SUPERH platform development
 help / color / mirror / Atom feed
From: Ada Couprie Diaz <ada.coupriediaz@arm.com>
To: Jinjie Ruan <ruanjinjie@huawei.com>
Cc: Ada Couprie Diaz <ada.coupriediaz@arm.com>,
	oleg@redhat.com, richard.henderson@linaro.org,
	mattst88@gmail.com, linmag7@gmail.com, linux@armlinux.org.uk,
	catalin.marinas@arm.com, will@kernel.org, kees@kernel.org,
	guoren@kernel.org, chenhuacai@kernel.org, kernel@xen0n.name,
	geert@linux-m68k.org, tsbogend@alpha.franken.de,
	James.Bottomley@HansenPartnership.com, deller@gmx.de,
	maddy@linux.ibm.com, mpe@ellerman.id.au, npiggin@gmail.com,
	chleroy@kernel.org, pjw@kernel.org, palmer@dabbelt.com,
	aou@eecs.berkeley.edu, alex@ghiti.fr, hca@linux.ibm.com,
	gor@linux.ibm.com, agordeev@linux.ibm.com,
	borntraeger@linux.ibm.com, svens@linux.ibm.com,
	ysato@users.sourceforge.jp, dalias@libc.org,
	glaubitz@physik.fu-berlin.de, richard@nod.at,
	anton.ivanov@cambridgegreys.com, johannes@sipsolutions.net,
	luto@kernel.org, tglx@kernel.org, mingo@redhat.com, bp@alien8.de,
	dave.hansen@linux.intel.com, hpa@zytor.com, chris@zankel.net,
	jcmvbkbc@gmail.com, peterz@infradead.org, wad@chromium.org,
	thuth@redhat.com, mark.rutland@arm.com, kevin.brodsky@arm.com,
	linusw@kernel.org, yeoreum.yun@arm.com, song@kernel.org,
	james.morse@arm.com, anshuman.khandual@arm.com,
	broonie@kernel.org, liqiang01@kylinos.cn, pengcan@kylinos.cn,
	ryan.roberts@arm.com, yangtiezhu@loongson.cn,
	sshegde@linux.ibm.com, mchauras@linux.ibm.com,
	austin.kim@lge.com, jchrist@linux.ibm.com, arnd@arndb.de,
	thomas.weissschuh@linutronix.de, sohil.mehta@intel.com,
	andrew.cooper3@citrix.com, jgross@suse.com, kas@kernel.org,
	x86@kernel.org, linux-alpha@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org,
	linux-csky@vger.kernel.org, loongarch@lists.linux.dev,
	linux-m68k@lists.linux-m68k.org, linux-mips@vger.kernel.org,
	linux-parisc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
	linux-riscv@lists.infradead.org, linux-s390@vger.kernel.org,
	linux-sh@vger.kernel.org, linux-um@lists.infradead.org
Subject: Re: [PATCH v16 01/18] seccomp: Convert __secure_computing() to return boolean
Date: Tue, 30 Jun 2026 17:37:39 +0100	[thread overview]
Message-ID: <b8f3b5cd-8d8a-4396-ba0c-011a83234dd9@arm.com> (raw)
In-Reply-To: <20260629130616.642022-2-ruanjinjie@huawei.com>

Hi Jinjie,

On 29/06/2026 14:05, Jinjie Ruan wrote:
> The return value of __secure_computing() currently uses 0 to indicate
> that a system call should be allowed, and -1 to indicate that it should
> be blocked/killed. This 0/-1 pattern is non-intuitive for a security
> check function and makes the control flow at the call sites less readable.
>
> Furthermore, any potential future changes to these return values would
> require a high-risk, error-prone audit of all its users across different
> architectures.
>
> Sanitize this logic by converting the return type of __secure_computing()
> to a proper boolean, where 'true' explicitly means 'allow' and 'false'
> means 'fail/deny'.
>
> Update all the two dozen or so call sites across the tree to align with
> this new boolean semantic. No functional changes are intended, as the
> callers still return -1 to the lower-level assembly entry code upon
> seccomp denial.
Would it be relevant to mention that this fixes the unsound return value of
`syscall_trace_enter()` in generic entry, which motivated the patch 
initially[0] ?
> Suggested-by: Thomas Gleixner <tglx@kernel.org>
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> ---
>   arch/alpha/kernel/ptrace.c            |  2 +-
>   arch/arm/kernel/ptrace.c              |  2 +-
>   arch/arm64/kernel/ptrace.c            |  2 +-
>   arch/csky/kernel/ptrace.c             |  2 +-
>   arch/m68k/kernel/ptrace.c             |  2 +-
>   arch/mips/kernel/ptrace.c             |  2 +-
>   arch/parisc/kernel/ptrace.c           |  2 +-
>   arch/sh/kernel/ptrace_32.c            |  2 +-
>   arch/um/kernel/skas/syscall.c         |  2 +-
>   arch/x86/entry/vsyscall/vsyscall_64.c |  2 +-
>   arch/xtensa/kernel/ptrace.c           |  3 +--
>   include/linux/entry-common.h          |  7 +++---
>   include/linux/seccomp.h               | 10 ++++----
>   kernel/seccomp.c                      | 34 +++++++++++++--------------
>   14 files changed, 36 insertions(+), 38 deletions(-)

This is missing an update to the Kconfig documentation, a possible
suggestion :

diff --git a/arch/Kconfig b/arch/Kconfig
index fa7507ac8e13..9e3d40088afb 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -637,7 +637,7 @@ config HAVE_ARCH_SECCOMP_FILTER
           - syscall_set_return_value()
           - SIGSYS siginfo_t support
           - secure_computing is called from a ptrace_event()-safe context
-         - secure_computing return value is checked and a return value of -1
+         - secure_computing return value is checked and if false
             results in the system call being skipped immediately.
           - seccomp syscall wired up
           - if !HAVE_SPARSE_SYSCALL_NR, have SECCOMP_ARCH_NATIVE,

> [...]
> diff --git a/include/linux/entry-common.h b/include/linux/entry-common.h
> index 416a3352261f..3f66320e46d3 100644
> --- a/include/linux/entry-common.h
> +++ b/include/linux/entry-common.h
> @@ -100,9 +100,8 @@ static __always_inline long syscall_trace_enter(struct pt_regs *regs, unsigned l
>   
>   	/* Do seccomp after ptrace, to catch any tracer changes. */
>   	if (work & SYSCALL_WORK_SECCOMP) {
> -		ret = __secure_computing();
> -		if (ret == -1L)
> -			return ret;
> +		if (!__secure_computing())
> +			return -1L;
>   	}
>   
>   	/* Either of the above might have changed the syscall number */
> @@ -113,7 +112,7 @@ static __always_inline long syscall_trace_enter(struct pt_regs *regs, unsigned l
>   
>   	syscall_enter_audit(regs, syscall);
>   
> -	return ret ? : syscall;
> +	return syscall;
>   }
> [...]

Otherwise this feels like a more appropriate change with regards to
"safeguarding against new `secure_computing()` return value" !

With the updated Kconfig :
Reviewed-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>

Thanks,
Ada

[0]: 
https://lore.kernel.org/r/20260511092103.1974980-2-ruanjinjie@huawei.com


  reply	other threads:[~2026-06-30 16:37 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29 13:05 [PATCH v16 00/18] arm64: entry: Convert to Generic Entry Jinjie Ruan
2026-06-29 13:05 ` [PATCH v16 01/18] seccomp: Convert __secure_computing() to return boolean Jinjie Ruan
2026-06-30 16:37   ` Ada Couprie Diaz [this message]
2026-07-03  7:51   ` Michal Suchánek
2026-07-03  9:48     ` Thomas Gleixner
2026-07-03 10:00       ` Mark Rutland
2026-07-03 10:27         ` Michal Suchánek
2026-07-03 11:59           ` Kevin Brodsky
2026-07-03 20:52             ` Thomas Gleixner
2026-07-03 21:01               ` H. Peter Anvin
2026-07-03 21:32         ` Linus Walleij
2026-06-29 13:06 ` [PATCH v16 02/18] syscall_user_dispatch: Introduce a weak fallback for arch_syscall_is_vdso_sigreturn() Jinjie Ruan
2026-07-03 11:13   ` Mukesh Kumar Chaurasiya
2026-07-03 11:43   ` Mark Rutland
2026-06-29 13:06 ` [PATCH v16 03/18] arm64: ptrace: Pass thread flags to syscall_trace_enter/exit() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 04/18] arm64: ptrace: Use syscall_get_nr() helper for syscall_trace_enter() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 05/18] arm64: ptrace: Expand secure_computing() in place Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 06/18] arm64: ptrace: Use syscall_get_arguments() helper for audit Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 07/18] arm64: ptrace: Protect rseq_syscall() from tracer PC modifications Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 08/18] arm64: ptrace: Rename syscall_trace_exit() to syscall_exit_work() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 09/18] arm64: syscall: Rework the syscall exit path in el0_svc_common() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 10/18] arm64: ptrace: Extract syscall_exit_to_user_mode_work() helper Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 11/18] arm64: ptrace: Align syscall exit work semantics with generic entry Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 12/18] arm64: syscall: Use exit-specific flags check in el0_svc_common() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 13/18] arm64: syscall: Simplify el0_svc_common() syscall exit path Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 14/18] arm64: syscall: Simplify syscall exit path in el0_svc_common() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 15/18] arm64: ptrace: Skip syscall exit reporting for PTRACE_SYSEMU_SINGLESTEP Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 16/18] arm64: entry: Convert to generic entry Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 17/18] arm64: Inline el0_svc_common() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 18/18] arm64: vdso: Expose sigreturn address on vdso to the kernel Jinjie Ruan
2026-06-30 15:32   ` Thomas Weißschuh

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=b8f3b5cd-8d8a-4396-ba0c-011a83234dd9@arm.com \
    --to=ada.coupriediaz@arm.com \
    --cc=James.Bottomley@HansenPartnership.com \
    --cc=agordeev@linux.ibm.com \
    --cc=alex@ghiti.fr \
    --cc=andrew.cooper3@citrix.com \
    --cc=anshuman.khandual@arm.com \
    --cc=anton.ivanov@cambridgegreys.com \
    --cc=aou@eecs.berkeley.edu \
    --cc=arnd@arndb.de \
    --cc=austin.kim@lge.com \
    --cc=borntraeger@linux.ibm.com \
    --cc=bp@alien8.de \
    --cc=broonie@kernel.org \
    --cc=catalin.marinas@arm.com \
    --cc=chenhuacai@kernel.org \
    --cc=chleroy@kernel.org \
    --cc=chris@zankel.net \
    --cc=dalias@libc.org \
    --cc=dave.hansen@linux.intel.com \
    --cc=deller@gmx.de \
    --cc=geert@linux-m68k.org \
    --cc=glaubitz@physik.fu-berlin.de \
    --cc=gor@linux.ibm.com \
    --cc=guoren@kernel.org \
    --cc=hca@linux.ibm.com \
    --cc=hpa@zytor.com \
    --cc=james.morse@arm.com \
    --cc=jchrist@linux.ibm.com \
    --cc=jcmvbkbc@gmail.com \
    --cc=jgross@suse.com \
    --cc=johannes@sipsolutions.net \
    --cc=kas@kernel.org \
    --cc=kees@kernel.org \
    --cc=kernel@xen0n.name \
    --cc=kevin.brodsky@arm.com \
    --cc=linmag7@gmail.com \
    --cc=linusw@kernel.org \
    --cc=linux-alpha@vger.kernel.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-csky@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-m68k@lists.linux-m68k.org \
    --cc=linux-mips@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=linux-parisc@vger.kernel.org \
    --cc=linux-riscv@lists.infradead.org \
    --cc=linux-s390@vger.kernel.org \
    --cc=linux-sh@vger.kernel.org \
    --cc=linux-um@lists.infradead.org \
    --cc=linux@armlinux.org.uk \
    --cc=linuxppc-dev@lists.ozlabs.org \
    --cc=liqiang01@kylinos.cn \
    --cc=loongarch@lists.linux.dev \
    --cc=luto@kernel.org \
    --cc=maddy@linux.ibm.com \
    --cc=mark.rutland@arm.com \
    --cc=mattst88@gmail.com \
    --cc=mchauras@linux.ibm.com \
    --cc=mingo@redhat.com \
    --cc=mpe@ellerman.id.au \
    --cc=npiggin@gmail.com \
    --cc=oleg@redhat.com \
    --cc=palmer@dabbelt.com \
    --cc=pengcan@kylinos.cn \
    --cc=peterz@infradead.org \
    --cc=pjw@kernel.org \
    --cc=richard.henderson@linaro.org \
    --cc=richard@nod.at \
    --cc=ruanjinjie@huawei.com \
    --cc=ryan.roberts@arm.com \
    --cc=sohil.mehta@intel.com \
    --cc=song@kernel.org \
    --cc=sshegde@linux.ibm.com \
    --cc=svens@linux.ibm.com \
    --cc=tglx@kernel.org \
    --cc=thomas.weissschuh@linutronix.de \
    --cc=thuth@redhat.com \
    --cc=tsbogend@alpha.franken.de \
    --cc=wad@chromium.org \
    --cc=will@kernel.org \
    --cc=x86@kernel.org \
    --cc=yangtiezhu@loongson.cn \
    --cc=yeoreum.yun@arm.com \
    --cc=ysato@users.sourceforge.jp \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox