[PATCH 6.17 17/35] seccomp: passthrough uprobe systemcall without filtering

patches.lists.linux.dev archive mirror
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Jiri Olsa <jolsa@kernel.org>,
	"Peter Zijlstra (Intel)" <peterz@infradead.org>,
	Kees Cook <kees@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.17 17/35] seccomp: passthrough uprobe systemcall without filtering
Date: Fri, 31 Oct 2025 15:01:25 +0100	[thread overview]
Message-ID: <20251031140043.974667333@linuxfoundation.org> (raw)
In-Reply-To: <20251031140043.564670400@linuxfoundation.org>

6.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Olsa <jolsa@kernel.org>

[ Upstream commit 89d1d8434d246c96309a6068dfcf9e36dc61227b ]

Adding uprobe as another exception to the seccomp filter alongside
with the uretprobe syscall.

Same as the uretprobe the uprobe syscall is installed by kernel as
replacement for the breakpoint exception and is limited to x86_64
arch and isn't expected to ever be supported in i386.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Kees Cook <kees@kernel.org>
Link: https://lore.kernel.org/r/20250720112133.244369-21-jolsa@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/seccomp.c | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 3bbfba30a777a..25f62867a16d9 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -741,6 +741,26 @@ seccomp_prepare_user_filter(const char __user *user_filter)
 }
 
 #ifdef SECCOMP_ARCH_NATIVE
+static bool seccomp_uprobe_exception(struct seccomp_data *sd)
+{
+#if defined __NR_uretprobe || defined __NR_uprobe
+#ifdef SECCOMP_ARCH_COMPAT
+	if (sd->arch == SECCOMP_ARCH_NATIVE)
+#endif
+	{
+#ifdef __NR_uretprobe
+		if (sd->nr == __NR_uretprobe)
+			return true;
+#endif
+#ifdef __NR_uprobe
+		if (sd->nr == __NR_uprobe)
+			return true;
+#endif
+	}
+#endif
+	return false;
+}
+
 /**
  * seccomp_is_const_allow - check if filter is constant allow with given data
  * @fprog: The BPF programs
@@ -758,13 +778,8 @@ static bool seccomp_is_const_allow(struct sock_fprog_kern *fprog,
 		return false;
 
 	/* Our single exception to filtering. */
-#ifdef __NR_uretprobe
-#ifdef SECCOMP_ARCH_COMPAT
-	if (sd->arch == SECCOMP_ARCH_NATIVE)
-#endif
-		if (sd->nr == __NR_uretprobe)
-			return true;
-#endif
+	if (seccomp_uprobe_exception(sd))
+		return true;
 
 	for (pc = 0; pc < fprog->len; pc++) {
 		struct sock_filter *insn = &fprog->filter[pc];
@@ -1042,6 +1057,9 @@ static const int mode1_syscalls[] = {
 	__NR_seccomp_read, __NR_seccomp_write, __NR_seccomp_exit, __NR_seccomp_sigreturn,
 #ifdef __NR_uretprobe
 	__NR_uretprobe,
+#endif
+#ifdef __NR_uprobe
+	__NR_uprobe,
 #endif
 	-1, /* negative terminated */
 };
-- 
2.51.0

next prev parent reply	other threads:[~2025-10-31 14:05 UTC|newest]

Thread overview: 53+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-10-31 14:01 [PATCH 6.17 00/35] 6.17.7-rc1 review Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 01/35] sched_ext: Move internal type and accessor definitions to ext_internal.h Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 02/35] sched_ext: Put event_stats_cpu in struct scx_sched_pcpu Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 03/35] sched_ext: Sync error_irq_work before freeing scx_sched Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 04/35] timekeeping: Fix aux clocks sysfs initialization loop bound Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 05/35] x86/bugs: Report correct retbleed mitigation status Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 06/35] x86/bugs: Qualify RETBLEED_INTEL_MSG Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 07/35] genirq/chip: Add buslock back in to irq_set_handler() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 08/35] genirq/manage: Add buslock back in to __disable_irq_nosync() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 09/35] genirq/manage: Add buslock back in to enable_irq() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 10/35] audit: record fanotify event regardless of presence of rules Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 11/35] EDAC/ie31200: Add two more Intel Alder Lake-S SoCs for EDAC support Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 12/35] perf/x86/intel: Add ICL_FIXED_0_ADAPTIVE bit into INTEL_FIXED_BITS_MASK Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 13/35] perf: Use current->flags & PF_KTHREAD|PF_USER_WORKER instead of current->mm == NULL Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 14/35] perf: Have get_perf_callchain() return NULL if crosstask and user are set Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 15/35] perf: Skip user unwind if the task is a kernel thread Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 16/35] EDAC: Fix wrong executable file modes for C source files Greg Kroah-Hartman
2025-10-31 14:01 ` Greg Kroah-Hartman [this message]
2025-10-31 14:01 ` [PATCH 6.17 18/35] sched_ext: Keep bypass on between enable failure and scx_disable_workfn() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 19/35] x86/bugs: Add attack vector controls for VMSCAPE Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 20/35] sched/fair: update_cfs_group() for throttled cfs_rqs Greg Kroah-Hartman
2025-11-02 11:07   ` Aaron Lu
2025-11-02 12:21     ` Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 21/35] x86/bugs: Fix reporting of LFENCE retpoline Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 22/35] EDAC/mc_sysfs: Increase legacy channel support to 16 Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 23/35] cpuset: Use new excpus for nocpu error check when enabling root partition Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 24/35] btrfs: abort transaction on specific error places when walking log tree Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 25/35] btrfs: abort transaction in the process_one_buffer() log tree walk callback Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 26/35] btrfs: zoned: return error from btrfs_zone_finish_endio() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 27/35] btrfs: zoned: refine extent allocator hint selection Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 28/35] btrfs: scrub: replace max_t()/min_t() with clamp() in scrub_throttle_dev_io() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 29/35] btrfs: always drop log root tree reference in btrfs_replay_log() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 30/35] btrfs: use level argument in log tree walk callback replay_one_buffer() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 31/35] btrfs: abort transaction if we fail to update inode in log replay dir fixup Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 32/35] btrfs: tree-checker: add inode extref checks Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 33/35] btrfs: use smp_mb__after_atomic() when forcing COW in create_pending_snapshot() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 34/35] sched_ext: Make qmap dump operation non-destructive Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 35/35] arch: Add the macro COMPILE_OFFSETS to all the asm-offsets.c Greg Kroah-Hartman
2025-10-31 14:58 ` [PATCH 6.17 00/35] 6.17.7-rc1 review Ronald Warsow
2025-10-31 16:59 ` Peter Schneider
2025-10-31 17:06 ` Dileep malepu
2025-10-31 19:35 ` Jon Hunter
2025-10-31 20:39 ` Pavel Machek
2025-10-31 22:35 ` Shuah Khan
2025-10-31 22:45 ` Achill Gilgenast
2025-10-31 22:58 ` Justin Forbes
2025-11-01  9:10 ` Naresh Kamboju
2025-11-01  9:56 ` Jeffrin Thalakkottoor
2025-11-01 11:37 ` Ron Economos
2025-11-01 19:31 ` Brett A C Sheffield
2025-11-01 21:16 ` Miguel Ojeda
2025-11-02  2:58 ` Takeshi Ogasawara
2025-11-03 16:50 ` Florian Fainelli

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:3bbfba30a777 dfblob:25f62867a16d )
 OR (
bs:"[PATCH 6.17 17/35] seccomp: passthrough uprobe systemcall without filtering" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20251031140043.974667333@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=jolsa@kernel.org \
    --cc=kees@kernel.org \
    --cc=patches@lists.linux.dev \
    --cc=peterz@infradead.org \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).