syscall_dotrace_cont:
> lwzx r10,r10,r0 /* Fetch system call handler [ptr] */
> mtlr r10
> addi r9,r1,STACK_FRAME_OVERHEAD
> @@ -457,6 +457,11 @@ syscall_dotrace:
> lwz r7,GPR7(r1)
> lwz r8,GPR8(r1)
> REST_NVGPRS(r1)
> + cmplwi 0,r0,NR_syscalls
> + lis r10,sys_call_table@h
> + ori r10,r10,sys_call_table@l
> + slwi r0,r0,2
> + bge- ret_from_syscall
> b syscall_dotrace_cont
>
> syscall_exit_work:
> diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S
> index d180caf2..0d22fa8 100644
> --- a/arch/powerpc/kernel/entry_64.S
> +++ b/arch/powerpc/kernel/entry_64.S
> @@ -144,7 +144,6 @@ END_FW_FTR_SECTION_IFSET(FW_FEATURE_SPLPAR)
> ld r10,TI_FLAGS(r11)
> andi. r11,r10,_TIF_SYSCALL_DOTRACE
> bne syscall_dotrace
> -.Lsyscall_dotrace_cont:
> cmpldi 0,r0,NR_syscalls
> bge- syscall_enosys
>
> @@ -253,7 +252,9 @@ syscall_dotrace:
> addi r9,r1,STACK_FRAME_OVERHEAD
> CURRENT_THREAD_INFO(r10, r1)
> ld r10,TI_FLAGS(r10)
> - b .Lsyscall_dotrace_cont
> + cmpldi 0,r0,NR_syscalls
> + bge- syscall_exit
Shouldn't this be .Lsyscall_exit?
> + b system_call
>
> syscall_enosys:
> li r3,-ENOSYS
> diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c
> index f21897b..2edae06 100644
> --- a/arch/powerpc/kernel/ptrace.c
> +++ b/arch/powerpc/kernel/ptrace.c
> @@ -1775,13 +1775,15 @@ long do_syscall_trace_enter(struct pt_regs *regs)
> secure_computing_strict(regs->gpr[0]);
>
> if (test_thread_flag(TIF_SYSCALL_TRACE) &&
> - tracehook_report_syscall_entry(regs))
> + tracehook_report_syscall_entry(regs)) {
> /*
> * Tracing decided this syscall should not happen.
> * We'll return a bogus call number to get an ENOSYS
> * error, but leave the original number in regs->gpr[0].
> */
> ret = -1L;
> + syscall_set_return_value(current, regs, ENOSYS, 0);
> + }
>
> if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
> trace_sys_enter(regs, regs->gpr[0]);
>
next prev parent reply other threads:[~2015-02-18 3:01 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-13 8:22 [PATCH v3 0/3] powerpc: Enable seccomp filter support Bogdan Purcareata
2015-02-13 8:22 ` Bogdan Purcareata
2015-02-13 8:22 ` [PATCH v3 1/3] powerpc: Don't force ENOSYS as error on syscall fail Bogdan Purcareata
2015-02-13 8:22 ` Bogdan Purcareata
2015-02-18 3:01 ` Mike Strosaker [this message]
2015-02-18 3:01 ` Mike Strosaker
2015-02-18 6:50 ` Purcareata Bogdan
2015-02-18 6:50 ` Purcareata Bogdan
2015-02-13 8:22 ` [PATCH v3 2/3] powerpc: Relax secure computing on syscall entry trace Bogdan Purcareata
2015-02-13 8:22 ` Bogdan Purcareata
2015-02-13 8:22 ` [PATCH v3 3/3] powerpc: Enable HAVE_ARCH_SECCOMP_FILTER Bogdan Purcareata
2015-02-13 8:22 ` Bogdan Purcareata
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54E4007F.5080603@linux.vnet.ibm.com \
--to=strosake@linux.vnet.ibm.com \
--cc=benh@kernel.crashing.org \
--cc=bogdan.purcareata@freescale.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mpe@ellerman.id.au \
--cc=paulus@samba.org \
--cc=pmoore@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.