From: Ada Couprie Diaz <ada.coupriediaz@arm.com>
To: Jinjie Ruan <ruanjinjie@huawei.com>
Cc: Ada Couprie Diaz <ada.coupriediaz@arm.com>,
oleg@redhat.com, richard.henderson@linaro.org,
mattst88@gmail.com, linmag7@gmail.com, linux@armlinux.org.uk,
catalin.marinas@arm.com, will@kernel.org, kees@kernel.org,
guoren@kernel.org, chenhuacai@kernel.org, kernel@xen0n.name,
geert@linux-m68k.org, tsbogend@alpha.franken.de,
James.Bottomley@HansenPartnership.com, deller@gmx.de,
maddy@linux.ibm.com, mpe@ellerman.id.au, npiggin@gmail.com,
chleroy@kernel.org, pjw@kernel.org, palmer@dabbelt.com,
aou@eecs.berkeley.edu, alex@ghiti.fr, hca@linux.ibm.com,
gor@linux.ibm.com, agordeev@linux.ibm.com,
borntraeger@linux.ibm.com, svens@linux.ibm.com,
ysato@users.sourceforge.jp, dalias@libc.org,
glaubitz@physik.fu-berlin.de, richard@nod.at,
anton.ivanov@cambridgegreys.com, johannes@sipsolutions.net,
luto@kernel.org, tglx@kernel.org, mingo@redhat.com, bp@alien8.de,
dave.hansen@linux.intel.com, hpa@zytor.com, chris@zankel.net,
jcmvbkbc@gmail.com, peterz@infradead.org, wad@chromium.org,
thuth@redhat.com, mark.rutland@arm.com, kevin.brodsky@arm.com,
linusw@kernel.org, yeoreum.yun@arm.com, song@kernel.org,
james.morse@arm.com, anshuman.khandual@arm.com,
broonie@kernel.org, liqiang01@kylinos.cn, pengcan@kylinos.cn,
ryan.roberts@arm.com, yangtiezhu@loongson.cn,
sshegde@linux.ibm.com, mchauras@linux.ibm.com,
austin.kim@lge.com, jchrist@linux.ibm.com, arnd@arndb.de,
thomas.weissschuh@linutronix.de, sohil.mehta@intel.com,
andrew.cooper3@citrix.com, jgross@suse.com, kas@kernel.org,
x86@kernel.org, linux-alpha@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org,
linux-csky@vger.kernel.org, loongarch@lists.linux.dev,
linux-m68k@lists.linux-m68k.org, linux-mips@vger.kernel.org,
linux-parisc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-riscv@lists.infradead.org, linux-s390@vger.kernel.org,
linux-sh@vger.kernel.org, linux-um@lists.infradead.org
Subject: Re: [PATCH v16 01/18] seccomp: Convert __secure_computing() to return boolean
Date: Tue, 30 Jun 2026 17:37:39 +0100 [thread overview]
Message-ID: <b8f3b5cd-8d8a-4396-ba0c-011a83234dd9@arm.com> (raw)
In-Reply-To: <20260629130616.642022-2-ruanjinjie@huawei.com>
Hi Jinjie,
On 29/06/2026 14:05, Jinjie Ruan wrote:
> The return value of __secure_computing() currently uses 0 to indicate
> that a system call should be allowed, and -1 to indicate that it should
> be blocked/killed. This 0/-1 pattern is non-intuitive for a security
> check function and makes the control flow at the call sites less readable.
>
> Furthermore, any potential future changes to these return values would
> require a high-risk, error-prone audit of all its users across different
> architectures.
>
> Sanitize this logic by converting the return type of __secure_computing()
> to a proper boolean, where 'true' explicitly means 'allow' and 'false'
> means 'fail/deny'.
>
> Update all the two dozen or so call sites across the tree to align with
> this new boolean semantic. No functional changes are intended, as the
> callers still return -1 to the lower-level assembly entry code upon
> seccomp denial.
Would it be relevant to mention that this fixes the unsound return value of
`syscall_trace_enter()` in generic entry, which motivated the patch
initially[0] ?
