* [PATCH] prctl: document new seccomp options
@ 2012-08-04 3:28 Shawn Landden
From: Shawn Landden @ 2012-08-04 3:28 UTC (permalink / raw)
To: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w
Cc: linux-man-u79uwXL29TY76Z2rM5mHXA, Shawn Landden
---
man2/prctl.2 | 71 +++++++++++++++++++++++++++++++++++++++++++++-------------
1 file changed, 55 insertions(+), 16 deletions(-)
diff --git a/man2/prctl.2 b/man2/prctl.2
index eb53aa8..383e2a8 100644
--- a/man2/prctl.2
+++ b/man2/prctl.2
@@ -45,7 +45,7 @@
.\" FIXME: Document PR_SET_TIMERSLACK and PR_GET_TIMERSLACK (new in 2.6.28)
.\" commit 6976675d94042fbd446231d1bd8b7de71a980ada
.\"
-.TH PRCTL 2 2012-04-23 "Linux" "Linux Programmer's Manual"
+.TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
.SH NAME
prctl \- operations on a process
.SH SYNOPSIS
@@ -231,16 +231,44 @@ Return the current value of the parent process death signal,
in the location pointed to by
.IR "(int\ *) arg2" .
.TP
-.BR PR_SET_SECCOMP " (since Linux 2.6.23)"
+.BR PR_SET_NO_NEW_PRIVS " (since Linux 3.4)"
+After being set, operations that grant new privileges (i.e. execve)
+will either fail or not grant them. This affects suid/sgid,
+file capabilities, and LSMs.
+
+Operations that merely manipulate or drop existing privileges (setresuid,
+capset, etc.) will still work. Drop those privileges if you want them gone.
+
+Changing LSM security domain is considered a new privilege. So, for example,
+asking selinux for a specific new context (e.g. with runcon) will result
+in execve returning -EPERM. See
+.IR Documentation/prctl/no_new_privs.txt
+for more details.
+.TP
+.BR PR_GET_NO_NEW_PRIVS " (since Linux 3.4)"
+Return the no_new_privs status of the calling thread. Returns 1 if set and 0
+if not set.
+.TP
+.BR PR_SET_SECCOMP
.\" See http://thread.gmane.org/gmane.linux.kernel/542632
.\" [PATCH 0 of 2] seccomp updates
.\" andrea-Vyt77T80VFVWk0Htik3J/w@public.gmane.org
-Set the secure computing mode for the calling thread.
-In the current implementation,
-.IR arg2
-must be 1.
-After the secure computing mode has been set to 1,
-the only system calls that the thread is permitted to make are
+Set the secure computing mode for the calling thread. Secure computing mode is
+useful for number-crunching applications
+that may need to execute untrusted byte code,
+perhaps obtained by reading from a pipe or socket.
+These operations are only available
+if the kernel is configured with
+.BR CONFIG_SECCOMP
+or
+.BR SECCOMP_FILTER
+enabled, respectively. The value in
+.I arg2
+is one of the options below.
+.RS
+.TP
+.BR SECCOMP_MODE_STRICT " (since Linux 2.6.23)"
+The only system calls that the thread is permitted to make are
.BR read (2),
.BR write (2),
.BR _exit (2),
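Review bot: `-.BR PR_SET_SECCOMP " (since Linux 2.6.23)"` / `+.BR PR_SET_SECCOMP` drops the version annotation from the operation itself; PR_SET_SECCOMP still dates from 2.6.23 and only the SECCOMP_MODE_FILTER value is newer, so keep the annotation on the operation and put the per-mode dates on the mode entries. In the same hunk, `+.BR SECCOMP_FILTER` is not a Kconfig symbol; the option is CONFIG_SECCOMP_FILTER. In the PR_SET_NO_NEW_PRIVS text, "(i.e. execve)" should read "(e.g. execve)", since execve is one example of an operation that grants privileges rather than the definition of one, and "Changing LSM security domain" wants an article ("Changing the LSM security domain"). The new SECCOMP_MODE_* constants are also introduced without saying which header declares them (linux/seccomp.h, as the follow-up message in this thread points out); that belongs in the SYNOPSIS or next to the constants.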
@@ -249,11 +277,20 @@ and
Other system calls result in the delivery of a
.BR SIGKILL
signal.
-Secure computing mode is useful for number-crunching applications
-that may need to execute untrusted byte code,
-perhaps obtained by reading from a pipe or socket.
-This operation is only available
-if the kernel is configured with CONFIG_SECCOMP enabled.
+.TP
+.BR SECCOMP_MODE_FILTER " (since Linux 3.5 on x86)"
+Filter syscalls based on a user supplied program of type
+.BR "struct seccomp_data"
+in
+.IR arg3 .
+In order to use
+.BR SECCOMP_MODE_FILTER
+as a non-root user, you must
+first set
+.BR PR_SET_NO_NEW_PRIVS
+to 1.
+
+.RE
.TP
.BR PR_GET_SECCOMP " (since Linux 2.6.23)"
Return the secure computing mode of the calling thread.
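Review bot: `+Filter syscalls based on a user supplied program of type` / `+.BR "struct seccomp_data"` describes arg3 wrongly: struct seccomp_data is the per-syscall record (syscall number, architecture, arguments) that the filter inspects, not the type of the program; arg3 points to the BPF filter program itself, so the text should say that arg3 is a pointer to a classic BPF program that operates on a struct seccomp_data. "as a non-root user" is also the wrong condition: the check is on the CAP_SYS_ADMIN capability (the v4 attachment later in this thread corrects this), so a root process that has dropped that capability is subject to it as well. The blank line before `+.RE` renders as a stray vertical gap; remove it.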
@@ -265,8 +302,6 @@ if the caller is in secure computing mode, then the
call will cause a
.B SIGKILL
signal to be sent to the process.
-This operation is only available
-if the kernel is configured with CONFIG_SECCOMP enabled.
.TP
.BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
Set the "securebits" flags of the calling thread to the value supplied in
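Review bot: this hunk removes the CONFIG_SECCOMP availability note from PR_GET_SECCOMP but leaves the rest of the entry untouched, and the hunk context ("if the caller is in secure computing mode, then the ... call will cause a SIGKILL") no longer matches what the patch documents: with SECCOMP_MODE_FILTER the installed filter decides whether prctl() is permitted, so the unconditional SIGKILL only holds for SECCOMP_MODE_STRICT. The entry's wording about the mode being 1 (visible in the v3 attachment's version of this hunk as "Not very useful for the current implementation (mode equals 1)") is likewise stale once two modes exist; rewrite the entry per mode: 0 when seccomp is disabled, no return (SIGKILL) in strict mode, and SECCOMP_MODE_FILTER when a filter is installed and permits the call.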
@@ -579,6 +614,10 @@ or
.BR PR_MCE_KILL_GET
or
.BR PR_SET_MM ,
+or
+.BR PR_SET_NO_NEW_PRIVS ,
+or
+.BR PR_GET_NO_NEW_PRIVS ,
and unused
.BR prctl ()
arguments were not specified as zero.
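Review bot: the EINVAL clause now lists PR_SET_NO_NEW_PRIVS and PR_GET_NO_NEW_PRIVS among the options whose unused arguments must be zero, but the PR_SET_NO_NEW_PRIVS entry earlier in this patch never says what arg2 must be; the only hint is the SECCOMP_MODE_FILTER text telling the reader to set it "to 1". State in the PR_SET_NO_NEW_PRIVS entry that arg2 must be 1 and that any other value is rejected with EINVAL, and say whether the flag can be cleared again, because "Returns 1 if set and 0 if not set" under PR_GET_NO_NEW_PRIVS otherwise reads like a toggle.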
@@ -593,7 +632,7 @@ is not valid value for this
is
.BR PR_SET_SECCOMP
or
-.BR PR_SET_SECCOMP ,
+.BR PR_GET_SECCOMP ,
and the kernel was not configured with
.BR CONFIG_SECCOMP .
.TP
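Review bot: the `-.BR PR_SET_SECCOMP ,` / `+.BR PR_GET_SECCOMP ,` correction of the duplicated constant is right, but the ERRORS section is otherwise not updated for the new mode documented above: there is no EINVAL case for a kernel built without CONFIG_SECCOMP_FILTER when arg2 is SECCOMP_MODE_FILTER, no entry for requesting SECCOMP_MODE_FILTER without PR_SET_NO_NEW_PRIVS having been set (the description says "you must first set" it but not what happens otherwise), and no entry for an invalid filter program in arg3. The v3 and v4 attachments in this thread add EACCES and EINVAL entries for exactly these cases; they belong in this patch.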
--
1.7.9.5
* Re: [PATCH] prctl: document new seccomp options
From: shawn @ 2012-08-04 3:37 UTC (permalink / raw)
To: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w; +Cc: linux-man-u79uwXL29TY76Z2rM5mHXA
Version with in-source changelog updated
--
-Shawn Landden
[-- Attachment #2: 0001-prctl-document-new-seccomp-options.patch --]
[-- Type: text/x-patch, Size: 4226 bytes --]
From ac7dcfc5e06f79e9200288c2312f763f9ab65432 Mon Sep 17 00:00:00 2001
From: Shawn Landden <shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Date: Fri, 3 Aug 2012 20:28:00 -0700
Subject: [PATCH] prctl: document new seccomp options
---
man2/prctl.2 | 71 +++++++++++++++++++++++++++++++++++++++++++++-------------
1 file changed, 55 insertions(+), 16 deletions(-)
diff --git a/man2/prctl.2 b/man2/prctl.2
index eb53aa8..383e2a8 100644
--- a/man2/prctl.2
+++ b/man2/prctl.2
@@ -45,7 +45,7 @@
.\" FIXME: Document PR_SET_TIMERSLACK and PR_GET_TIMERSLACK (new in 2.6.28)
.\" commit 6976675d94042fbd446231d1bd8b7de71a980ada
.\"
-.TH PRCTL 2 2012-04-23 "Linux" "Linux Programmer's Manual"
+.TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
.SH NAME
prctl \- operations on a process
.SH SYNOPSIS
@@ -231,16 +231,44 @@ Return the current value of the parent process death signal,
in the location pointed to by
.IR "(int\ *) arg2" .
.TP
-.BR PR_SET_SECCOMP " (since Linux 2.6.23)"
+.BR PR_SET_NO_NEW_PRIVS " (since Linux 3.4)"
+After being set, operations that grant new privileges (i.e. execve)
+will either fail or not grant them. This affects suid/sgid,
+file capabilities, and LSMs.
+
+Operations that merely manipulate or drop existing privileges (setresuid,
+capset, etc.) will still work. Drop those privileges if you want them gone.
+
+Changing LSM security domain is considered a new privilege. So, for example,
+asking selinux for a specific new context (e.g. with runcon) will result
+in execve returning -EPERM. See
+.IR Documentation/prctl/no_new_privs.txt
+for more details.
+.TP
+.BR PR_GET_NO_NEW_PRIVS " (since Linux 3.4)"
+Return the no_new_privs status of the calling thread. Returns 1 if set and 0
+if not set.
+.TP
+.BR PR_SET_SECCOMP
.\" See http://thread.gmane.org/gmane.linux.kernel/542632
.\" [PATCH 0 of 2] seccomp updates
.\" andrea-Vyt77T80VFVWk0Htik3J/w@public.gmane.org
-Set the secure computing mode for the calling thread.
-In the current implementation,
-.IR arg2
-must be 1.
-After the secure computing mode has been set to 1,
-the only system calls that the thread is permitted to make are
+Set the secure computing mode for the calling thread. Secure computing mode is
+useful for number-crunching applications
+that may need to execute untrusted byte code,
+perhaps obtained by reading from a pipe or socket.
+These operations are only available
+if the kernel is configured with
+.BR CONFIG_SECCOMP
+or
+.BR SECCOMP_FILTER
+enabled, respectively. The value in
+.I arg2
+is one of the options below.
+.RS
+.TP
+.BR SECCOMP_MODE_STRICT " (since Linux 2.6.23)"
+The only system calls that the thread is permitted to make are
.BR read (2),
.BR write (2),
.BR _exit (2),
@@ -249,11 +277,20 @@ and
Other system calls result in the delivery of a
.BR SIGKILL
signal.
-Secure computing mode is useful for number-crunching applications
-that may need to execute untrusted byte code,
-perhaps obtained by reading from a pipe or socket.
-This operation is only available
-if the kernel is configured with CONFIG_SECCOMP enabled.
+.TP
+.BR SECCOMP_MODE_FILTER " (since Linux 3.5 on x86)"
+Filter syscalls based on a user supplied program of type
+.BR "struct seccomp_data"
+in
+.IR arg3 .
+In order to use
+.BR SECCOMP_MODE_FILTER
+as a non-root user, you must
+first set
+.BR PR_SET_NO_NEW_PRIVS
+to 1.
+
+.RE
.TP
.BR PR_GET_SECCOMP " (since Linux 2.6.23)"
Return the secure computing mode of the calling thread.
@@ -265,8 +302,6 @@ if the caller is in secure computing mode, then the
call will cause a
.B SIGKILL
signal to be sent to the process.
-This operation is only available
-if the kernel is configured with CONFIG_SECCOMP enabled.
.TP
.BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
Set the "securebits" flags of the calling thread to the value supplied in
@@ -579,6 +614,10 @@ or
.BR PR_MCE_KILL_GET
or
.BR PR_SET_MM ,
+or
+.BR PR_SET_NO_NEW_PRIVS ,
+or
+.BR PR_GET_NO_NEW_PRIVS ,
and unused
.BR prctl ()
arguments were not specified as zero.
@@ -593,7 +632,7 @@ is not valid value for this
is
.BR PR_SET_SECCOMP
or
-.BR PR_SET_SECCOMP ,
+.BR PR_GET_SECCOMP ,
and the kernel was not configured with
.BR CONFIG_SECCOMP .
.TP
--
1.7.9.5
* Re: [PATCH] prctl: document new seccomp options
From: shawn @ 2012-08-04 18:39 UTC (permalink / raw)
To: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w; +Cc: linux-man-u79uwXL29TY76Z2rM5mHXA
more thorough --
where should
#include <linux/seccomp.h>
be specified as needed for some constants?
--
-Shawn Landden
[-- Attachment #2: 0001-prctl.2-document-new-seccomp-options.patch --]
[-- Type: text/x-patch, Size: 5603 bytes --]
From 038f59ce3c372cac1d7a9dc56ef30831ef58fc0b Mon Sep 17 00:00:00 2001
From: Shawn Landden <shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Date: Fri, 3 Aug 2012 20:28:00 -0700
Subject: [PATCH] prctl.2: document new seccomp options
the seccomp stuff requires
But I am not sure where/how to specify that.
---
man2/prctl.2 | 98 +++++++++++++++++++++++++++++++++++++++++++---------------
1 file changed, 73 insertions(+), 25 deletions(-)
diff --git a/man2/prctl.2 b/man2/prctl.2
index eb53aa8..cf0272e 100644
--- a/man2/prctl.2
+++ b/man2/prctl.2
@@ -41,11 +41,14 @@
.\" 2012-04 Cyrill Gorcunov, Document PR_SET_MM
.\" 2012-04-25 Michael Kerrisk, Document PR_TASK_PERF_EVENTS_DISABLE and
.\" PR_TASK_PERF_EVENTS_ENABLE
+.\" 2012-08-03 Shawn Landden, Document PR_SET_NO_NEW_PRIVS, PR_GET_NO_NEW_PRIVS,
+.\" SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER
+.\" (thx Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> 259e5e6c)
.\"
.\" FIXME: Document PR_SET_TIMERSLACK and PR_GET_TIMERSLACK (new in 2.6.28)
.\" commit 6976675d94042fbd446231d1bd8b7de71a980ada
.\"
-.TH PRCTL 2 2012-04-23 "Linux" "Linux Programmer's Manual"
+.TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
.SH NAME
prctl \- operations on a process
.SH SYNOPSIS
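Review bot: `+.\" (thx Andy Lutomirski <...> 259e5e6c)` mixes a thank-you into the in-source changelog, whose existing entries reference kernel commits as a plain "commit <id>" (see the "commit 6976675d94042fbd446231d1bd8b7de71a980ada" line in this same hunk); write it as "kernel commit 259e5e6c" and put the credit in the commit message instead, where it will be preserved in git history.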
@@ -231,16 +234,44 @@ Return the current value of the parent process death signal,
in the location pointed to by
.IR "(int\ *) arg2" .
.TP
+.BR PR_SET_NO_NEW_PRIVS " (since Linux 3.4)"
+After being set, operations that grant new privileges (i.e. execve)
+will either fail or not grant them. This affects suid/sgid,
+file capabilities, and LSMs.
+
+Operations that merely manipulate or drop existing privileges (setresuid,
+capset, etc.) will still work. Drop those privileges if you want them gone.
+
+Changing LSM security domain is considered a new privilege. So, for example,
+asking selinux for a specific new context (e.g. with runcon) will result
+in execve returning -EPERM. See
+.IR Documentation/prctl/no_new_privs.txt
+for more details.
+.TP
+.BR PR_GET_NO_NEW_PRIVS " (since Linux 3.4)"
+Return the no_new_privs status of the calling thread. Returns 1 if set and 0
+if not set.
+.TP
.BR PR_SET_SECCOMP " (since Linux 2.6.23)"
.\" See http://thread.gmane.org/gmane.linux.kernel/542632
.\" [PATCH 0 of 2] seccomp updates
.\" andrea-Vyt77T80VFVWk0Htik3J/w@public.gmane.org
-Set the secure computing mode for the calling thread.
-In the current implementation,
-.IR arg2
-must be 1.
-After the secure computing mode has been set to 1,
-the only system calls that the thread is permitted to make are
+Set the secure computing mode for the calling thread. Secure computing mode is
+useful for number-crunching applications
+that may need to execute untrusted byte code,
+perhaps obtained by reading from a pipe or socket.
+These operations are only available
+if the kernel is configured with
+.BR CONFIG_SECCOMP
+or
+.BR SECCOMP_FILTER
+enabled, respectively. The value in
+.I arg2
+is one of the options below.
+.RS
+.TP
+.BR SECCOMP_MODE_STRICT
+The only system calls that the thread is permitted to make are
.BR read (2),
.BR write (2),
.BR _exit (2),
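Review bot: `+.BR SECCOMP_FILTER` still names a Kconfig symbol that does not exist; it should be CONFIG_SECCOMP_FILTER, which is what this version's own EINVAL hunk further down uses. Restoring "(since Linux 2.6.23)" on PR_SET_SECCOMP and dropping it from SECCOMP_MODE_STRICT is the right split, since the strict mode is as old as the operation. The "(i.e. execve)" wording and the description of arg3 as a "program of type struct seccomp_data" are unchanged from the first posting and still need the same fixes.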
@@ -249,24 +280,35 @@ and
Other system calls result in the delivery of a
.BR SIGKILL
signal.
-Secure computing mode is useful for number-crunching applications
-that may need to execute untrusted byte code,
-perhaps obtained by reading from a pipe or socket.
-This operation is only available
-if the kernel is configured with CONFIG_SECCOMP enabled.
+.TP
+.BR SECCOMP_MODE_FILTER " (since Linux 3.5 on x86)"
+Filter syscalls based on a user supplied program of type
+.BR "struct seccomp_data"
+in
+.IR arg3 .
+In order to use
+.BR SECCOMP_MODE_FILTER
+as a non-root user, you must
+first set
+.BR PR_SET_NO_NEW_PRIVS
+to 1.
+
+.RE
.TP
.BR PR_GET_SECCOMP " (since Linux 2.6.23)"
-Return the secure computing mode of the calling thread.
-Not very useful for the current implementation (mode equals 1),
-but may be useful for other possible future modes:
-if the caller is not in secure computing mode, this operation returns 0;
-if the caller is in secure computing mode, then the
+Return the secure computing mode of the calling thread. Returns
+.BR SECCOMP_MODE_DISABLED ,
+.BR SECCOMP_MODE_STRICT ,
+or
+.BR SECCOMP_MODE_FILTER .
+If the caller is in secure computing mode, then the
.BR prctl ()
call will cause a
.B SIGKILL
signal to be sent to the process.
-This operation is only available
-if the kernel is configured with CONFIG_SECCOMP enabled.
+This operation is only available if the kernel is configured with
+.BR CONFIG_SECCOMP
+enabled.
.TP
.BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
Set the "securebits" flags of the calling thread to the value supplied in
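Review bot: `+Return the secure computing mode of the calling thread. Returns` followed by the three SECCOMP_MODE_* values contradicts the sentence after it (`+If the caller is in secure computing mode, then the` prctl() call "will cause a SIGKILL"): if the call is killed whenever the mode is not disabled, it can never return SECCOMP_MODE_STRICT or SECCOMP_MODE_FILTER. State it per mode: SECCOMP_MODE_DISABLED when seccomp is off; in strict mode prctl() is not among the permitted calls, so the thread is killed; in filter mode the installed filter decides, and if it permits prctl() the call returns SECCOMP_MODE_FILTER. Restoring the CONFIG_SECCOMP sentence here is fine; use the same wording as the PR_SET_SECCOMP entry so the two stay in sync.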
@@ -551,6 +593,7 @@ On success,
.BR PR_GET_TIMING ,
.BR PR_GET_SECUREBITS ,
.BR PR_MCE_KILL_GET ,
+.BR PR_GET_NO_NEW_PRIVS ,
and (if it returns)
.BR PR_GET_SECCOMP
return the nonnegative values described above.
@@ -579,6 +622,10 @@ or
.BR PR_MCE_KILL_GET
or
.BR PR_SET_MM ,
+or
+.BR PR_SET_NO_NEW_PRIVS ,
+or
+.BR PR_GET_NO_NEW_PRIVS ,
and unused
.BR prctl ()
arguments were not specified as zero.
@@ -593,9 +640,15 @@ is not valid value for this
is
.BR PR_SET_SECCOMP
or
-.BR PR_SET_SECCOMP ,
+.BR PR_GET_SECCOMP ,
and the kernel was not configured with
.BR CONFIG_SECCOMP .
+(or
+.BR CONFIG_SECCOMP_FILTER
+if
+.I arg2
+is
+.BR SECCOMP_MODE_FILTER )
.TP
.B EINVAL
.I option
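Review bot: `.BR CONFIG_SECCOMP .` ends the sentence and then `+(or` opens a parenthetical that dangles after the full stop, and `+.BR SECCOMP_MODE_FILTER )` closes it with no terminating period of its own. Fold the condition into the sentence, moving the period to the end: "and the kernel was not configured with CONFIG_SECCOMP (or with CONFIG_SECCOMP_FILTER if arg2 is SECCOMP_MODE_FILTER)."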
@@ -603,11 +656,6 @@ is
.BR PR_SET_MM ,
and one of the following is true
.RS
-.IP * 3
-.I arg4
-or
-.I arg5
-is nonzero;
.IP *
.I arg3
is greater than
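Review bot: deleting the `-.IP * 3` bullet ("arg4 or arg5 is nonzero") from the PR_SET_MM EINVAL list is unrelated to seccomp and is not mentioned in the commit message. If the rationale is that the generic clause earlier in ERRORS (the list ending "and unused prctl() arguments were not specified as zero", in which PR_SET_MM already appears) makes the bullet redundant, say so and preferably send it as a separate patch. As written it also has a formatting side effect: the `3` indent argument lived on the deleted `.IP * 3` line and the remaining `.IP *` items inherited it, so the first surviving item now needs to carry `.IP * 3`.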
--
1.7.9.5
* Re: [PATCH] prctl: document new seccomp options
From: shawn @ 2012-08-04 19:20 UTC (permalink / raw)
To: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w; +Cc: linux-man-u79uwXL29TY76Z2rM5mHXA
even more documentation
--
-Shawn Landden
[-- Attachment #2: 0001-prctl.2-document-new-seccomp-options.patch --]
[-- Type: text/x-patch, Size: 6342 bytes --]
From 72638832226da22d787344d97155005ceb521ee5 Mon Sep 17 00:00:00 2001
From: Shawn Landden <shawnlandden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Date: Fri, 3 Aug 2012 20:28:00 -0700
Subject: [PATCH] prctl.2: document new seccomp options
the seccomp stuff requires
#include <linux/seccomp.h>
But I am not sure where/how to specify that.
---
man2/prctl.2 | 125 ++++++++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 100 insertions(+), 25 deletions(-)
diff --git a/man2/prctl.2 b/man2/prctl.2
index eb53aa8..0b65fbb 100644
--- a/man2/prctl.2
+++ b/man2/prctl.2
@@ -41,11 +41,14 @@
.\" 2012-04 Cyrill Gorcunov, Document PR_SET_MM
.\" 2012-04-25 Michael Kerrisk, Document PR_TASK_PERF_EVENTS_DISABLE and
.\" PR_TASK_PERF_EVENTS_ENABLE
+.\" 2012-08-03 Shawn Landden, Document PR_SET_NO_NEW_PRIVS, PR_GET_NO_NEW_PRIVS,
+.\" SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER
+.\" (thx Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> 259e5e6c)
.\"
.\" FIXME: Document PR_SET_TIMERSLACK and PR_GET_TIMERSLACK (new in 2.6.28)
.\" commit 6976675d94042fbd446231d1bd8b7de71a980ada
.\"
-.TH PRCTL 2 2012-04-23 "Linux" "Linux Programmer's Manual"
+.TH PRCTL 2 2012-08-03 "Linux" "Linux Programmer's Manual"
.SH NAME
prctl \- operations on a process
.SH SYNOPSIS
@@ -231,16 +234,44 @@ Return the current value of the parent process death signal,
in the location pointed to by
.IR "(int\ *) arg2" .
.TP
+.BR PR_SET_NO_NEW_PRIVS " (since Linux 3.4)"
+After being set, operations that grant new privileges (i.e. execve)
+will either fail or not grant them. This affects suid/sgid,
+file capabilities, and LSMs.
+
+Operations that merely manipulate or drop existing privileges (setresuid,
+capset, etc.) will still work. Drop those privileges if you want them gone.
+
+Changing LSM security domain is considered a new privilege. So, for example,
+asking selinux for a specific new context (e.g. with runcon) will result
+in execve returning -EPERM. See
+.IR Documentation/prctl/no_new_privs.txt
+for more details.
+.TP
+.BR PR_GET_NO_NEW_PRIVS " (since Linux 3.4)"
+Return the no_new_privs status of the calling thread. Returns 1 if set and 0
+if not set.
+.TP
.BR PR_SET_SECCOMP " (since Linux 2.6.23)"
.\" See http://thread.gmane.org/gmane.linux.kernel/542632
.\" [PATCH 0 of 2] seccomp updates
.\" andrea-Vyt77T80VFVWk0Htik3J/w@public.gmane.org
-Set the secure computing mode for the calling thread.
-In the current implementation,
-.IR arg2
-must be 1.
-After the secure computing mode has been set to 1,
-the only system calls that the thread is permitted to make are
+Set the secure computing mode for the calling thread. Secure computing mode is
+useful for number-crunching applications
+that may need to execute untrusted byte code,
+perhaps obtained by reading from a pipe or socket.
+These operations are only available
+if the kernel is configured with
+.BR CONFIG_SECCOMP
+or
+.BR CONFIG_SECCOMP_FILTER
+enabled, respectively. The value in
+.I arg2
+is one of the options below.
+.RS
+.TP
+.BR SECCOMP_MODE_STRICT
+The only system calls that the thread is permitted to make are
.BR read (2),
.BR write (2),
.BR _exit (2),
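Review bot: with `+.BR CONFIG_SECCOMP_FILTER` the Kconfig name is now right. Still open in this hunk: "(i.e. execve)" should be "(e.g. execve)"; `+These operations are only available` ... `enabled, respectively` refers forward to modes the reader has not yet seen, so say "The modes below require CONFIG_SECCOMP and, for SECCOMP_MODE_FILTER, also CONFIG_SECCOMP_FILTER"; and the PR_SET_NO_NEW_PRIVS entry still does not state that arg2 must be 1 or where the SECCOMP_MODE_* constants are declared (the commit message itself raises the linux/seccomp.h question; the answer belongs in the SYNOPSIS).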
@@ -249,24 +280,38 @@ and
Other system calls result in the delivery of a
.BR SIGKILL
signal.
-Secure computing mode is useful for number-crunching applications
-that may need to execute untrusted byte code,
-perhaps obtained by reading from a pipe or socket.
-This operation is only available
-if the kernel is configured with CONFIG_SECCOMP enabled.
+.TP
+.\" See https://lwn.net/Articles/475043/
+.BR SECCOMP_MODE_FILTER " (since Linux 3.5 on x86)"
+Filter syscalls based on a user supplied program in the format of
+.BR "struct seccomp_data"
+in
+.IR arg3 .
+In order to use
+.BR SECCOMP_MODE_FILTER
+without the
+.BR CAP_SYS_ADMIN
+capability, you must
+first set
+.BR PR_SET_NO_NEW_PRIVS
+to 1.
+
+.RE
.TP
.BR PR_GET_SECCOMP " (since Linux 2.6.23)"
-Return the secure computing mode of the calling thread.
-Not very useful for the current implementation (mode equals 1),
-but may be useful for other possible future modes:
-if the caller is not in secure computing mode, this operation returns 0;
-if the caller is in secure computing mode, then the
+Return the secure computing mode of the calling thread. Returns
+.BR SECCOMP_MODE_DISABLED ,
+.BR SECCOMP_MODE_STRICT ,
+or
+.BR SECCOMP_MODE_FILTER .
+If the caller is in secure computing mode, then the
.BR prctl ()
call will cause a
.B SIGKILL
signal to be sent to the process.
-This operation is only available
-if the kernel is configured with CONFIG_SECCOMP enabled.
+This operation is only available if the kernel is configured with
+.BR CONFIG_SECCOMP
+enabled.
.TP
.BR PR_SET_SECUREBITS " (since Linux 2.6.26)"
Set the "securebits" flags of the calling thread to the value supplied in
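Review bot: `+without the` / `+.BR CAP_SYS_ADMIN` / `+capability` fixes the privilege condition and the LWN reference is useful, but `+Filter syscalls based on a user supplied program in the format of` / `+.BR "struct seccomp_data"` still has the roles reversed: struct seccomp_data is what the filter reads for each system call, and arg3 points to the BPF filter program. The PR_GET_SECCOMP text in this hunk still says both that it "Returns ... SECCOMP_MODE_STRICT, or SECCOMP_MODE_FILTER" and that the call "will cause a SIGKILL" whenever the caller is in secure computing mode; both cannot hold, since in filter mode the filter decides whether prctl() is permitted and only strict mode kills unconditionally. The blank line before `+.RE` should also go.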
@@ -551,6 +596,7 @@ On success,
.BR PR_GET_TIMING ,
.BR PR_GET_SECUREBITS ,
.BR PR_MCE_KILL_GET ,
+.BR PR_GET_NO_NEW_PRIVS ,
and (if it returns)
.BR PR_GET_SECCOMP
return the nonnegative values described above.
@@ -562,6 +608,19 @@ On error, \-1 is returned, and
is set appropriately.
.SH ERRORS
.TP
+.B EACCES
+.I option
+is
+.BR PR_SET_SECCOMP ,
+.I arg2
+is
+.BR SECCOMP_MODE_FILTER ,
+the caller does not have the
+.BR CAP_SYS_ADMIN
+capability, and
+.BR PR_SET_NO_NEW_PRIVS
+has not been set as documented above.
+.TP
.B EFAULT
.I arg2
is an invalid address.
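Review bot: `+has not been set as documented above` is vague for an ERRORS entry, which readers consult without the description; say directly "and the no_new_privs flag of the calling thread is not set (see PR_SET_NO_NEW_PRIVS)". Since this makes SECCOMP_MODE_FILTER the only PR_SET_SECCOMP mode with a capability requirement, the PR_SET_SECCOMP entry should state the EACCES outcome too rather than leaving it to ERRORS alone.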
@@ -579,6 +638,10 @@ or
.BR PR_MCE_KILL_GET
or
.BR PR_SET_MM ,
+or
+.BR PR_SET_NO_NEW_PRIVS ,
+or
+.BR PR_GET_NO_NEW_PRIVS ,
and unused
.BR prctl ()
arguments were not specified as zero.
@@ -593,9 +656,15 @@ is not valid value for this
is
.BR PR_SET_SECCOMP
or
-.BR PR_SET_SECCOMP ,
+.BR PR_GET_SECCOMP ,
and the kernel was not configured with
.BR CONFIG_SECCOMP .
+(or
+.BR CONFIG_SECCOMP_FILTER
+if
+.I arg2
+is
+.BR SECCOMP_MODE_FILTER )
.TP
.B EINVAL
.I option
@@ -603,11 +672,6 @@ is
.BR PR_SET_MM ,
and one of the following is true
.RS
-.IP * 3
-.I arg4
-or
-.I arg5
-is nonzero;
.IP *
.I arg3
is greater than
@@ -637,6 +701,17 @@ or specifies a value that would cause the
resource limit to be exceeded.
.RE
.TP
+.B EINVAL
+.I option
+is
+.BR PR_SET_SECCOMP ,
+.I arg2
+is
+.BR SECCOMP_MODE_FILTER ,
+and
+.I arg3
+is not a valid filter program.
+.TP
.B EPERM
.I option
is
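Review bot: `+is not a valid filter program.` covers a malformed program but not an unreadable one: arg3 is a pointer, and the EFAULT entry in this patch's earlier hunk lists only "arg2 is an invalid address", so add arg3 to EFAULT for the SECCOMP_MODE_FILTER case. It would also help to say what "not a valid filter program" means in practice (for example an empty program or one that fails BPF validation), so a caller can tell this EINVAL from the CONFIG_SECCOMP_FILTER EINVAL documented just above it.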
--
1.7.9.5