Linux Documentation
 help / color / mirror / Atom feed
From: Jinjie Ruan <ruanjinjie@huawei.com>
To: Thomas Gleixner <tglx@kernel.org>, LKML <linux-kernel@vger.kernel.org>
Cc: "Peter Zijlstra" <peterz@infradead.org>,
	"Mark Rutland" <mark.rutland@arm.com>,
	"Kees Cook" <kees@kernel.org>,
	"Andy Lutomirski" <luto@kernel.org>,
	"Oleg Nesterov" <oleg@redhat.com>,
	"Richard Henderson" <richard.henderson@linaro.org>,
	"Russell King" <linux@armlinux.org.uk>,
	"Catalin Marinas" <catalin.marinas@arm.com>,
	"Guo Ren" <guoren@kernel.org>,
	"Geert Uytterhoeven" <geert@linux-m68k.org>,
	"Thomas Bogendoerfer" <tsbogend@alpha.franken.de>,
	"Helge Deller" <deller@gmx.de>,
	"Yoshinori Sato" <ysato@users.sourceforge.jp>,
	"Richard Weinberger" <richard@nod.at>,
	"Chris Zankel" <chris@zankel.net>,
	linux-arm-kernel@lists.infradead.org,
	linux-alpha@vger.kernel.org, linux-csky@vger.kernel.org,
	linux-m68k@lists.linux-m68k.org, linux-mips@vger.kernel.org,
	linux-parisc@vger.kernel.org, linux-sh@vger.kernel.org,
	linux-um@lists.infradead.org,
	"Michael Ellerman" <mpe@ellerman.id.au>,
	"Shrikanth Hegde" <sshegde@linux.ibm.com>,
	linuxppc-dev@lists.ozlabs.org,
	"Huacai Chen" <chenhuacai@kernel.org>,
	loongarch@lists.linux.dev, "Paul Walmsley" <pjw@kernel.org>,
	"Palmer Dabbelt" <palmer@dabbelt.com>,
	linux-riscv@lists.infradead.org,
	"Sven Schnelle" <svens@linux.ibm.com>,
	linux-s390@vger.kernel.org, x86@kernel.org,
	"Arnd Bergmann" <arnd@arndb.de>,
	"Vineet Gupta" <vgupta@kernel.org>,
	"Will Deacon" <will@kernel.org>, "Brian Cain" <bcain@kernel.org>,
	"Michal Simek" <monstr@monstr.eu>,
	"Dinh Nguyen" <dinguyen@kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	"Andreas Larsson" <andreas@gaisler.com>,
	linux-snps-arc@lists.infradead.org,
	linux-hexagon@vger.kernel.org, linux-openrisc@vger.kernel.org,
	sparclinux@vger.kernel.org, linux-arch@vger.kernel.org,
	"Michal Suchánek" <msuchanek@suse.de>,
	"Jonathan Corbet" <corbet@lwn.net>,
	linux-doc@vger.kernel.org
Subject: Re: [patch 11/18] seccomp, treewide: Rename and convert __secure_computing() to return boolean
Date: Wed, 8 Jul 2026 09:43:46 +0800	[thread overview]
Message-ID: <2e6ed364-ce8f-4b4b-8675-acd07f140f4f@huawei.com> (raw)
In-Reply-To: <20260707190254.230735780@kernel.org>



On 7/8/2026 3:06 AM, Thomas Gleixner wrote:
> From: Jinjie Ruan <ruanjinjie@huawei.com>
> 
> The return value of __secure_computing() currently uses 0 to indicate
> that a system call should be allowed, and -1 to indicate that it should
> be blocked/killed. This 0/-1 pattern is non-intuitive for a security
> check function and makes the control flow at the call sites less readable.
> 
> Furthermore, any potential future changes to these return values would
> require a high-risk, error-prone audit of all its users across different
> architectures.
> 
> Sanitize this logic by converting the return type of __secure_computing()
> to a proper boolean, where 'true' explicitly means 'allow' and 'false'
> means 'fail/deny'.
> 
> Update all the two dozen or so call sites across the tree to align with
> this new boolean semantic. No functional changes are intended, as the
> callers still return -1 to the lower-level assembly entry code upon
> seccomp denial.
> 
> Rename the function to __seccomp_permit_syscall() so that the purpose is
> entirely clear.
> 
> [ tglx: Rename the function ]
> 
> Suggested-by: Thomas Gleixner <tglx@kernel.org>
> Suggested-by: Mark Rutland <mark.rutland@arm.com>
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> Signed-off-by: Thomas Gleixner <tglx@kernel.org>
> Cc: Kees Cook <kees@kernel.org>
> Cc: Andy Lutomirski <luto@kernel.org>
> Cc: Oleg Nesterov <oleg@redhat.com>
> Cc: Richard Henderson <richard.henderson@linaro.org>
> Cc: Russell King <linux@armlinux.org.uk>
> Cc: Catalin Marinas <catalin.marinas@arm.com>
> Cc: Guo Ren <guoren@kernel.org>
> Cc: Geert Uytterhoeven <geert@linux-m68k.org>
> Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
> Cc: Helge Deller <deller@gmx.de>
> Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
> Cc: Richard Weinberger <richard@nod.at>
> Cc: Chris Zankel <chris@zankel.net>
> Cc: linux-arm-kernel@lists.infradead.org
> Cc: linux-alpha@vger.kernel.org
> Cc: linux-csky@vger.kernel.org
> Cc: linux-m68k@lists.linux-m68k.org
> Cc: linux-mips@vger.kernel.org
> Cc: linux-parisc@vger.kernel.org
> Cc: linux-sh@vger.kernel.org
> Cc: linux-um@lists.infradead.org
> ---
>  arch/alpha/kernel/ptrace.c            |    2 -
>  arch/arm/kernel/ptrace.c              |    2 -
>  arch/arm64/kernel/ptrace.c            |    2 -
>  arch/csky/kernel/ptrace.c             |    2 -
>  arch/m68k/kernel/ptrace.c             |    2 -
>  arch/mips/kernel/ptrace.c             |    2 -
>  arch/parisc/kernel/ptrace.c           |    2 -
>  arch/sh/kernel/ptrace_32.c            |    2 -
>  arch/um/kernel/skas/syscall.c         |    2 -
>  arch/x86/entry/vsyscall/vsyscall_64.c |   14 ++++++-------
>  arch/xtensa/kernel/ptrace.c           |    3 --
>  include/linux/entry-common.h          |    9 +++-----
>  include/linux/seccomp.h               |   12 +++++------
>  kernel/seccomp.c                      |   35 +++++++++++++++++-----------------
>  14 files changed, 45 insertions(+), 46 deletions(-)

As Ada pointed out, the description of secure_computing in arch/Kconfig
need to be updated, a possible suggestion:

--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -636,8 +636,8 @@ config HAVE_ARCH_SECCOMP_FILTER
          - syscall_rollback()
          - syscall_set_return_value()
          - SIGSYS siginfo_t support
-         - secure_computing is called from a ptrace_event()-safe context
-         - secure_computing return value is checked and a return value
of -1
+         - seccomp_permits_syscall is called from a ptrace_event()-safe
context
+         - seccomp_permits_syscall return value is checked and if false


Link:
https://lore.kernel.org/all/b8f3b5cd-8d8a-4396-ba0c-011a83234dd9@arm.com/

> --- a/arch/alpha/kernel/ptrace.c
> +++ b/arch/alpha/kernel/ptrace.c
> @@ -387,7 +387,7 @@ asmlinkage unsigned long syscall_trace_e
>  	 * If this fails, seccomp may already have set up the return value
>  	 * (e.g. SECCOMP_RET_ERRNO / TRACE).
>  	 */
> -	if (secure_computing() == -1) {
> +	if (!seccomp_permit_syscall()) {
>  		if (regs->r19 == 0 && regs->r0 == (unsigned long)-1)
>  			syscall_set_return_value(current, regs, -ENOSYS, 0);
>  		syscall_set_nr(current, regs, -1);

[...]

> -static int __seccomp_filter(int this_syscall, const bool recheck_after_trace)
> +static bool __seccomp_filter(int this_syscall, const bool recheck_after_trace)
>  {
>  	u32 filter_ret, action;
>  	struct seccomp_data sd;
> @@ -1294,7 +1295,7 @@ static int __seccomp_filter(int this_sys
>  	case SECCOMP_RET_TRACE:
>  		/* We've been put in this state by the ptracer already. */
>  		if (recheck_after_trace)
> -			return 0;
> +			return true;
>  
>  		/* ENOSYS these calls if there is no tracer attached. */
>  		if (!ptrace_event_enabled(current, PTRACE_EVENT_SECCOMP)) {
> @@ -1330,19 +1331,19 @@ static int __seccomp_filter(int this_sys
>  		 * a skip would have already been reported.
>  		 */
>  		if (__seccomp_filter(this_syscall, true))
> -			return -1;
> +			return false;

The return value of __seccomp_filter is checked in the wrong way, check
-1 should be replaced with check false, maybe:

-               if (__seccomp_filter(this_syscall, true))
-                       return -1;
+               if (!__seccomp_filter(this_syscall, true))
+                       return false;

otherwise,

LGTM
Reviewed-by: Jinjie Ruan <ruanjinjie@huawei.com>

>  
> -		return 0;
> +		return true;
>  
>  	case SECCOMP_RET_USER_NOTIF:
>  		if (seccomp_do_user_notification(this_syscall, match, &sd))
>  			goto skip;
>  
> -		return 0;
> +		return true;
>  
>  	case SECCOMP_RET_LOG:
>  		seccomp_log(this_syscall, 0, action, true);
> -		return 0;
> +		return true;
>  
>  	case SECCOMP_RET_ALLOW:
>  		/*
> @@ -1350,7 +1351,7 @@ static int __seccomp_filter(int this_sys
>  		 * this action since SECCOMP_RET_ALLOW is the starting
>  		 * state in seccomp_run_filters().
>  		 */
> -		return 0;
> +		return true;
>  
>  	case SECCOMP_RET_KILL_THREAD:
>  	case SECCOMP_RET_KILL_PROCESS:
> @@ -1367,46 +1368,46 @@ static int __seccomp_filter(int this_sys
>  		} else {
>  			do_exit(SIGSYS);
>  		}
> -		return -1; /* skip the syscall go directly to signal handling */
> +		return false; /* skip the syscall go directly to signal handling */
>  	}
>  
>  	unreachable();
>  
>  skip:
>  	seccomp_log(this_syscall, 0, action, match ? match->log : false);
> -	return -1;
> +	return false;
>  }
>  #else
> -static int __seccomp_filter(int this_syscall, const bool recheck_after_trace)
> +static bool __seccomp_filter(int this_syscall, const bool recheck_after_trace)
>  {
>  	BUG();
>  
> -	return -1;
> +	return false;
>  }
>  #endif
>  
> -int __secure_computing(void)
> +bool __seccomp_permit_syscall(void)
>  {
>  	int mode = current->seccomp.mode;
>  	int this_syscall;
>  
>  	if (IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) &&
>  	    unlikely(current->ptrace & PT_SUSPEND_SECCOMP))
> -		return 0;
> +		return true;
>  
>  	this_syscall = syscall_get_nr(current, current_pt_regs());
>  
>  	switch (mode) {
>  	case SECCOMP_MODE_STRICT:
>  		__secure_computing_strict(this_syscall);  /* may call do_exit */
> -		return 0;
> +		return true;
>  	case SECCOMP_MODE_FILTER:
>  		return __seccomp_filter(this_syscall, false);
>  	/* Surviving SECCOMP_RET_KILL_* must be proactively impossible. */
>  	case SECCOMP_MODE_DEAD:
>  		WARN_ON_ONCE(1);
>  		do_exit(SIGKILL);
> -		return -1;
> +		return false;
>  	default:
>  		BUG();
>  	}
> 


  reply	other threads:[~2026-07-08  1:43 UTC|newest]

Thread overview: 94+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-07 19:05 [patch 00/18] entry: Consolidate and rework syscall entry handling Thomas Gleixner
2026-07-07 19:05 ` [patch 01/18] powerpc: Move stack randomization after syscall_enter_from_user_mode() Thomas Gleixner
2026-07-08 14:07   ` Shrikanth Hegde
2026-07-08 17:22   ` Radu Rendec
2026-07-09  1:20   ` Jinjie Ruan
2026-07-09 11:12   ` Philippe Mathieu-Daudé
2026-07-09 18:32   ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 02/18] randomize_kstack: Provide add_random_kstack_offset_irqsoff() Thomas Gleixner
2026-07-08 17:24   ` Radu Rendec
2026-07-09  2:13   ` Jinjie Ruan
2026-07-09 16:23   ` Kees Cook
2026-07-09 18:34   ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 03/18] entry: Provide [syscall_]enter_from_user_mode_randomize_stack() Thomas Gleixner
2026-07-08 17:26   ` Radu Rendec
2026-07-09  2:34   ` Jinjie Ruan
2026-07-09  3:46   ` Jinjie Ruan
2026-07-09 11:15   ` Philippe Mathieu-Daudé
2026-07-09 20:16   ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 04/18] loongarch/syscall: Use syscall_enter_from_user_mode_randomize_stack() Thomas Gleixner
2026-07-08 18:37   ` Radu Rendec
2026-07-09  2:37   ` Jinjie Ruan
2026-07-09 11:15   ` Philippe Mathieu-Daudé
2026-07-09 18:40   ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 05/18] powerpc/syscall: " Thomas Gleixner
2026-07-08 18:35   ` Radu Rendec
2026-07-09  2:38   ` Jinjie Ruan
2026-07-09 11:16   ` Philippe Mathieu-Daudé
2026-07-09 18:41   ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 06/18] riscv/syscall: " Thomas Gleixner
2026-07-08 20:57   ` Radu Rendec
2026-07-09  2:38   ` Jinjie Ruan
2026-07-09 11:16   ` Philippe Mathieu-Daudé
2026-07-09 18:42   ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 07/18] s390/syscall: Use enter_from_user_mode_randomize_stack() Thomas Gleixner
2026-07-08  6:47   ` Sven Schnelle
2026-07-08 20:57   ` Radu Rendec
2026-07-09  2:39   ` Jinjie Ruan
2026-07-09  2:46   ` Jinjie Ruan
2026-07-09 11:17     ` Philippe Mathieu-Daudé
2026-07-09 18:43   ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 08/18] x86/syscall: Use [syscall_]enter_from_user_mode_randomize_stack() Thomas Gleixner
2026-07-08 20:59   ` Radu Rendec
2026-07-09  2:44   ` Jinjie Ruan
2026-07-09 11:18   ` Philippe Mathieu-Daudé
2026-07-09 18:45   ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 09/18] entry: Remove syscall_enter_from_user_mode() Thomas Gleixner
2026-07-08 21:21   ` Radu Rendec
2026-07-08 22:08     ` Thomas Gleixner
2026-07-09  2:49   ` Jinjie Ruan
2026-07-09 18:49   ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 10/18] entry: Use syscall number instead of rereading it Thomas Gleixner
2026-07-08 21:39   ` Radu Rendec
2026-07-09  2:55   ` Jinjie Ruan
2026-07-09 11:20   ` Philippe Mathieu-Daudé
2026-07-09 11:22     ` Philippe Mathieu-Daudé
2026-07-09 18:50   ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 11/18] seccomp, treewide: Rename and convert __secure_computing() to return boolean Thomas Gleixner
2026-07-08  1:43   ` Jinjie Ruan [this message]
2026-07-08  9:15     ` Thomas Gleixner
2026-07-08 16:04       ` Oleg Nesterov
2026-07-08 21:49         ` Thomas Gleixner
2026-07-09 16:22   ` Kees Cook
2026-07-09 19:10   ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 12/18] ptrace, treewide: Rename ptrace_report_syscall_entry() to ptrace_report_syscall_permit_entry() Thomas Gleixner
2026-07-08 15:46   ` Oleg Nesterov
2026-07-09  1:41   ` Jinjie Ruan
2026-07-09  8:41   ` Geert Uytterhoeven
2026-07-09 17:03   ` Radu Rendec
2026-07-09 19:22   ` Mukesh Kumar Chaurasiya
2026-07-10 10:42   ` Michal Suchánek
2026-07-10 11:16     ` Oleg Nesterov
2026-07-07 19:06 ` [patch 13/18] entry: Make trace_syscall_enter() return type bool Thomas Gleixner
2026-07-08 15:52   ` Michal Suchánek
2026-07-08 20:34     ` Thomas Gleixner
2026-07-08 23:14       ` Thomas Gleixner
2026-07-09 16:26         ` David Laight
2026-07-10 11:01       ` Michal Suchánek
2026-07-10 11:40         ` Oleg Nesterov
2026-07-10 12:32           ` Michal Suchánek
2026-07-10 12:52             ` Oleg Nesterov
2026-07-10 15:20               ` Michal Suchánek
2026-07-07 19:06 ` [patch 14/18] entry: Make return type of syscall_trace_enter() bool Thomas Gleixner
2026-07-09 19:36   ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 15/18] x86/entry: Make syscall functions static Thomas Gleixner
2026-07-09  1:47   ` Jinjie Ruan
2026-07-09 19:43   ` Mukesh Kumar Chaurasiya
2026-07-07 19:07 ` [patch 16/18] x86/entry: Get rid of the sys_ni_syscall() indirection Thomas Gleixner
2026-07-09  2:03   ` Jinjie Ruan
2026-07-07 19:07 ` [patch 17/18] x86/entry: Simplify the syscall number logic Thomas Gleixner
2026-07-07 19:07 ` [patch 18/18] entry, treewide: Make syscall_enter_from_user_mode[_work]() indicate syscall execution Thomas Gleixner
2026-07-08  5:21   ` Shrikanth Hegde
2026-07-08  9:16     ` Thomas Gleixner
2026-07-09 19:49   ` Mukesh Kumar Chaurasiya
2026-07-09 20:15 ` [patch 00/18] entry: Consolidate and rework syscall entry handling Mukesh Kumar Chaurasiya

