From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Serge E. Hallyn"
Subject: Re: [PATCH v9 2/4] seccomp: switch system call argument type to void *
Date: Sun, 2 Dec 2018 23:01:08 -0600
Message-ID: <20181203050108.GB31406@mail.hallyn.com>
References: <20181203032827.27978-1-tycho@tycho.ws> <20181203032827.27978-3-tycho@tycho.ws>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path:
Content-Disposition: inline
In-Reply-To: <20181203032827.27978-3-tycho@tycho.ws>
Sender: linux-kernel-owner@vger.kernel.org
To: Tycho Andersen, Michael Kerrisk, Paul Moore
Cc: Kees Cook, Andy Lutomirski, Oleg Nesterov, "Eric W . Biederman", "Serge E . Hallyn", Christian Brauner, Tyler Hicks, Akihiro Suda, Aleksa Sarai, Jann Horn, linux-kernel@vger.kernel.org, containers@lists.linux-foundation.org, linux-api@vger.kernel.org
List-Id: linux-api@vger.kernel.org

On Sun, Dec 02, 2018 at 08:28:25PM -0700, Tycho Andersen wrote:
> The const qualifier causes problems for any code that wants to write to the
> third argument of the seccomp syscall, as we will do in a future patch in
> this series.
>
> The third argument to the seccomp syscall is documented as void *, so
> rather than just dropping the const, let's switch everything to use void *
> as well.
>
> I believe this is safe because of 1. the documentation above, 2. there's no
> real type information exported about syscalls anywhere besides the man
> pages.
>
> Signed-off-by: Tycho Andersen
> CC: Kees Cook
> CC: Andy Lutomirski
> CC: Oleg Nesterov
> CC: Eric W. Biederman
> CC: "Serge E. Hallyn"

Acked-by: Serge Hallyn

Though I'm not entirely convinced there will be no ill effects of changing
the argument type. I'll feel comfortable when Michael and Paul say it's
fine :)

> CC: Christian Brauner
> CC: Tyler Hicks
> CC: Akihiro Suda
> ---
> include/linux/seccomp.h | 2 +-
> kernel/seccomp.c | 8 ++++----
> 2 files changed, 5 insertions(+), 5 deletions(-)
> > diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h > index e5320f6c8654..b5103c019cf4 100644 > --- a/include/linux/seccomp.h > +++ b/include/linux/seccomp.h > @@ -43,7 +43,7 @@ extern void secure_computing_strict(int this_syscall); > #endif > > extern long prctl_get_seccomp(void); > -extern long prctl_set_seccomp(unsigned long, char __user *); > +extern long prctl_set_seccomp(unsigned long, void __user *); > > static inline int seccomp_mode(struct seccomp *s) > { > diff --git a/kernel/seccomp.c b/kernel/seccomp.c > index 96afc32e041d..393e029f778a 100644 > --- a/kernel/seccomp.c > +++ b/kernel/seccomp.c > @@ -924,7 +924,7 @@ static long seccomp_get_action_avail(const char __user *uaction) > > /* Common entry point for both prctl and syscall. */ > static long do_seccomp(unsigned int op, unsigned int flags, > - const char __user *uargs) > + void __user *uargs) > { > switch (op) { > case SECCOMP_SET_MODE_STRICT: > @@ -944,7 +944,7 @@ static long do_seccomp(unsigned int op, unsigned int flags, > } > > SYSCALL_DEFINE3(seccomp, unsigned int, op, unsigned int, flags, > - const char __user *, uargs) > + void __user *, uargs) > { > return do_seccomp(op, flags, uargs); > } > @@ -956,10 +956,10 @@ SYSCALL_DEFINE3(seccomp, unsigned int, op, unsigned int, flags, > * > * Returns 0 on success or -EINVAL on failure. > */ > -long prctl_set_seccomp(unsigned long seccomp_mode, char __user *filter) > +long prctl_set_seccomp(unsigned long seccomp_mode, void __user *filter) > { > unsigned int op; > - char __user *uargs; > + void __user *uargs; > > switch (seccomp_mode) { > case SECCOMP_MODE_STRICT: > -- > 2.19.1
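Review bot: in the do_seccomp() hunk of kernel/seccomp.c, dropping const from uargs at the common entry point removes the compiler's read-only check for every op in the switch, not only the one that will write, and the reason for the write lives in a later patch of the series. The context line just above shows seccomp_get_action_avail() still taking const char __user *, which is the right shape: keep the read-only helpers const like that, and extend the "Common entry point for both prctl and syscall" comment to say which op is allowed to write through uargs.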
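Review bot: the SYSCALL_DEFINE3(seccomp, ...) hunk changes the declared type of the third syscall argument from const char __user * to void __user *, while the diffstat touches only include/linux/seccomp.h and kernel/seccomp.c. If the syscall is also declared in any other header, that prototype needs the same change in this patch so declaration and definition do not diverge; please confirm there is none, or add it here.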
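Review bot: in the prctl_set_seccomp() hunk, and the matching prototype in include/linux/seccomp.h, the old type was char __user * with no const, so the problem named in the commit message (the const qualifier blocking writes) does not apply on this path and the change is for consistency only. A sentence in the commit message saying the prctl side is a type-only change with no behaviour difference would spare readers from looking for one.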