* Re: [PATCH] prctl: document new seccomp options
[not found] ` <1344050926-2810-1-git-send-email-shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
@ 2012-08-04 3:37 ` shawn
2012-08-04 18:39 ` shawn
2012-08-04 19:20 ` shawn
2 siblings, 0 replies; 4+ messages in thread
From: shawn @ 2012-08-04 3:37 UTC (permalink / raw)
To: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w; +Cc: linux-man-u79uwXL29TY76Z2rM5mHXA
[-- Attachment #1: Type: text/plain, Size: 4343 bytes --]
Version with in-source changelog updated
On Fri, 2012-08-03 at 20:28 -0700, Shawn Landden wrote:
> ---
> man2/prctl.2 | 71 +++++++++++++++++++++++++++++++++++++++++++++-------------
> 1 file changed, 55 insertions(+), 16 deletions(-)
>
> diff --git a/man2/prctl.2 b/man2/prctl.2
> index eb53aa8..383e2a8 100644
> --- a/man2/prctl.2
> +++ b/man2/prctl.2
> @@ -45,7 +45,7 @@
> .\" FIXME: Document PR_SET_TIMERSLACK and PR_GET_TIMERSLACK (new in 2.6.28)
> .\" commit 6976675d94042fbd446231d1bd8b7de71a980ada
> .\"
> -.TH PRCTL 2 2012-04-23 "Linux" "Linux Programmer's Manual"
> +.TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
> .SH NAME
> prctl \- operations on a process
> .SH SYNOPSIS
> @@ -231,16 +231,44 @@ Return the current value of the parent process death signal,
> in the location pointed to by
> .IR "(int\ *) arg2" .
> .TP
> -.BR PR_SET_SECCOMP " (since Linux 2.6.23)"
> +.BR PR_SET_NO_NEW_PRIVS " (since Linux 3.4)"
> +After being set, operations that grant new privileges (i.e. execve)
> +will either fail or not grant them. This affects suid/sgid,
> +file capabilities, and LSMs.
> +
> +Operations that merely manipulate or drop existing privileges (setresuid,
> +capset, etc.) will still work. Drop those privileges if you want them gone.
> +
> +Changing LSM security domain is considered a new privilege. So, for example,
> +asking selinux for a specific new context (e.g. with runcon) will result
> +in execve returning -EPERM. See
> +.IR Documentation/prctl/no_new_privs.txt
> +for more details.
> +.TP
> +.BR PR_GET_NO_NEW_PRIVS " (since Linux 3.4)"
> +Return the no_new_privs status of the calling thread. Returns 1 if set and 0
> +if not set.
> +.TP
> +.BR PR_SET_SECCOMP
> .\" See http://thread.gmane.org/gmane.linux.kernel/542632
> .\" [PATCH 0 of 2] seccomp updates
> .\" andrea-Vyt77T80VFVWk0Htik3J/w@public.gmane.org
> -Set the secure computing mode for the calling thread.
> -In the current implementation,
> -.IR arg2
> -must be 1.
> -After the secure computing mode has been set to 1,
> -the only system calls that the thread is permitted to make are
> +Set the secure computing mode for the calling thread. Secure computing mode is
> +useful for number-crunching applications
> +that may need to execute untrusted byte code,
> +perhaps obtained by reading from a pipe or socket.
> +These operations are only available
> +if the kernel is configured with
> +.BR CONFIG_SECCOMP
> +or
> +.BR SECCOMP_FILTER
> +enabled, respectively. The value in
> +.I arg2
> +is one of the options below.
> +.RS
> +.TP
> +.BR SECCOMP_MODE_STRICT " (since Linux 2.6.23)"
> +The only system calls that the thread is permitted to make are
> .BR read (2),
> .BR write (2),
> .BR _exit (2),
> @@ -249,11 +277,20 @@ and
> Other system calls result in the delivery of a
> .BR SIGKILL
> signal.
> -Secure computing mode is useful for number-crunching applications
> -that may need to execute untrusted byte code,
> -perhaps obtained by reading from a pipe or socket.
> -This operation is only available
> -if the kernel is configured with CONFIG_SECCOMP enabled.
> +.TP
> +.BR SECCOMP_MODE_FILTER " (since Linux 3.5 on x86)"
> +Filter syscalls based on a user supplied program of type
> +.BR "struct seccomp_data"
> +in
> +.IR arg3 .
> +In order to use
> +.BR SECCOMP_MODE_FILTER
> +as a non-root user, you must
> +first set
> +.BR PR_SET_NO_NEW_PRIVS
> +to 1.
> +
> +.RE
> .TP
> .BR PR_GET_SECCOMP " (since Linux 2.6.23)"
> Return the secure computing mode of the calling thread.
> @@ -265,8 +302,6 @@ if the caller is in secure computing mode, then the
> call will cause a
> .B SIGKILL
> signal to be sent to the process.
> -This operation is only available
> -if the kernel is configured with CONFIG_SECCOMP enabled.
> .TP
> .BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
> Set the "securebits" flags of the calling thread to the value supplied in
> @@ -579,6 +614,10 @@ or
> .BR PR_MCE_KILL_GET
> or
> .BR PR_SET_MM ,
> +or
> +.BR PR_SET_NO_NEW_PRIVS ,
> +or
> +.BR PR_GET_NO_NEW_PRIVS ,
> and unused
> .BR prctl ()
> arguments were not specified as zero.
> @@ -593,7 +632,7 @@ is not valid value for this
> is
> .BR PR_SET_SECCOMP
> or
> -.BR PR_SET_SECCOMP ,
> +.BR PR_GET_SECCOMP ,
> and the kernel was not configured with
> .BR CONFIG_SECCOMP .
> .TP
--
-Shawn Landden
[-- Attachment #2: 0001-prctl-document-new-seccomp-options.patch --]
[-- Type: text/x-patch, Size: 4226 bytes --]
>From ac7dcfc5e06f79e9200288c2312f763f9ab65432 Mon Sep 17 00:00:00 2001
From: Shawn Landden <shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Date: Fri, 3 Aug 2012 20:28:00 -0700
Subject: [PATCH] prctl: document new seccomp options
---
man2/prctl.2 | 71 +++++++++++++++++++++++++++++++++++++++++++++-------------
1 file changed, 55 insertions(+), 16 deletions(-)
diff --git a/man2/prctl.2 b/man2/prctl.2
index eb53aa8..383e2a8 100644
--- a/man2/prctl.2
+++ b/man2/prctl.2
@@ -45,7 +45,7 @@
.\" FIXME: Document PR_SET_TIMERSLACK and PR_GET_TIMERSLACK (new in 2.6.28)
.\" commit 6976675d94042fbd446231d1bd8b7de71a980ada
.\"
-.TH PRCTL 2 2012-04-23 "Linux" "Linux Programmer's Manual"
+.TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
.SH NAME
prctl \- operations on a process
.SH SYNOPSIS
@@ -231,16 +231,44 @@ Return the current value of the parent process death signal,
in the location pointed to by
.IR "(int\ *) arg2" .
.TP
-.BR PR_SET_SECCOMP " (since Linux 2.6.23)"
+.BR PR_SET_NO_NEW_PRIVS " (since Linux 3.4)"
+After being set, operations that grant new privileges (i.e. execve)
+will either fail or not grant them. This affects suid/sgid,
+file capabilities, and LSMs.
+
+Operations that merely manipulate or drop existing privileges (setresuid,
+capset, etc.) will still work. Drop those privileges if you want them gone.
+
+Changing LSM security domain is considered a new privilege. So, for example,
+asking selinux for a specific new context (e.g. with runcon) will result
+in execve returning -EPERM. See
+.IR Documentation/prctl/no_new_privs.txt
+for more details.
+.TP
+.BR PR_GET_NO_NEW_PRIVS " (since Linux 3.4)"
+Return the no_new_privs status of the calling thread. Returns 1 if set and 0
+if not set.
+.TP
+.BR PR_SET_SECCOMP
.\" See http://thread.gmane.org/gmane.linux.kernel/542632
.\" [PATCH 0 of 2] seccomp updates
.\" andrea-Vyt77T80VFVWk0Htik3J/w@public.gmane.org
-Set the secure computing mode for the calling thread.
-In the current implementation,
-.IR arg2
-must be 1.
-After the secure computing mode has been set to 1,
-the only system calls that the thread is permitted to make are
+Set the secure computing mode for the calling thread. Secure computing mode is
+useful for number-crunching applications
+that may need to execute untrusted byte code,
+perhaps obtained by reading from a pipe or socket.
+These operations are only available
+if the kernel is configured with
+.BR CONFIG_SECCOMP
+or
+.BR SECCOMP_FILTER
+enabled, respectively. The value in
+.I arg2
+is one of the options below.
+.RS
+.TP
+.BR SECCOMP_MODE_STRICT " (since Linux 2.6.23)"
+The only system calls that the thread is permitted to make are
.BR read (2),
.BR write (2),
.BR _exit (2),
@@ -249,11 +277,20 @@ and
Other system calls result in the delivery of a
.BR SIGKILL
signal.
-Secure computing mode is useful for number-crunching applications
-that may need to execute untrusted byte code,
-perhaps obtained by reading from a pipe or socket.
-This operation is only available
-if the kernel is configured with CONFIG_SECCOMP enabled.
+.TP
+.BR SECCOMP_MODE_FILTER " (since Linux 3.5 on x86)"
+Filter syscalls based on a user supplied program of type
+.BR "struct seccomp_data"
+in
+.IR arg3 .
+In order to use
+.BR SECCOMP_MODE_FILTER
+as a non-root user, you must
+first set
+.BR PR_SET_NO_NEW_PRIVS
+to 1.
+
+.RE
.TP
.BR PR_GET_SECCOMP " (since Linux 2.6.23)"
Return the secure computing mode of the calling thread.
@@ -265,8 +302,6 @@ if the caller is in secure computing mode, then the
call will cause a
.B SIGKILL
signal to be sent to the process.
-This operation is only available
-if the kernel is configured with CONFIG_SECCOMP enabled.
.TP
.BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
Set the "securebits" flags of the calling thread to the value supplied in
@@ -579,6 +614,10 @@ or
.BR PR_MCE_KILL_GET
or
.BR PR_SET_MM ,
+or
+.BR PR_SET_NO_NEW_PRIVS ,
+or
+.BR PR_GET_NO_NEW_PRIVS ,
and unused
.BR prctl ()
arguments were not specified as zero.
@@ -593,7 +632,7 @@ is not valid value for this
is
.BR PR_SET_SECCOMP
or
-.BR PR_SET_SECCOMP ,
+.BR PR_GET_SECCOMP ,
and the kernel was not configured with
.BR CONFIG_SECCOMP .
.TP
--
1.7.9.5
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH] prctl: document new seccomp options
[not found] ` <1344050926-2810-1-git-send-email-shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2012-08-04 3:37 ` shawn
@ 2012-08-04 18:39 ` shawn
2012-08-04 19:20 ` shawn
2 siblings, 0 replies; 4+ messages in thread
From: shawn @ 2012-08-04 18:39 UTC (permalink / raw)
To: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w; +Cc: linux-man-u79uwXL29TY76Z2rM5mHXA
[-- Attachment #1: Type: text/plain, Size: 4404 bytes --]
more thorough --
where should
#include <linux/seccomp.h>
be specified as needed for some constants?
On Fri, 2012-08-03 at 20:28 -0700, Shawn Landden wrote:
> ---
> man2/prctl.2 | 71 +++++++++++++++++++++++++++++++++++++++++++++-------------
> 1 file changed, 55 insertions(+), 16 deletions(-)
>
> diff --git a/man2/prctl.2 b/man2/prctl.2
> index eb53aa8..383e2a8 100644
> --- a/man2/prctl.2
> +++ b/man2/prctl.2
> @@ -45,7 +45,7 @@
> .\" FIXME: Document PR_SET_TIMERSLACK and PR_GET_TIMERSLACK (new in 2.6.28)
> .\" commit 6976675d94042fbd446231d1bd8b7de71a980ada
> .\"
> -.TH PRCTL 2 2012-04-23 "Linux" "Linux Programmer's Manual"
> +.TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
> .SH NAME
> prctl \- operations on a process
> .SH SYNOPSIS
> @@ -231,16 +231,44 @@ Return the current value of the parent process death signal,
> in the location pointed to by
> .IR "(int\ *) arg2" .
> .TP
> -.BR PR_SET_SECCOMP " (since Linux 2.6.23)"
> +.BR PR_SET_NO_NEW_PRIVS " (since Linux 3.4)"
> +After being set, operations that grant new privileges (i.e. execve)
> +will either fail or not grant them. This affects suid/sgid,
> +file capabilities, and LSMs.
> +
> +Operations that merely manipulate or drop existing privileges (setresuid,
> +capset, etc.) will still work. Drop those privileges if you want them gone.
> +
> +Changing LSM security domain is considered a new privilege. So, for example,
> +asking selinux for a specific new context (e.g. with runcon) will result
> +in execve returning -EPERM. See
> +.IR Documentation/prctl/no_new_privs.txt
> +for more details.
> +.TP
> +.BR PR_GET_NO_NEW_PRIVS " (since Linux 3.4)"
> +Return the no_new_privs status of the calling thread. Returns 1 if set and 0
> +if not set.
> +.TP
> +.BR PR_SET_SECCOMP
> .\" See http://thread.gmane.org/gmane.linux.kernel/542632
> .\" [PATCH 0 of 2] seccomp updates
> .\" andrea-Vyt77T80VFVWk0Htik3J/w@public.gmane.org
> -Set the secure computing mode for the calling thread.
> -In the current implementation,
> -.IR arg2
> -must be 1.
> -After the secure computing mode has been set to 1,
> -the only system calls that the thread is permitted to make are
> +Set the secure computing mode for the calling thread. Secure computing mode is
> +useful for number-crunching applications
> +that may need to execute untrusted byte code,
> +perhaps obtained by reading from a pipe or socket.
> +These operations are only available
> +if the kernel is configured with
> +.BR CONFIG_SECCOMP
> +or
> +.BR SECCOMP_FILTER
> +enabled, respectively. The value in
> +.I arg2
> +is one of the options below.
> +.RS
> +.TP
> +.BR SECCOMP_MODE_STRICT " (since Linux 2.6.23)"
> +The only system calls that the thread is permitted to make are
> .BR read (2),
> .BR write (2),
> .BR _exit (2),
> @@ -249,11 +277,20 @@ and
> Other system calls result in the delivery of a
> .BR SIGKILL
> signal.
> -Secure computing mode is useful for number-crunching applications
> -that may need to execute untrusted byte code,
> -perhaps obtained by reading from a pipe or socket.
> -This operation is only available
> -if the kernel is configured with CONFIG_SECCOMP enabled.
> +.TP
> +.BR SECCOMP_MODE_FILTER " (since Linux 3.5 on x86)"
> +Filter syscalls based on a user supplied program of type
> +.BR "struct seccomp_data"
> +in
> +.IR arg3 .
> +In order to use
> +.BR SECCOMP_MODE_FILTER
> +as a non-root user, you must
> +first set
> +.BR PR_SET_NO_NEW_PRIVS
> +to 1.
> +
> +.RE
> .TP
> .BR PR_GET_SECCOMP " (since Linux 2.6.23)"
> Return the secure computing mode of the calling thread.
> @@ -265,8 +302,6 @@ if the caller is in secure computing mode, then the
> call will cause a
> .B SIGKILL
> signal to be sent to the process.
> -This operation is only available
> -if the kernel is configured with CONFIG_SECCOMP enabled.
> .TP
> .BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
> Set the "securebits" flags of the calling thread to the value supplied in
> @@ -579,6 +614,10 @@ or
> .BR PR_MCE_KILL_GET
> or
> .BR PR_SET_MM ,
> +or
> +.BR PR_SET_NO_NEW_PRIVS ,
> +or
> +.BR PR_GET_NO_NEW_PRIVS ,
> and unused
> .BR prctl ()
> arguments were not specified as zero.
> @@ -593,7 +632,7 @@ is not valid value for this
> is
> .BR PR_SET_SECCOMP
> or
> -.BR PR_SET_SECCOMP ,
> +.BR PR_GET_SECCOMP ,
> and the kernel was not configured with
> .BR CONFIG_SECCOMP .
> .TP
--
-Shawn Landden
[-- Attachment #2: 0001-prctl.2-document-new-seccomp-options.patch --]
[-- Type: text/x-patch, Size: 5603 bytes --]
>From 038f59ce3c372cac1d7a9dc56ef30831ef58fc0b Mon Sep 17 00:00:00 2001
From: Shawn Landden <shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Date: Fri, 3 Aug 2012 20:28:00 -0700
Subject: [PATCH] prctl.2: document new seccomp options
the seccomp stuff requires
But I am not sure where/how to specify that.
---
man2/prctl.2 | 98 +++++++++++++++++++++++++++++++++++++++++++---------------
1 file changed, 73 insertions(+), 25 deletions(-)
diff --git a/man2/prctl.2 b/man2/prctl.2
index eb53aa8..cf0272e 100644
--- a/man2/prctl.2
+++ b/man2/prctl.2
@@ -41,11 +41,14 @@
.\" 2012-04 Cyrill Gorcunov, Document PR_SET_MM
.\" 2012-04-25 Michael Kerrisk, Document PR_TASK_PERF_EVENTS_DISABLE and
.\" PR_TASK_PERF_EVENTS_ENABLE
+.\" 2012-08-03 Shawn Landden, Document PR_SET_NO_NEW_PRIVS, PR_GET_NO_NEW_PRIVS,
+.\" SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER
+.\" (thx Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> 259e5e6c)
.\"
.\" FIXME: Document PR_SET_TIMERSLACK and PR_GET_TIMERSLACK (new in 2.6.28)
.\" commit 6976675d94042fbd446231d1bd8b7de71a980ada
.\"
-.TH PRCTL 2 2012-04-23 "Linux" "Linux Programmer's Manual"
+.TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
.SH NAME
prctl \- operations on a process
.SH SYNOPSIS
@@ -231,16 +234,44 @@ Return the current value of the parent process death signal,
in the location pointed to by
.IR "(int\ *) arg2" .
.TP
+.BR PR_SET_NO_NEW_PRIVS " (since Linux 3.4)"
+After being set, operations that grant new privileges (i.e. execve)
+will either fail or not grant them. This affects suid/sgid,
+file capabilities, and LSMs.
+
+Operations that merely manipulate or drop existing privileges (setresuid,
+capset, etc.) will still work. Drop those privileges if you want them gone.
+
+Changing LSM security domain is considered a new privilege. So, for example,
+asking selinux for a specific new context (e.g. with runcon) will result
+in execve returning -EPERM. See
+.IR Documentation/prctl/no_new_privs.txt
+for more details.
+.TP
+.BR PR_GET_NO_NEW_PRIVS " (since Linux 3.4)"
+Return the no_new_privs status of the calling thread. Returns 1 if set and 0
+if not set.
+.TP
.BR PR_SET_SECCOMP " (since Linux 2.6.23)"
.\" See http://thread.gmane.org/gmane.linux.kernel/542632
.\" [PATCH 0 of 2] seccomp updates
.\" andrea-Vyt77T80VFVWk0Htik3J/w@public.gmane.org
-Set the secure computing mode for the calling thread.
-In the current implementation,
-.IR arg2
-must be 1.
-After the secure computing mode has been set to 1,
-the only system calls that the thread is permitted to make are
+Set the secure computing mode for the calling thread. Secure computing mode is
+useful for number-crunching applications
+that may need to execute untrusted byte code,
+perhaps obtained by reading from a pipe or socket.
+These operations are only available
+if the kernel is configured with
+.BR CONFIG_SECCOMP
+or
+.BR SECCOMP_FILTER
+enabled, respectively. The value in
+.I arg2
+is one of the options below.
+.RS
+.TP
+.BR SECCOMP_MODE_STRICT
+The only system calls that the thread is permitted to make are
.BR read (2),
.BR write (2),
.BR _exit (2),
@@ -249,24 +280,35 @@ and
Other system calls result in the delivery of a
.BR SIGKILL
signal.
-Secure computing mode is useful for number-crunching applications
-that may need to execute untrusted byte code,
-perhaps obtained by reading from a pipe or socket.
-This operation is only available
-if the kernel is configured with CONFIG_SECCOMP enabled.
+.TP
+.BR SECCOMP_MODE_FILTER " (since Linux 3.5 on x86)"
+Filter syscalls based on a user supplied program of type
+.BR "struct seccomp_data"
+in
+.IR arg3 .
+In order to use
+.BR SECCOMP_MODE_FILTER
+as a non-root user, you must
+first set
+.BR PR_SET_NO_NEW_PRIVS
+to 1.
+
+.RE
.TP
.BR PR_GET_SECCOMP " (since Linux 2.6.23)"
-Return the secure computing mode of the calling thread.
-Not very useful for the current implementation (mode equals 1),
-but may be useful for other possible future modes:
-if the caller is not in secure computing mode, this operation returns 0;
-if the caller is in secure computing mode, then the
+Return the secure computing mode of the calling thread. Returns
+.BR SECCOMP_MODE_DISABLED ,
+.BR SECCOMP_MODE_STRICT ,
+or
+.BR SECCOMP_MODE_FILTER .
+If the caller is in secure computing mode, then the
.BR prctl ()
call will cause a
.B SIGKILL
signal to be sent to the process.
-This operation is only available
-if the kernel is configured with CONFIG_SECCOMP enabled.
+This operation is only available if the kernel is configured with
+.BR CONFIG_SECCOMP
+enabled.
.TP
.BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
Set the "securebits" flags of the calling thread to the value supplied in
@@ -551,6 +593,7 @@ On success,
.BR PR_GET_TIMING ,
.BR PR_GET_SECUREBITS ,
.BR PR_MCE_KILL_GET ,
+.BR PR_GET_NO_NEW_PRIVS ,
and (if it returns)
.BR PR_GET_SECCOMP
return the nonnegative values described above.
@@ -579,6 +622,10 @@ or
.BR PR_MCE_KILL_GET
or
.BR PR_SET_MM ,
+or
+.BR PR_SET_NO_NEW_PRIVS ,
+or
+.BR PR_GET_NO_NEW_PRIVS ,
and unused
.BR prctl ()
arguments were not specified as zero.
@@ -593,9 +640,15 @@ is not valid value for this
is
.BR PR_SET_SECCOMP
or
-.BR PR_SET_SECCOMP ,
+.BR PR_GET_SECCOMP ,
and the kernel was not configured with
.BR CONFIG_SECCOMP .
+(or
+.BR CONFIG_SECCOMP_FILTER
+if
+.I arg2
+is
+.BR SECCOMP_MODE_FILTER )
.TP
.B EINVAL
.I option
@@ -603,11 +656,6 @@ is
.BR PR_SET_MM ,
and one of the following is true
.RS
-.IP * 3
-.I arg4
-or
-.I arg5
-is nonzero;
.IP *
.I arg3
is greater than
--
1.7.9.5
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH] prctl: document new seccomp options
[not found] ` <1344050926-2810-1-git-send-email-shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2012-08-04 3:37 ` shawn
2012-08-04 18:39 ` shawn
@ 2012-08-04 19:20 ` shawn
2 siblings, 0 replies; 4+ messages in thread
From: shawn @ 2012-08-04 19:20 UTC (permalink / raw)
To: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w; +Cc: linux-man-u79uwXL29TY76Z2rM5mHXA
[-- Attachment #1: Type: text/plain, Size: 4326 bytes --]
even more documentation
On Fri, 2012-08-03 at 20:28 -0700, Shawn Landden wrote:
> ---
> man2/prctl.2 | 71 +++++++++++++++++++++++++++++++++++++++++++++-------------
> 1 file changed, 55 insertions(+), 16 deletions(-)
>
> diff --git a/man2/prctl.2 b/man2/prctl.2
> index eb53aa8..383e2a8 100644
> --- a/man2/prctl.2
> +++ b/man2/prctl.2
> @@ -45,7 +45,7 @@
> .\" FIXME: Document PR_SET_TIMERSLACK and PR_GET_TIMERSLACK (new in 2.6.28)
> .\" commit 6976675d94042fbd446231d1bd8b7de71a980ada
> .\"
> -.TH PRCTL 2 2012-04-23 "Linux" "Linux Programmer's Manual"
> +.TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
> .SH NAME
> prctl \- operations on a process
> .SH SYNOPSIS
> @@ -231,16 +231,44 @@ Return the current value of the parent process death signal,
> in the location pointed to by
> .IR "(int\ *) arg2" .
> .TP
> -.BR PR_SET_SECCOMP " (since Linux 2.6.23)"
> +.BR PR_SET_NO_NEW_PRIVS " (since Linux 3.4)"
> +After being set, operations that grant new privileges (i.e. execve)
> +will either fail or not grant them. This affects suid/sgid,
> +file capabilities, and LSMs.
> +
> +Operations that merely manipulate or drop existing privileges (setresuid,
> +capset, etc.) will still work. Drop those privileges if you want them gone.
> +
> +Changing LSM security domain is considered a new privilege. So, for example,
> +asking selinux for a specific new context (e.g. with runcon) will result
> +in execve returning -EPERM. See
> +.IR Documentation/prctl/no_new_privs.txt
> +for more details.
> +.TP
> +.BR PR_GET_NO_NEW_PRIVS " (since Linux 3.4)"
> +Return the no_new_privs status of the calling thread. Returns 1 if set and 0
> +if not set.
> +.TP
> +.BR PR_SET_SECCOMP
> .\" See http://thread.gmane.org/gmane.linux.kernel/542632
> .\" [PATCH 0 of 2] seccomp updates
> .\" andrea-Vyt77T80VFVWk0Htik3J/w@public.gmane.org
> -Set the secure computing mode for the calling thread.
> -In the current implementation,
> -.IR arg2
> -must be 1.
> -After the secure computing mode has been set to 1,
> -the only system calls that the thread is permitted to make are
> +Set the secure computing mode for the calling thread. Secure computing mode is
> +useful for number-crunching applications
> +that may need to execute untrusted byte code,
> +perhaps obtained by reading from a pipe or socket.
> +These operations are only available
> +if the kernel is configured with
> +.BR CONFIG_SECCOMP
> +or
> +.BR SECCOMP_FILTER
> +enabled, respectively. The value in
> +.I arg2
> +is one of the options below.
> +.RS
> +.TP
> +.BR SECCOMP_MODE_STRICT " (since Linux 2.6.23)"
> +The only system calls that the thread is permitted to make are
> .BR read (2),
> .BR write (2),
> .BR _exit (2),
> @@ -249,11 +277,20 @@ and
> Other system calls result in the delivery of a
> .BR SIGKILL
> signal.
> -Secure computing mode is useful for number-crunching applications
> -that may need to execute untrusted byte code,
> -perhaps obtained by reading from a pipe or socket.
> -This operation is only available
> -if the kernel is configured with CONFIG_SECCOMP enabled.
> +.TP
> +.BR SECCOMP_MODE_FILTER " (since Linux 3.5 on x86)"
> +Filter syscalls based on a user supplied program of type
> +.BR "struct seccomp_data"
> +in
> +.IR arg3 .
> +In order to use
> +.BR SECCOMP_MODE_FILTER
> +as a non-root user, you must
> +first set
> +.BR PR_SET_NO_NEW_PRIVS
> +to 1.
> +
> +.RE
> .TP
> .BR PR_GET_SECCOMP " (since Linux 2.6.23)"
> Return the secure computing mode of the calling thread.
> @@ -265,8 +302,6 @@ if the caller is in secure computing mode, then the
> call will cause a
> .B SIGKILL
> signal to be sent to the process.
> -This operation is only available
> -if the kernel is configured with CONFIG_SECCOMP enabled.
> .TP
> .BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
> Set the "securebits" flags of the calling thread to the value supplied in
> @@ -579,6 +614,10 @@ or
> .BR PR_MCE_KILL_GET
> or
> .BR PR_SET_MM ,
> +or
> +.BR PR_SET_NO_NEW_PRIVS ,
> +or
> +.BR PR_GET_NO_NEW_PRIVS ,
> and unused
> .BR prctl ()
> arguments were not specified as zero.
> @@ -593,7 +632,7 @@ is not valid value for this
> is
> .BR PR_SET_SECCOMP
> or
> -.BR PR_SET_SECCOMP ,
> +.BR PR_GET_SECCOMP ,
> and the kernel was not configured with
> .BR CONFIG_SECCOMP .
> .TP
--
-Shawn Landden
[-- Attachment #2: 0001-prctl.2-document-new-seccomp-options.patch --]
[-- Type: text/x-patch, Size: 6342 bytes --]
>From 72638832226da22d787344d97155005ceb521ee5 Mon Sep 17 00:00:00 2001
From: Shawn Landden <shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Date: Fri, 3 Aug 2012 20:28:00 -0700
Subject: [PATCH] prctl.2: document new seccomp options
the seccomp stuff requires
#include <linux/seccomp.h>
But I am not sure where/how to specify that.
---
man2/prctl.2 | 125 ++++++++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 100 insertions(+), 25 deletions(-)
diff --git a/man2/prctl.2 b/man2/prctl.2
index eb53aa8..0b65fbb 100644
--- a/man2/prctl.2
+++ b/man2/prctl.2
@@ -41,11 +41,14 @@
.\" 2012-04 Cyrill Gorcunov, Document PR_SET_MM
.\" 2012-04-25 Michael Kerrisk, Document PR_TASK_PERF_EVENTS_DISABLE and
.\" PR_TASK_PERF_EVENTS_ENABLE
+.\" 2012-08-03 Shawn Landden, Document PR_SET_NO_NEW_PRIVS, PR_GET_NO_NEW_PRIVS,
+.\" SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER
+.\" (thx Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> 259e5e6c)
.\"
.\" FIXME: Document PR_SET_TIMERSLACK and PR_GET_TIMERSLACK (new in 2.6.28)
.\" commit 6976675d94042fbd446231d1bd8b7de71a980ada
.\"
-.TH PRCTL 2 2012-04-23 "Linux" "Linux Programmer's Manual"
+.TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
.SH NAME
prctl \- operations on a process
.SH SYNOPSIS
@@ -231,16 +234,44 @@ Return the current value of the parent process death signal,
in the location pointed to by
.IR "(int\ *) arg2" .
.TP
+.BR PR_SET_NO_NEW_PRIVS " (since Linux 3.4)"
+After being set, operations that grant new privileges (i.e. execve)
+will either fail or not grant them. This affects suid/sgid,
+file capabilities, and LSMs.
+
+Operations that merely manipulate or drop existing privileges (setresuid,
+capset, etc.) will still work. Drop those privileges if you want them gone.
+
+Changing LSM security domain is considered a new privilege. So, for example,
+asking selinux for a specific new context (e.g. with runcon) will result
+in execve returning -EPERM. See
+.IR Documentation/prctl/no_new_privs.txt
+for more details.
+.TP
+.BR PR_GET_NO_NEW_PRIVS " (since Linux 3.4)"
+Return the no_new_privs status of the calling thread. Returns 1 if set and 0
+if not set.
+.TP
.BR PR_SET_SECCOMP " (since Linux 2.6.23)"
.\" See http://thread.gmane.org/gmane.linux.kernel/542632
.\" [PATCH 0 of 2] seccomp updates
.\" andrea-Vyt77T80VFVWk0Htik3J/w@public.gmane.org
-Set the secure computing mode for the calling thread.
-In the current implementation,
-.IR arg2
-must be 1.
-After the secure computing mode has been set to 1,
-the only system calls that the thread is permitted to make are
+Set the secure computing mode for the calling thread. Secure computing mode is
+useful for number-crunching applications
+that may need to execute untrusted byte code,
+perhaps obtained by reading from a pipe or socket.
+These operations are only available
+if the kernel is configured with
+.BR CONFIG_SECCOMP
+or
+.BR CONFIG_SECCOMP_FILTER
+enabled, respectively. The value in
+.I arg2
+is one of the options below.
+.RS
+.TP
+.BR SECCOMP_MODE_STRICT
+The only system calls that the thread is permitted to make are
.BR read (2),
.BR write (2),
.BR _exit (2),
@@ -249,24 +280,38 @@ and
Other system calls result in the delivery of a
.BR SIGKILL
signal.
-Secure computing mode is useful for number-crunching applications
-that may need to execute untrusted byte code,
-perhaps obtained by reading from a pipe or socket.
-This operation is only available
-if the kernel is configured with CONFIG_SECCOMP enabled.
+.TP
+.\" See https://lwn.net/Articles/475043/
+.BR SECCOMP_MODE_FILTER " (since Linux 3.5 on x86)"
+Filter syscalls based on a user supplied program in the format of
+.BR "struct seccomp_data"
+in
+.IR arg3 .
+In order to use
+.BR SECCOMP_MODE_FILTER
+without the
+.BR CAP_SYS_ADMIN
+capability, you must
+first set
+.BR PR_SET_NO_NEW_PRIVS
+to 1.
+
+.RE
.TP
.BR PR_GET_SECCOMP " (since Linux 2.6.23)"
-Return the secure computing mode of the calling thread.
-Not very useful for the current implementation (mode equals 1),
-but may be useful for other possible future modes:
-if the caller is not in secure computing mode, this operation returns 0;
-if the caller is in secure computing mode, then the
+Return the secure computing mode of the calling thread. Returns
+.BR SECCOMP_MODE_DISABLED ,
+.BR SECCOMP_MODE_STRICT ,
+or
+.BR SECCOMP_MODE_FILTER .
+If the caller is in secure computing mode, then the
.BR prctl ()
call will cause a
.B SIGKILL
signal to be sent to the process.
-This operation is only available
-if the kernel is configured with CONFIG_SECCOMP enabled.
+This operation is only available if the kernel is configured with
+.BR CONFIG_SECCOMP
+enabled.
.TP
.BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
Set the "securebits" flags of the calling thread to the value supplied in
@@ -551,6 +596,7 @@ On success,
.BR PR_GET_TIMING ,
.BR PR_GET_SECUREBITS ,
.BR PR_MCE_KILL_GET ,
+.BR PR_GET_NO_NEW_PRIVS ,
and (if it returns)
.BR PR_GET_SECCOMP
return the nonnegative values described above.
@@ -562,6 +608,19 @@ On error, \-1 is returned, and
is set appropriately.
.SH ERRORS
.TP
+.B EACCES
+.I option
+is
+.BR PR_SET_SECCOMP ,
+.I arg2
+is
+.BR SECCOMP_MODE_FILTER ,
+the caller does not have the
+.BR CAP_SYS_ADMIN
+capability, and
+.BR PR_SET_NO_NEW_PRIVS
+has not been set as documented above.
+.TP
.B EFAULT
.I arg2
is an invalid address.
@@ -579,6 +638,10 @@ or
.BR PR_MCE_KILL_GET
or
.BR PR_SET_MM ,
+or
+.BR PR_SET_NO_NEW_PRIVS ,
+or
+.BR PR_GET_NO_NEW_PRIVS ,
and unused
.BR prctl ()
arguments were not specified as zero.
@@ -593,9 +656,15 @@ is not valid value for this
is
.BR PR_SET_SECCOMP
or
-.BR PR_SET_SECCOMP ,
+.BR PR_GET_SECCOMP ,
and the kernel was not configured with
.BR CONFIG_SECCOMP .
+(or
+.BR CONFIG_SECCOMP_FILTER
+if
+.I arg2
+is
+.BR SECCOMP_MODE_FILTER )
.TP
.B EINVAL
.I option
@@ -603,11 +672,6 @@ is
.BR PR_SET_MM ,
and one of the following is true
.RS
-.IP * 3
-.I arg4
-or
-.I arg5
-is nonzero;
.IP *
.I arg3
is greater than
@@ -637,6 +701,17 @@ or specifies a value that would cause the
resource limit to be exceeded.
.RE
.TP
+.B EINVAL
+.I option
+is
+.BR PR_SET_SECCOMP ,
+.I arg2
+is
+.BR SECCOMP_MODE_FILTER ,
+and
+.I arg3
+is not a valid filter program.
+.TP
.B EPERM
.I option
is
--
1.7.9.5
^ permalink raw reply related [flat|nested] 4+ messages in thread