> Suggested-by: Thomas Gleixner <tglx@kernel.org>
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> ---
> arch/alpha/kernel/ptrace.c | 2 +-
> arch/arm/kernel/ptrace.c | 2 +-
> arch/arm64/kernel/ptrace.c | 2 +-
> arch/csky/kernel/ptrace.c | 2 +-
> arch/m68k/kernel/ptrace.c | 2 +-
> arch/mips/kernel/ptrace.c | 2 +-
> arch/parisc/kernel/ptrace.c | 2 +-
> arch/sh/kernel/ptrace_32.c | 2 +-
> arch/um/kernel/skas/syscall.c | 2 +-
> arch/x86/entry/vsyscall/vsyscall_64.c | 2 +-
> arch/xtensa/kernel/ptrace.c | 3 +--
> include/linux/entry-common.h | 7 +++---
> include/linux/seccomp.h | 10 ++++----
> kernel/seccomp.c | 34 +++++++++++++--------------
> 14 files changed, 36 insertions(+), 38 deletions(-)
This is missing an update to the Kconfig documentation, a possible
suggestion :
diff --git a/arch/Kconfig b/arch/Kconfig
index fa7507ac8e13..9e3d40088afb 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -637,7 +637,7 @@ config HAVE_ARCH_SECCOMP_FILTER
- syscall_set_return_value()
- SIGSYS siginfo_t support
- secure_computing is called from a ptrace_event()-safe context
- - secure_computing return value is checked and a return value of -1
+ - secure_computing return value is checked and if false
results in the system call being skipped immediately.
- seccomp syscall wired up
- if !HAVE_SPARSE_SYSCALL_NR, have SECCOMP_ARCH_NATIVE,
> [...]
> diff --git a/include/linux/entry-common.h b/include/linux/entry-common.h
> index 416a3352261f..3f66320e46d3 100644
> --- a/include/linux/entry-common.h
> +++ b/include/linux/entry-common.h
> @@ -100,9 +100,8 @@ static __always_inline long syscall_trace_enter(struct pt_regs *regs, unsigned l
>
> /* Do seccomp after ptrace, to catch any tracer changes. */
> if (work & SYSCALL_WORK_SECCOMP) {
> - ret = __secure_computing();
> - if (ret == -1L)
> - return ret;
> + if (!__secure_computing())
> + return -1L;
> }
>
> /* Either of the above might have changed the syscall number */
> @@ -113,7 +112,7 @@ static __always_inline long syscall_trace_enter(struct pt_regs *regs, unsigned l
>
> syscall_enter_audit(regs, syscall);
>
> - return ret ? : syscall;
> + return syscall;
> }
> [...]
Otherwise this feels like a more appropriate change with regards to
"safeguarding against new `secure_computing()` return value" !
With the updated Kconfig :
Reviewed-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Thanks,
Ada
[0]:
https://lore.kernel.org/r/20260511092103.1974980-2-ruanjinjie@huawei.com
next prev parent reply other threads:[~2026-06-30 16:37 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 13:05 [PATCH v16 00/18] arm64: entry: Convert to Generic Entry Jinjie Ruan
2026-06-29 13:05 ` [PATCH v16 01/18] seccomp: Convert __secure_computing() to return boolean Jinjie Ruan
2026-06-30 16:37 ` Ada Couprie Diaz [this message]
2026-07-03 7:51 ` Michal Suchánek
2026-07-03 9:48 ` Thomas Gleixner
2026-07-03 10:00 ` Mark Rutland
2026-07-03 10:27 ` Michal Suchánek
2026-07-03 11:59 ` Kevin Brodsky
2026-07-03 20:52 ` Thomas Gleixner
2026-07-03 21:01 ` H. Peter Anvin
2026-07-03 21:32 ` Linus Walleij
2026-06-29 13:06 ` [PATCH v16 02/18] syscall_user_dispatch: Introduce a weak fallback for arch_syscall_is_vdso_sigreturn() Jinjie Ruan
2026-07-03 11:13 ` Mukesh Kumar Chaurasiya
2026-07-03 11:43 ` Mark Rutland
2026-06-29 13:06 ` [PATCH v16 03/18] arm64: ptrace: Pass thread flags to syscall_trace_enter/exit() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 04/18] arm64: ptrace: Use syscall_get_nr() helper for syscall_trace_enter() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 05/18] arm64: ptrace: Expand secure_computing() in place Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 06/18] arm64: ptrace: Use syscall_get_arguments() helper for audit Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 07/18] arm64: ptrace: Protect rseq_syscall() from tracer PC modifications Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 08/18] arm64: ptrace: Rename syscall_trace_exit() to syscall_exit_work() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 09/18] arm64: syscall: Rework the syscall exit path in el0_svc_common() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 10/18] arm64: ptrace: Extract syscall_exit_to_user_mode_work() helper Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 11/18] arm64: ptrace: Align syscall exit work semantics with generic entry Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 12/18] arm64: syscall: Use exit-specific flags check in el0_svc_common() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 13/18] arm64: syscall: Simplify el0_svc_common() syscall exit path Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 14/18] arm64: syscall: Simplify syscall exit path in el0_svc_common() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 15/18] arm64: ptrace: Skip syscall exit reporting for PTRACE_SYSEMU_SINGLESTEP Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 16/18] arm64: entry: Convert to generic entry Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 17/18] arm64: Inline el0_svc_common() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 18/18] arm64: vdso: Expose sigreturn address on vdso to the kernel Jinjie Ruan
2026-06-30 15:32 ` Thomas Weißschuh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b8f3b5cd-8d8a-4396-ba0c-011a83234dd9@arm.com \
--to=ada.coupriediaz@arm.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=agordeev@linux.ibm.com \
--cc=alex@ghiti.fr \
--cc=andrew.cooper3@citrix.com \
--cc=anshuman.khandual@arm.com \
--cc=anton.ivanov@cambridgegreys.com \
--cc=aou@eecs.berkeley.edu \
--cc=arnd@arndb.de \
--cc=austin.kim@lge.com \
--cc=borntraeger@linux.ibm.com \
--cc=bp@alien8.de \
--cc=broonie@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=chenhuacai@kernel.org \
--cc=chleroy@kernel.org \
--cc=chris@zankel.net \
--cc=dalias@libc.org \
--cc=dave.hansen@linux.intel.com \
--cc=deller@gmx.de \
--cc=geert@linux-m68k.org \
--cc=glaubitz@physik.fu-berlin.de \
--cc=gor@linux.ibm.com \
--cc=guoren@kernel.org \
--cc=hca@linux.ibm.com \
--cc=hpa@zytor.com \
--cc=james.morse@arm.com \
--cc=jchrist@linux.ibm.com \
--cc=jcmvbkbc@gmail.com \
--cc=jgross@suse.com \
--cc=johannes@sipsolutions.net \
--cc=kas@kernel.org \
--cc=kees@kernel.org \
--cc=kernel@xen0n.name \
--cc=kevin.brodsky@arm.com \
--cc=linmag7@gmail.com \
--cc=linusw@kernel.org \
--cc=linux-alpha@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-csky@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-m68k@lists.linux-m68k.org \
--cc=linux-mips@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-parisc@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux-sh@vger.kernel.org \
--cc=linux-um@lists.infradead.org \
--cc=linux@armlinux.org.uk \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=liqiang01@kylinos.cn \
--cc=loongarch@lists.linux.dev \
--cc=luto@kernel.org \
--cc=maddy@linux.ibm.com \
--cc=mark.rutland@arm.com \
--cc=mattst88@gmail.com \
--cc=mchauras@linux.ibm.com \
--cc=mingo@redhat.com \
--cc=mpe@ellerman.id.au \
--cc=npiggin@gmail.com \
--cc=oleg@redhat.com \
--cc=palmer@dabbelt.com \
--cc=pengcan@kylinos.cn \
--cc=peterz@infradead.org \
--cc=pjw@kernel.org \
--cc=richard.henderson@linaro.org \
--cc=richard@nod.at \
--cc=ruanjinjie@huawei.com \
--cc=ryan.roberts@arm.com \
--cc=sohil.mehta@intel.com \
--cc=song@kernel.org \
--cc=sshegde@linux.ibm.com \
--cc=svens@linux.ibm.com \
--cc=tglx@kernel.org \
--cc=thomas.weissschuh@linutronix.de \
--cc=thuth@redhat.com \
--cc=tsbogend@alpha.franken.de \
--cc=wad@chromium.org \
--cc=will@kernel.org \
--cc=x86@kernel.org \
--cc=yangtiezhu@loongson.cn \
--cc=yeoreum.yun@arm.com \
--cc=ysato@users.sourceforge.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox