From: Jinjie Ruan <ruanjinjie@huawei.com>
To: Thomas Gleixner <tglx@kernel.org>, LKML <linux-kernel@vger.kernel.org>
Cc: "Peter Zijlstra" <peterz@infradead.org>,
"Mark Rutland" <mark.rutland@arm.com>,
"Kees Cook" <kees@kernel.org>,
"Andy Lutomirski" <luto@kernel.org>,
"Oleg Nesterov" <oleg@redhat.com>,
"Richard Henderson" <richard.henderson@linaro.org>,
"Russell King" <linux@armlinux.org.uk>,
"Catalin Marinas" <catalin.marinas@arm.com>,
"Guo Ren" <guoren@kernel.org>,
"Geert Uytterhoeven" <geert@linux-m68k.org>,
"Thomas Bogendoerfer" <tsbogend@alpha.franken.de>,
"Helge Deller" <deller@gmx.de>,
"Yoshinori Sato" <ysato@users.sourceforge.jp>,
"Richard Weinberger" <richard@nod.at>,
"Chris Zankel" <chris@zankel.net>,
linux-arm-kernel@lists.infradead.org,
linux-alpha@vger.kernel.org, linux-csky@vger.kernel.org,
linux-m68k@lists.linux-m68k.org, linux-mips@vger.kernel.org,
linux-parisc@vger.kernel.org, linux-sh@vger.kernel.org,
linux-um@lists.infradead.org,
"Michael Ellerman" <mpe@ellerman.id.au>,
"Shrikanth Hegde" <sshegde@linux.ibm.com>,
linuxppc-dev@lists.ozlabs.org,
"Huacai Chen" <chenhuacai@kernel.org>,
loongarch@lists.linux.dev, "Paul Walmsley" <pjw@kernel.org>,
"Palmer Dabbelt" <palmer@dabbelt.com>,
linux-riscv@lists.infradead.org,
"Sven Schnelle" <svens@linux.ibm.com>,
linux-s390@vger.kernel.org, x86@kernel.org,
"Arnd Bergmann" <arnd@arndb.de>,
"Vineet Gupta" <vgupta@kernel.org>,
"Will Deacon" <will@kernel.org>, "Brian Cain" <bcain@kernel.org>,
"Michal Simek" <monstr@monstr.eu>,
"Dinh Nguyen" <dinguyen@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
"Andreas Larsson" <andreas@gaisler.com>,
linux-snps-arc@lists.infradead.org,
linux-hexagon@vger.kernel.org, linux-openrisc@vger.kernel.org,
sparclinux@vger.kernel.org, linux-arch@vger.kernel.org,
"Michal Suchánek" <msuchanek@suse.de>,
"Jonathan Corbet" <corbet@lwn.net>,
linux-doc@vger.kernel.org
Subject: Re: [patch 11/18] seccomp, treewide: Rename and convert __secure_computing() to return boolean
Date: Wed, 8 Jul 2026 09:43:46 +0800 [thread overview]
Message-ID: <2e6ed364-ce8f-4b4b-8675-acd07f140f4f@huawei.com> (raw)
In-Reply-To: <20260707190254.230735780@kernel.org>
On 7/8/2026 3:06 AM, Thomas Gleixner wrote:
> From: Jinjie Ruan <ruanjinjie@huawei.com>
>
> The return value of __secure_computing() currently uses 0 to indicate
> that a system call should be allowed, and -1 to indicate that it should
> be blocked/killed. This 0/-1 pattern is non-intuitive for a security
> check function and makes the control flow at the call sites less readable.
>
> Furthermore, any potential future changes to these return values would
> require a high-risk, error-prone audit of all its users across different
> architectures.
>
> Sanitize this logic by converting the return type of __secure_computing()
> to a proper boolean, where 'true' explicitly means 'allow' and 'false'
> means 'fail/deny'.
>
> Update all the two dozen or so call sites across the tree to align with
> this new boolean semantic. No functional changes are intended, as the
> callers still return -1 to the lower-level assembly entry code upon
> seccomp denial.
>
> Rename the function to __seccomp_permit_syscall() so that the purpose is
> entirely clear.
>
> [ tglx: Rename the function ]
>
> Suggested-by: Thomas Gleixner <tglx@kernel.org>
> Suggested-by: Mark Rutland <mark.rutland@arm.com>
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> Signed-off-by: Thomas Gleixner <tglx@kernel.org>
> Cc: Kees Cook <kees@kernel.org>
> Cc: Andy Lutomirski <luto@kernel.org>
> Cc: Oleg Nesterov <oleg@redhat.com>
> Cc: Richard Henderson <richard.henderson@linaro.org>
> Cc: Russell King <linux@armlinux.org.uk>
> Cc: Catalin Marinas <catalin.marinas@arm.com>
> Cc: Guo Ren <guoren@kernel.org>
> Cc: Geert Uytterhoeven <geert@linux-m68k.org>
> Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
> Cc: Helge Deller <deller@gmx.de>
> Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
> Cc: Richard Weinberger <richard@nod.at>
> Cc: Chris Zankel <chris@zankel.net>
> Cc: linux-arm-kernel@lists.infradead.org
> Cc: linux-alpha@vger.kernel.org
> Cc: linux-csky@vger.kernel.org
> Cc: linux-m68k@lists.linux-m68k.org
> Cc: linux-mips@vger.kernel.org
> Cc: linux-parisc@vger.kernel.org
> Cc: linux-sh@vger.kernel.org
> Cc: linux-um@lists.infradead.org
> ---
> arch/alpha/kernel/ptrace.c | 2 -
> arch/arm/kernel/ptrace.c | 2 -
> arch/arm64/kernel/ptrace.c | 2 -
> arch/csky/kernel/ptrace.c | 2 -
> arch/m68k/kernel/ptrace.c | 2 -
> arch/mips/kernel/ptrace.c | 2 -
> arch/parisc/kernel/ptrace.c | 2 -
> arch/sh/kernel/ptrace_32.c | 2 -
> arch/um/kernel/skas/syscall.c | 2 -
> arch/x86/entry/vsyscall/vsyscall_64.c | 14 ++++++-------
> arch/xtensa/kernel/ptrace.c | 3 --
> include/linux/entry-common.h | 9 +++-----
> include/linux/seccomp.h | 12 +++++------
> kernel/seccomp.c | 35 +++++++++++++++++-----------------
> 14 files changed, 45 insertions(+), 46 deletions(-)
As Ada pointed out, the description of secure_computing in arch/Kconfig
need to be updated, a possible suggestion:
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -636,8 +636,8 @@ config HAVE_ARCH_SECCOMP_FILTER
- syscall_rollback()
- syscall_set_return_value()
- SIGSYS siginfo_t support
- - secure_computing is called from a ptrace_event()-safe context
- - secure_computing return value is checked and a return value
of -1
+ - seccomp_permits_syscall is called from a ptrace_event()-safe
context
+ - seccomp_permits_syscall return value is checked and if false
Link:
https://lore.kernel.org/all/b8f3b5cd-8d8a-4396-ba0c-011a83234dd9@arm.com/
> --- a/arch/alpha/kernel/ptrace.c
> +++ b/arch/alpha/kernel/ptrace.c
> @@ -387,7 +387,7 @@ asmlinkage unsigned long syscall_trace_e
> * If this fails, seccomp may already have set up the return value
> * (e.g. SECCOMP_RET_ERRNO / TRACE).
> */
> - if (secure_computing() == -1) {
> + if (!seccomp_permit_syscall()) {
> if (regs->r19 == 0 && regs->r0 == (unsigned long)-1)
> syscall_set_return_value(current, regs, -ENOSYS, 0);
> syscall_set_nr(current, regs, -1);
[...]
> -static int __seccomp_filter(int this_syscall, const bool recheck_after_trace)
> +static bool __seccomp_filter(int this_syscall, const bool recheck_after_trace)
> {
> u32 filter_ret, action;
> struct seccomp_data sd;
> @@ -1294,7 +1295,7 @@ static int __seccomp_filter(int this_sys
> case SECCOMP_RET_TRACE:
> /* We've been put in this state by the ptracer already. */
> if (recheck_after_trace)
> - return 0;
> + return true;
>
> /* ENOSYS these calls if there is no tracer attached. */
> if (!ptrace_event_enabled(current, PTRACE_EVENT_SECCOMP)) {
> @@ -1330,19 +1331,19 @@ static int __seccomp_filter(int this_sys
> * a skip would have already been reported.
> */
> if (__seccomp_filter(this_syscall, true))
> - return -1;
> + return false;
The return value of __seccomp_filter is checked in the wrong way, check
-1 should be replaced with check false, maybe:
- if (__seccomp_filter(this_syscall, true))
- return -1;
+ if (!__seccomp_filter(this_syscall, true))
+ return false;
otherwise,
LGTM
Reviewed-by: Jinjie Ruan <ruanjinjie@huawei.com>
>
> - return 0;
> + return true;
>
> case SECCOMP_RET_USER_NOTIF:
> if (seccomp_do_user_notification(this_syscall, match, &sd))
> goto skip;
>
> - return 0;
> + return true;
>
> case SECCOMP_RET_LOG:
> seccomp_log(this_syscall, 0, action, true);
> - return 0;
> + return true;
>
> case SECCOMP_RET_ALLOW:
> /*
> @@ -1350,7 +1351,7 @@ static int __seccomp_filter(int this_sys
> * this action since SECCOMP_RET_ALLOW is the starting
> * state in seccomp_run_filters().
> */
> - return 0;
> + return true;
>
> case SECCOMP_RET_KILL_THREAD:
> case SECCOMP_RET_KILL_PROCESS:
> @@ -1367,46 +1368,46 @@ static int __seccomp_filter(int this_sys
> } else {
> do_exit(SIGSYS);
> }
> - return -1; /* skip the syscall go directly to signal handling */
> + return false; /* skip the syscall go directly to signal handling */
> }
>
> unreachable();
>
> skip:
> seccomp_log(this_syscall, 0, action, match ? match->log : false);
> - return -1;
> + return false;
> }
> #else
> -static int __seccomp_filter(int this_syscall, const bool recheck_after_trace)
> +static bool __seccomp_filter(int this_syscall, const bool recheck_after_trace)
> {
> BUG();
>
> - return -1;
> + return false;
> }
> #endif
>
> -int __secure_computing(void)
> +bool __seccomp_permit_syscall(void)
> {
> int mode = current->seccomp.mode;
> int this_syscall;
>
> if (IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) &&
> unlikely(current->ptrace & PT_SUSPEND_SECCOMP))
> - return 0;
> + return true;
>
> this_syscall = syscall_get_nr(current, current_pt_regs());
>
> switch (mode) {
> case SECCOMP_MODE_STRICT:
> __secure_computing_strict(this_syscall); /* may call do_exit */
> - return 0;
> + return true;
> case SECCOMP_MODE_FILTER:
> return __seccomp_filter(this_syscall, false);
> /* Surviving SECCOMP_RET_KILL_* must be proactively impossible. */
> case SECCOMP_MODE_DEAD:
> WARN_ON_ONCE(1);
> do_exit(SIGKILL);
> - return -1;
> + return false;
> default:
> BUG();
> }
>
next prev parent reply other threads:[~2026-07-08 1:43 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-07 19:05 [patch 00/18] entry: Consolidate and rework syscall entry handling Thomas Gleixner
2026-07-07 19:05 ` [patch 01/18] powerpc: Move stack randomization after syscall_enter_from_user_mode() Thomas Gleixner
2026-07-08 14:07 ` Shrikanth Hegde
2026-07-08 17:22 ` Radu Rendec
2026-07-09 1:20 ` Jinjie Ruan
2026-07-09 11:12 ` Philippe Mathieu-Daudé
2026-07-09 18:32 ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 02/18] randomize_kstack: Provide add_random_kstack_offset_irqsoff() Thomas Gleixner
2026-07-08 17:24 ` Radu Rendec
2026-07-09 2:13 ` Jinjie Ruan
2026-07-09 16:23 ` Kees Cook
2026-07-09 18:34 ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 03/18] entry: Provide [syscall_]enter_from_user_mode_randomize_stack() Thomas Gleixner
2026-07-08 17:26 ` Radu Rendec
2026-07-09 2:34 ` Jinjie Ruan
2026-07-09 3:46 ` Jinjie Ruan
2026-07-09 11:15 ` Philippe Mathieu-Daudé
2026-07-09 20:16 ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 04/18] loongarch/syscall: Use syscall_enter_from_user_mode_randomize_stack() Thomas Gleixner
2026-07-08 18:37 ` Radu Rendec
2026-07-09 2:37 ` Jinjie Ruan
2026-07-09 11:15 ` Philippe Mathieu-Daudé
2026-07-09 18:40 ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 05/18] powerpc/syscall: " Thomas Gleixner
2026-07-08 18:35 ` Radu Rendec
2026-07-09 2:38 ` Jinjie Ruan
2026-07-09 11:16 ` Philippe Mathieu-Daudé
2026-07-09 18:41 ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 06/18] riscv/syscall: " Thomas Gleixner
2026-07-08 20:57 ` Radu Rendec
2026-07-09 2:38 ` Jinjie Ruan
2026-07-09 11:16 ` Philippe Mathieu-Daudé
2026-07-09 18:42 ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 07/18] s390/syscall: Use enter_from_user_mode_randomize_stack() Thomas Gleixner
2026-07-08 6:47 ` Sven Schnelle
2026-07-08 20:57 ` Radu Rendec
2026-07-09 2:39 ` Jinjie Ruan
2026-07-09 2:46 ` Jinjie Ruan
2026-07-09 11:17 ` Philippe Mathieu-Daudé
2026-07-09 18:43 ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 08/18] x86/syscall: Use [syscall_]enter_from_user_mode_randomize_stack() Thomas Gleixner
2026-07-08 20:59 ` Radu Rendec
2026-07-09 2:44 ` Jinjie Ruan
2026-07-09 11:18 ` Philippe Mathieu-Daudé
2026-07-09 18:45 ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 09/18] entry: Remove syscall_enter_from_user_mode() Thomas Gleixner
2026-07-08 21:21 ` Radu Rendec
2026-07-08 22:08 ` Thomas Gleixner
2026-07-09 2:49 ` Jinjie Ruan
2026-07-09 18:49 ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 10/18] entry: Use syscall number instead of rereading it Thomas Gleixner
2026-07-08 21:39 ` Radu Rendec
2026-07-09 2:55 ` Jinjie Ruan
2026-07-09 11:20 ` Philippe Mathieu-Daudé
2026-07-09 11:22 ` Philippe Mathieu-Daudé
2026-07-09 18:50 ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 11/18] seccomp, treewide: Rename and convert __secure_computing() to return boolean Thomas Gleixner
2026-07-08 1:43 ` Jinjie Ruan [this message]
2026-07-08 9:15 ` Thomas Gleixner
2026-07-08 16:04 ` Oleg Nesterov
2026-07-08 21:49 ` Thomas Gleixner
2026-07-09 16:22 ` Kees Cook
2026-07-09 19:10 ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 12/18] ptrace, treewide: Rename ptrace_report_syscall_entry() to ptrace_report_syscall_permit_entry() Thomas Gleixner
2026-07-08 15:46 ` Oleg Nesterov
2026-07-09 1:41 ` Jinjie Ruan
2026-07-09 8:41 ` Geert Uytterhoeven
2026-07-09 17:03 ` Radu Rendec
2026-07-09 19:22 ` Mukesh Kumar Chaurasiya
2026-07-10 10:42 ` Michal Suchánek
2026-07-10 11:16 ` Oleg Nesterov
2026-07-07 19:06 ` [patch 13/18] entry: Make trace_syscall_enter() return type bool Thomas Gleixner
2026-07-08 15:52 ` Michal Suchánek
2026-07-08 20:34 ` Thomas Gleixner
2026-07-08 23:14 ` Thomas Gleixner
2026-07-09 16:26 ` David Laight
2026-07-10 11:01 ` Michal Suchánek
2026-07-10 11:40 ` Oleg Nesterov
2026-07-10 12:32 ` Michal Suchánek
2026-07-10 12:52 ` Oleg Nesterov
2026-07-10 15:20 ` Michal Suchánek
2026-07-07 19:06 ` [patch 14/18] entry: Make return type of syscall_trace_enter() bool Thomas Gleixner
2026-07-09 19:36 ` Mukesh Kumar Chaurasiya
2026-07-07 19:06 ` [patch 15/18] x86/entry: Make syscall functions static Thomas Gleixner
2026-07-09 1:47 ` Jinjie Ruan
2026-07-09 19:43 ` Mukesh Kumar Chaurasiya
2026-07-07 19:07 ` [patch 16/18] x86/entry: Get rid of the sys_ni_syscall() indirection Thomas Gleixner
2026-07-09 2:03 ` Jinjie Ruan
2026-07-07 19:07 ` [patch 17/18] x86/entry: Simplify the syscall number logic Thomas Gleixner
2026-07-07 19:07 ` [patch 18/18] entry, treewide: Make syscall_enter_from_user_mode[_work]() indicate syscall execution Thomas Gleixner
2026-07-08 5:21 ` Shrikanth Hegde
2026-07-08 9:16 ` Thomas Gleixner
2026-07-09 19:49 ` Mukesh Kumar Chaurasiya
2026-07-09 20:15 ` [patch 00/18] entry: Consolidate and rework syscall entry handling Mukesh Kumar Chaurasiya
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2e6ed364-ce8f-4b4b-8675-acd07f140f4f@huawei.com \
--to=ruanjinjie@huawei.com \
--cc=andreas@gaisler.com \
--cc=arnd@arndb.de \
--cc=bcain@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=chenhuacai@kernel.org \
--cc=chris@zankel.net \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=deller@gmx.de \
--cc=dinguyen@kernel.org \
--cc=geert@linux-m68k.org \
--cc=guoren@kernel.org \
--cc=kees@kernel.org \
--cc=linux-alpha@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-csky@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-hexagon@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-m68k@lists.linux-m68k.org \
--cc=linux-mips@vger.kernel.org \
--cc=linux-openrisc@vger.kernel.org \
--cc=linux-parisc@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux-sh@vger.kernel.org \
--cc=linux-snps-arc@lists.infradead.org \
--cc=linux-um@lists.infradead.org \
--cc=linux@armlinux.org.uk \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=loongarch@lists.linux.dev \
--cc=luto@kernel.org \
--cc=mark.rutland@arm.com \
--cc=monstr@monstr.eu \
--cc=mpe@ellerman.id.au \
--cc=msuchanek@suse.de \
--cc=oleg@redhat.com \
--cc=palmer@dabbelt.com \
--cc=peterz@infradead.org \
--cc=pjw@kernel.org \
--cc=richard.henderson@linaro.org \
--cc=richard@nod.at \
--cc=sparclinux@vger.kernel.org \
--cc=sshegde@linux.ibm.com \
--cc=svens@linux.ibm.com \
--cc=tglx@kernel.org \
--cc=tsbogend@alpha.franken.de \
--cc=vgupta@kernel.org \
--cc=will@kernel.org \
--cc=x86@kernel.org \
--cc=ysato@users.sourceforge.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox