From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 273ECC43458 for ; Mon, 6 Jul 2026 02:41:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Transfer-Encoding: Content-Type:In-Reply-To:From:References:CC:To:Subject:MIME-Version:Date: Message-ID:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=tLzU64zcWCpCqtKqdJfi72+8jOLqHwm6rAX9TlEnpBE=; b=BxrVJ660lHcxRD1qTzZevlEAe5 wHHyeSR4tjffV7AA7ogOwv7gXes3zyDCGajKPCMIB3ynieu9yvKOrWmMvTKhFqF8lwj4ieStWPV6a dUV1hNJE6uYPC3RMKnkddU/sK/GtRlueu1cKfXe9XZ/ttW5OobMAnlxGoKzwOMhwqAiFa++Lbuovp Y8OyaTx9YET/7951Cfhg7+H8mW6sTd75I1FOk+Tv93+Ap2ap5JUu3iinXvsCGSFzQYOkZAB1HibkL ApVvQU2UYIRs7Mb8sTcB/gzDHN2nvVndQ0XBX4agBuB4RaByDSoXaWww2ItpT2haehRkECrIbT09s cwcgixxA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.99.1 #2 (Red Hat Linux)) id 1wgZH7-0000000BPYX-0VDB; Mon, 06 Jul 2026 02:41:37 +0000 Received: from canpmsgout05.his.huawei.com ([113.46.200.220]) by bombadil.infradead.org with esmtps (Exim 4.99.1 #2 (Red Hat Linux)) id 1wgZH2-0000000BPXC-3guO for linux-um@lists.infradead.org; Mon, 06 Jul 2026 02:41:35 +0000 dkim-signature: v=1; a=rsa-sha256; d=huawei.com; s=dkim; c=relaxed/relaxed; q=dns/txt; h=From; bh=tLzU64zcWCpCqtKqdJfi72+8jOLqHwm6rAX9TlEnpBE=; b=6kW0tTks7I4JJHDfBVjF8dEaDL2J766PtNvpdA6LbQQFpMfTqMznvyBNQeh9wxbc/IYSzn3ZU f2djYQecToR3moTosPPfqQapkuoiHKQieMFK0sbmqWZPM62GXgOZ9REO2UonKr5TBLANxucel3h 3onSIAA/PUlP2PaW4QIuLbU= Received: from mail.maildlp.com (unknown [172.19.163.0]) by canpmsgout05.his.huawei.com (SkyGuard) with ESMTPS id 4gtpL20K7Pz12LHv; Mon, 6 Jul 2026 10:32:42 +0800 (CST) Received: from dggpemf500011.china.huawei.com (unknown [7.185.36.131]) by mail.maildlp.com (Postfix) with ESMTPS id 836134057A; Mon, 6 Jul 2026 10:41:22 +0800 (CST) Received: from [10.67.109.254] (10.67.109.254) by dggpemf500011.china.huawei.com (7.185.36.131) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Mon, 6 Jul 2026 10:41:17 +0800 Message-ID: Date: Mon, 6 Jul 2026 10:41:16 +0800 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v16 01/18] seccomp: Convert __secure_computing() to return boolean To: Ada Couprie Diaz CC: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , References: <20260629130616.642022-1-ruanjinjie@huawei.com> <20260629130616.642022-2-ruanjinjie@huawei.com> From: Jinjie Ruan In-Reply-To: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit X-Originating-IP: [10.67.109.254] X-ClientProxiedBy: kwepems500002.china.huawei.com (7.221.188.17) To dggpemf500011.china.huawei.com (7.185.36.131) X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.9.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20260705_194133_317438_8E9762B5 X-CRM114-Status: GOOD ( 23.51 ) X-BeenThere: linux-um@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-um" Errors-To: linux-um-bounces+linux-um=archiver.kernel.org@lists.infradead.org On 7/1/2026 12:37 AM, Ada Couprie Diaz wrote: > Hi Jinjie, > > On 29/06/2026 14:05, Jinjie Ruan wrote: >> The return value of __secure_computing() currently uses 0 to indicate >> that a system call should be allowed, and -1 to indicate that it should >> be blocked/killed. This 0/-1 pattern is non-intuitive for a security >> check function and makes the control flow at the call sites less >> readable. >> >> Furthermore, any potential future changes to these return values would >> require a high-risk, error-prone audit of all its users across different >> architectures. >> >> Sanitize this logic by converting the return type of __secure_computing() >> to a proper boolean, where 'true' explicitly means 'allow' and 'false' >> means 'fail/deny'. >> >> Update all the two dozen or so call sites across the tree to align with >> this new boolean semantic. No functional changes are intended, as the >> callers still return -1 to the lower-level assembly entry code upon >> seccomp denial. > Would it be relevant to mention that this fixes the unsound return value of > `syscall_trace_enter()` in generic entry, which motivated the patch > initially[0] ? That's a very good point. It's definitely worth mentioning >> Suggested-by: Thomas Gleixner >> Signed-off-by: Jinjie Ruan >> --- >>   arch/alpha/kernel/ptrace.c            |  2 +- >>   arch/arm/kernel/ptrace.c              |  2 +- >>   arch/arm64/kernel/ptrace.c            |  2 +- >>   arch/csky/kernel/ptrace.c             |  2 +- >>   arch/m68k/kernel/ptrace.c             |  2 +- >>   arch/mips/kernel/ptrace.c             |  2 +- >>   arch/parisc/kernel/ptrace.c           |  2 +- >>   arch/sh/kernel/ptrace_32.c            |  2 +- >>   arch/um/kernel/skas/syscall.c         |  2 +- >>   arch/x86/entry/vsyscall/vsyscall_64.c |  2 +- >>   arch/xtensa/kernel/ptrace.c           |  3 +-- >>   include/linux/entry-common.h          |  7 +++--- >>   include/linux/seccomp.h               | 10 ++++---- >>   kernel/seccomp.c                      | 34 +++++++++++++-------------- >>   14 files changed, 36 insertions(+), 38 deletions(-) > > This is missing an update to the Kconfig documentation, a possible > suggestion : Will update it. > > diff --git a/arch/Kconfig b/arch/Kconfig > index fa7507ac8e13..9e3d40088afb 100644 > --- a/arch/Kconfig > +++ b/arch/Kconfig > @@ -637,7 +637,7 @@ config HAVE_ARCH_SECCOMP_FILTER >           - syscall_set_return_value() >           - SIGSYS siginfo_t support >           - secure_computing is called from a ptrace_event()-safe context > -         - secure_computing return value is checked and a return value > of -1 > +         - secure_computing return value is checked and if false >             results in the system call being skipped immediately. >           - seccomp syscall wired up >           - if !HAVE_SPARSE_SYSCALL_NR, have SECCOMP_ARCH_NATIVE, > >> [...] >> diff --git a/include/linux/entry-common.h b/include/linux/entry-common.h >> index 416a3352261f..3f66320e46d3 100644 >> --- a/include/linux/entry-common.h >> +++ b/include/linux/entry-common.h >> @@ -100,9 +100,8 @@ static __always_inline long >> syscall_trace_enter(struct pt_regs *regs, unsigned l >>         /* Do seccomp after ptrace, to catch any tracer changes. */ >>       if (work & SYSCALL_WORK_SECCOMP) { >> -        ret = __secure_computing(); >> -        if (ret == -1L) >> -            return ret; >> +        if (!__secure_computing()) >> +            return -1L; >>       } >>         /* Either of the above might have changed the syscall number */ >> @@ -113,7 +112,7 @@ static __always_inline long >> syscall_trace_enter(struct pt_regs *regs, unsigned l >>         syscall_enter_audit(regs, syscall); >>   -    return ret ? : syscall; >> +    return syscall; >>   } >> [...] > > Otherwise this feels like a more appropriate change with regards to > "safeguarding against new `secure_computing()` return value" ! > > With the updated Kconfig : > Reviewed-by: Ada Couprie Diaz > > Thanks, > Ada > > [0]: https://lore.kernel.org/r/20260511092103.1974980-2- > ruanjinjie@huawei.com > >