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2e6ed364-ce8f-4b4b-8675-acd07f140f4f@huawei.com \
    --to=ruanjinjie@huawei.com \
    --cc=andreas@gaisler.com \
    --cc=arnd@arndb.de \
    --cc=bcain@kernel.org \
    --cc=catalin.marinas@arm.com \
    --cc=chenhuacai@kernel.org \
    --cc=chris@zankel.net \
    --cc=corbet@lwn.net \
    --cc=davem@davemloft.net \
    --cc=deller@gmx.de \
    --cc=dinguyen@kernel.org \
    --cc=geert@linux-m68k.org \
    --cc=guoren@kernel.org \
    --cc=kees@kernel.org \
    --cc=linux-alpha@vger.kernel.org \
    --cc=linux-arch@vger.kernel.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-csky@vger.kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-hexagon@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-m68k@lists.linux-m68k.org \
    --cc=linux-mips@vger.kernel.org \
    --cc=linux-openrisc@vger.kernel.org \
    --cc=linux-parisc@vger.kernel.org \
    --cc=linux-riscv@lists.infradead.org \
    --cc=linux-s390@vger.kernel.org \
    --cc=linux-sh@vger.kernel.org \
    --cc=linux-snps-arc@lists.infradead.org \
    --cc=linux-um@lists.infradead.org \
    --cc=linux@armlinux.org.uk \
    --cc=linuxppc-dev@lists.ozlabs.org \
    --cc=loongarch@lists.linux.dev \
    --cc=luto@kernel.org \
    --cc=mark.rutland@arm.com \
    --cc=monstr@monstr.eu \
    --cc=mpe@ellerman.id.au \
    --cc=msuchanek@suse.de \
    --cc=oleg@redhat.com \
    --cc=palmer@dabbelt.com \
    --cc=peterz@infradead.org \
    --cc=pjw@kernel.org \
    --cc=richard.henderson@linaro.org \
    --cc=richard@nod.at \
    --cc=sparclinux@vger.kernel.org \
    --cc=sshegde@linux.ibm.com \
    --cc=svens@linux.ibm.com \
    --cc=tglx@kernel.org \
    --cc=tsbogend@alpha.franken.de \
    --cc=vgupta@kernel.org \
    --cc=will@kernel.org \
    --cc=x86@kernel.org \
    --cc=ysato@users.sourceforge.jp \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox