From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tyler Hicks Subject: Re: [PATCH v3 1/4] seccomp: Add sysctl to display available actions Date: Thu, 16 Feb 2017 12:43:14 -0600 Message-ID: References: <1487043928-5982-1-git-send-email-tyhicks@canonical.com> <1487043928-5982-2-git-send-email-tyhicks@canonical.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2714644569611150755==" Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Kees Cook Cc: Will Drewry , LKML , Andy Lutomirski , linux-audit@redhat.com, John Crispin List-Id: linux-audit@redhat.com This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --===============2714644569611150755== Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="f7L6tIEu8pBXeaNSe2h8Sq9NceCUL4hVV" This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --f7L6tIEu8pBXeaNSe2h8Sq9NceCUL4hVV Content-Type: multipart/mixed; boundary="RjlXT7vpo0nuIvuM0nVFaqXTga4N6DLuI"; protected-headers="v1" From: Tyler Hicks To: Kees Cook Cc: Paul Moore , Eric Paris , Andy Lutomirski , Will Drewry , linux-audit@redhat.com, LKML , John Crispin Message-ID: Subject: Re: [PATCH v3 1/4] seccomp: Add sysctl to display available actions References: <1487043928-5982-1-git-send-email-tyhicks@canonical.com> <1487043928-5982-2-git-send-email-tyhicks@canonical.com> In-Reply-To: --RjlXT7vpo0nuIvuM0nVFaqXTga4N6DLuI Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 02/15/2017 07:00 PM, Kees Cook wrote: > On Mon, Feb 13, 2017 at 7:45 PM, Tyler Hicks wr= ote: >> This patch creates a read-only sysctl containing an ordered list of >> seccomp actions that the kernel supports. The ordering, from left to >> right, is the lowest action value (kill) to the highest action value >> (allow). Currently, a read of the sysctl file would return "kill trap >> errno trace allow". The contents of this sysctl file can be useful for= >> userspace code as well as the system administrator. >> >> The path to the sysctl is: >> >> /proc/sys/kernel/seccomp/actions_avail >> >> libseccomp and other userspace code can easily determine which actions= >> the current kernel supports. The set of actions supported by the curre= nt >> kernel may be different than the set of action macros found in kernel >> headers that were installed where the userspace code was built. >> >> In addition, this sysctl will allow system administrators to know whic= h >> actions are supported by the kernel and make it easier to configure >> exactly what seccomp logs through the audit subsystem. Support for thi= s >> level of logging configuration will come in a future patch. >> >> Signed-off-by: Tyler Hicks >> --- >> Documentation/prctl/seccomp_filter.txt | 16 ++++++++++ >> Documentation/sysctl/kernel.txt | 1 + >> kernel/seccomp.c | 55 +++++++++++++++++++++++++= +++++++++ >> 3 files changed, 72 insertions(+) >> >> diff --git a/Documentation/prctl/seccomp_filter.txt b/Documentation/pr= ctl/seccomp_filter.txt >> index 1e469ef..a5554ff 100644 >> --- a/Documentation/prctl/seccomp_filter.txt >> +++ b/Documentation/prctl/seccomp_filter.txt >> @@ -166,7 +166,23 @@ The samples/seccomp/ directory contains both an x= 86-specific example >> and a more generic example of a higher level macro interface for BPF >> program generation. >> >> +Sysctls >> +------- >> + >> +Seccomp's sysctl files can be found in the /proc/sys/kernel/seccomp/ >> +directory. Here's a description of each file in that directory: >> + >> +actions_avail: >> + A read-only ordered list of seccomp return values (refer to th= e >> + SECCOMP_RET_* macros above) in string form. The ordering, from= >> + left-to-right, is the least permissive return value to the mos= t >> + permissive return value. >> >> + The list represents the set of seccomp return values supported= >> + by the kernel. A userspace program may use this list to >> + determine if the actions found in the seccomp.h, when the >> + program was built, differs from the set of actions actually >> + supported in the current running kernel. >> >> Adding architecture support >> ----------------------- >> diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/ke= rnel.txt >> index a32b4b7..56f9b29 100644 >> --- a/Documentation/sysctl/kernel.txt >> +++ b/Documentation/sysctl/kernel.txt >> @@ -74,6 +74,7 @@ show up in /proc/sys/kernel: >> - reboot-cmd [ SPARC only ] >> - rtsig-max >> - rtsig-nr >> +- seccomp/ =3D=3D> Documentation/prctl/seccomp_fil= ter.txt >> - sem >> - sem_next_id [ sysv ipc ] >> - sg-big-buff [ generic SCSI device (sg) ] >> diff --git a/kernel/seccomp.c b/kernel/seccomp.c >> index f7ce79a..e36dfe9 100644 >> --- a/kernel/seccomp.c >> +++ b/kernel/seccomp.c >> @@ -16,10 +16,12 @@ >> #include >> #include >> #include >> +#include >> #include >> #include >> #include >> #include >> +#include >> >> #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER >> #include >> @@ -905,3 +907,56 @@ long seccomp_get_filter(struct task_struct *task,= unsigned long filter_off, >> return ret; >> } >> #endif >> + >> +#ifdef CONFIG_SYSCTL >> + >> +/* Human readable action names for friendly sysctl interaction */ >> +#define SECCOMP_RET_KILL_NAME "kill" >> +#define SECCOMP_RET_TRAP_NAME "trap" >> +#define SECCOMP_RET_ERRNO_NAME "errno" >> +#define SECCOMP_RET_TRACE_NAME "trace" >> +#define SECCOMP_RET_ALLOW_NAME "allow" >> + >> +static char seccomp_actions_avail[] =3D SECCOMP_RET_KILL_NAME " " >> + SECCOMP_RET_TRAP_NAME " " >> + SECCOMP_RET_ERRNO_NAME " " >> + SECCOMP_RET_TRACE_NAME " " >> + SECCOMP_RET_ALLOW_NAME; >> + >> +static struct ctl_path seccomp_sysctl_path[] =3D { >> + { .procname =3D "kernel", }, >> + { .procname =3D "seccomp", }, >> + { } >> +}; >> + >> +static struct ctl_table seccomp_sysctl_table[] =3D { >> + { >> + .procname =3D "actions_avail", >> + .data =3D &seccomp_actions_avail, >> + .maxlen =3D sizeof(seccomp_actions_avail), >> + .mode =3D 0444, >> + .proc_handler =3D proc_dostring, >> + }, >> + { } >> +}; >> + >> +static int __init seccomp_sysctl_init(void) >> +{ >> + struct ctl_table_header *hdr; >> + >> + hdr =3D register_sysctl_paths(seccomp_sysctl_path, seccomp_sys= ctl_table); >> + if (!hdr) >> + pr_warn("seccomp: sysctl registration failed\n"); >> + else >> + kmemleak_not_leak(hdr); >> + >> + return 0; >> +} >> + >> +#else /* CONFIG_SYSCTL */ >> + >> +static __init int seccomp_sysctl_init(void) { return 0; } >> + >> +#endif /* CONFIG_SYSCTL */ >> + >> +device_initcall(seccomp_sysctl_init) >=20 > Can the device_initcall() just live in the CONFIG_SYSCTL #ifdef to > avoid the #else and stub? Yes. That'll be a nice cleanup. Tyler >=20 > -Kees >=20 --RjlXT7vpo0nuIvuM0nVFaqXTga4N6DLuI-- --f7L6tIEu8pBXeaNSe2h8Sq9NceCUL4hVV Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJYpfLCAAoJENaSAD2qAscK3ygP/0ICcg9woL1hhQaVgp0VbgzZ sL6CA2an9TKWj8n9EHvhZOWdRNOuqN4lV9XWawHI+86JySZ3W0850JNHezW2iZDv eSTEot2VAMFdwBCkxdU0KfqRV6KYt0vZC/wIV53se5TTodT4bwcmDbgBrQOj9kC4 t/9FV/NXdCEmK3gMEwgTAlsL0qyDteMOgEh1vaEcnQp2jIhS/jPaWzVop+kEEmLY A+n/+U5uIBYP/FmOO3iPekDmg1Wyrr5h9oCOxoZwgvahzt1If6QtDbI2fH09JsKp Y5Am2OwPk4cq3JCIDG/9XsNd88Sa2mA6ifZoO42O59EEVecK3s7DuFENPmNBkT3c 5df88DcmaU0Df/yOGb40oJJI60Ne8yWcz9lj2xlntSxxYWNLyw2CPjzgRIl+4vhd H3bMkJmkbJdY0F4mZ+zqtB4UahxCEdvaVmPOGNoBLkz6v207VIU7pzDLcsDMmoSy fzRkH4lrsX1SiD9TMuAaYDtG345qFbUv7ukZ3EWZTZ7pJgAWmiF8j/jR6q/LLtjL LmPYJ9RKSbGLXfYehEHiYRXG4X38fNbKTBteYULzi0fYe+ZisfyfVyJMu5QPYL66 oL7qpWhM+LH3EvNEJE2v/xUCUjopRhUJqFgh/BFgobURvuz9SXtKWYjUpeYk8Oll b2I5yt4tgJHp5bMcTc3q =jiTA -----END PGP SIGNATURE----- --f7L6tIEu8pBXeaNSe2h8Sq9NceCUL4hVV-- --===============2714644569611150755== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============2714644569611150755==--