* [PATCH v2 0/3] powerpc: Enable seccomp filter support
From: Bogdan Purcareata @ 2015-02-11 8:36 UTC
To: benh, paulus, linuxppc-dev
Cc: pmoore, linux-kernel, Bogdan Purcareata, strosake

Add the missing pieces in order to enable SECCOMP_FILTER on PowerPC architectures, and enable this support.

Testing has been pursued using libseccomp with the latest ppc support patches [1], on Freescale platforms for both ppc and ppc64. ppc64le support is untested.

[1] https://groups.google.com/forum/#!topic/libseccomp/ktR-bQr1tGw

v2:
- move setting ENOSYS from syscall entry assembly to do_syscall_trace_enter

Bogdan Purcareata (3):
  powerpc: Don't force ENOSYS as error on syscall fail
  powerpc: Relax secure computing on syscall entry trace
  powerpc: Enable HAVE_ARCH_SECCOMP_FILTER

 arch/powerpc/Kconfig           | 1 +
 arch/powerpc/kernel/entry_32.S | 2 +-
 arch/powerpc/kernel/entry_64.S | 1 -
 arch/powerpc/kernel/ptrace.c   | 8 ++++++--
 4 files changed, 8 insertions(+), 4 deletions(-)

--
2.1.4
* [PATCH v2 1/3] powerpc: Don't force ENOSYS as error on syscall fail 2015-02-11 8:36 [PATCH v2 0/3] powerpc: Enable seccomp filter support Bogdan Purcareata @ 2015-02-11 8:36 ` Bogdan Purcareata 2015-02-12 5:24 ` Michael Ellerman 2015-02-11 8:36 ` [PATCH 2/3] powerpc: Relax secure computing on syscall entry trace Bogdan Purcareata 2015-02-11 8:36 ` [PATCH 3/3] powerpc: Enable HAVE_ARCH_SECCOMP_FILTER Bogdan Purcareata 2 siblings, 1 reply; 6+ messages in thread From: Bogdan Purcareata @ 2015-02-11 8:36 UTC (permalink / raw) To: benh, paulus, linuxppc-dev Cc: pmoore, linux-kernel, Bogdan Purcareata, strosake In certain scenarios - e.g. seccomp filtering with ERRNO as default action - the system call fails for other reasons than the syscall not being available. The seccomp filter can be configured to store a user-defined error code on return from a blacklisted syscall. Don't always set ENOSYS on do_syscall_trace_enter failure. v2: - move setting ENOSYS as errno from the syscall entry assembly to do_syscall_trace_enter, only in the specific case Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com> --- arch/powerpc/kernel/entry_32.S | 2 +- arch/powerpc/kernel/entry_64.S | 1 - arch/powerpc/kernel/ptrace.c | 4 +++- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/arch/powerpc/kernel/entry_32.S b/arch/powerpc/kernel/entry_32.S index 10a0935..d2c58a3 100644 --- a/arch/powerpc/kernel/entry_32.S +++ b/arch/powerpc/kernel/entry_32.S @@ -425,7 +425,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_NEED_PAIRED_STWCX) b 1b #endif /* CONFIG_44x */ -66: li r3,-ENOSYS +66: b ret_from_syscall .globl ret_from_fork diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S index 194e46d..0111e04 100644 --- a/arch/powerpc/kernel/entry_64.S +++ b/arch/powerpc/kernel/entry_64.S @@ -269,7 +269,6 @@ syscall_dotrace: b .Lsyscall_dotrace_cont syscall_enosys: - li r3,-ENOSYS b syscall_exit syscall_exit_work: 
diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c index f21897b..d82fd0b 100644 --- a/arch/powerpc/kernel/ptrace.c +++ b/arch/powerpc/kernel/ptrace.c @@ -1775,13 +1775,15 @@ long do_syscall_trace_enter(struct pt_regs *regs) secure_computing_strict(regs->gpr[0]); if (test_thread_flag(TIF_SYSCALL_TRACE) && - tracehook_report_syscall_entry(regs)) + tracehook_report_syscall_entry(regs)) { /* * Tracing decided this syscall should not happen. * We'll return a bogus call number to get an ENOSYS * error, but leave the original number in regs->gpr[0]. */ ret = -1L; + syscall_set_return_value(current, regs, -ENOSYS, 0); + } if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) trace_sys_enter(regs, regs->gpr[0]); -- 2.1.4 ^ permalink raw reply related [flat|nested] 6+ messages in thread
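Review bot: In the entry_64.S hunk, dropping `li r3,-ENOSYS` under `syscall_enosys:` (and the matching `66: li r3,-ENOSYS` in the entry_32.S hunk) leaves nothing in these hunks that loads an error code into r3 before the branch to the exit path. If these labels are also the target of the plain syscall-number range check when no tracing is active, an out-of-range syscall would return whatever r3 held on entry instead of -ENOSYS. Keep the load on the untraced path and bypass it only when do_syscall_trace_enter has already stored a return value.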
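Review bot: In the ptrace.c hunk, the comment inside the newly braced block still reads "We'll return a bogus call number to get an ENOSYS error", but after this change the error comes from the added `syscall_set_return_value(current, regs, -ENOSYS, 0);` and not from the bogus number. Reword the comment to match, and confirm that ptrace.c already includes the header declaring syscall_set_return_value, since the hunk adds no include.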
* Re: [PATCH v2 1/3] powerpc: Don't force ENOSYS as error on syscall fail 2015-02-11 8:36 ` [PATCH v2 1/3] powerpc: Don't force ENOSYS as error on syscall fail Bogdan Purcareata @ 2015-02-12 5:24 ` Michael Ellerman 2015-02-12 8:38 ` Purcareata Bogdan 0 siblings, 1 reply; 6+ messages in thread From: Michael Ellerman @ 2015-02-12 5:24 UTC (permalink / raw) To: Bogdan Purcareata; +Cc: linux-kernel, pmoore, paulus, strosake, linuxppc-dev On Wed, 2015-02-11 at 08:36 +0000, Bogdan Purcareata wrote: > In certain scenarios - e.g. seccomp filtering with ERRNO as default action - > the system call fails for other reasons than the syscall not being available. > The seccomp filter can be configured to store a user-defined error code on > return from a blacklisted syscall. Don't always set ENOSYS on > do_syscall_trace_enter failure. > > v2: > - move setting ENOSYS as errno from the syscall entry assembly to > do_syscall_trace_enter, only in the specific case > diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S > index 194e46d..0111e04 100644 > --- a/arch/powerpc/kernel/entry_64.S > +++ b/arch/powerpc/kernel/entry_64.S > @@ -269,7 +269,6 @@ syscall_dotrace: > b .Lsyscall_dotrace_cont > > syscall_enosys: > - li r3,-ENOSYS > b syscall_exit This still looks wrong to me. On 64 bit we do: CURRENT_THREAD_INFO(r11, r1) ld r10,TI_FLAGS(r11) andi. r11,r10,_TIF_SYSCALL_DOTRACE bne syscall_dotrace .Lsyscall_dotrace_cont: cmpldi 0,r0,NR_syscalls bge- syscall_enosys ... syscall_enosys: li r3,-ENOSYS b .Lsyscall_exit Your patch removes the load of ENOSYS. Which means if we're not doing syscall tracing, and we get an out-of-bounds syscall number, we'll return with something random on r3. Won't we? The 32-bit code looks more or less similar, although the label has a different name. cheers ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v2 1/3] powerpc: Don't force ENOSYS as error on syscall fail 2015-02-12 5:24 ` Michael Ellerman @ 2015-02-12 8:38 ` Purcareata Bogdan 0 siblings, 0 replies; 6+ messages in thread From: Purcareata Bogdan @ 2015-02-12 8:38 UTC (permalink / raw) To: Michael Ellerman, Bogdan Purcareata Cc: linux-kernel, pmoore, paulus, strosake, linuxppc-dev On 12.02.2015 07:24, Michael Ellerman wrote: > On Wed, 2015-02-11 at 08:36 +0000, Bogdan Purcareata wrote: >> In certain scenarios - e.g. seccomp filtering with ERRNO as default action - >> the system call fails for other reasons than the syscall not being available. >> The seccomp filter can be configured to store a user-defined error code on >> return from a blacklisted syscall. Don't always set ENOSYS on >> do_syscall_trace_enter failure. >> >> v2: >> - move setting ENOSYS as errno from the syscall entry assembly to >> do_syscall_trace_enter, only in the specific case > >> diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S >> index 194e46d..0111e04 100644 >> --- a/arch/powerpc/kernel/entry_64.S >> +++ b/arch/powerpc/kernel/entry_64.S 
>> @@ -269,7 +269,6 @@ syscall_dotrace: >> b .Lsyscall_dotrace_cont >> >> syscall_enosys: >> - li r3,-ENOSYS >> b syscall_exit > > > This still looks wrong to me. > > On 64 bit we do: > > CURRENT_THREAD_INFO(r11, r1) > ld r10,TI_FLAGS(r11) > andi. r11,r10,_TIF_SYSCALL_DOTRACE > bne syscall_dotrace > .Lsyscall_dotrace_cont: > cmpldi 0,r0,NR_syscalls > bge- syscall_enosys > ... > > syscall_enosys: > li r3,-ENOSYS > b .Lsyscall_exit > > > Your patch removes the load of ENOSYS. > > Which means if we're not doing syscall tracing, and we get an out-of-bounds > syscall number, we'll return with something random on r3. Won't we? Thanks for pointing this out, you are absolutely right. Perhaps this is a fix for the issue - on 64 bit: ld r10,TI_FLAGS(r11) andi. r11,r10,_TIF_SYSCALL_T_OR_A bne syscall_dotrace -.Lsyscall_dotrace_cont: cmpldi 0,r0,NR_syscalls bge- syscall_enosys system_call: ... syscall_enosys: li r3,-ENOSYS b .Lsyscall_exit ... syscall_dotrace: ... addi r9,r1,STACK_FRAME_OVERHEAD CURRENT_THREAD_INFO(r10, r1) ld r10,TI_FLAGS(r10) - b .Lsyscall_dotrace_cont + cmpldi 0,r0,NR_syscalls + bge syscall_exit + b system_call So basically I leave the code for syscall_enosys unchanged, but I keep using it only when not doing syscall tracing. When doing syscall tracing, I'm assuming do_syscall_trace_enter will take care of setting the errno, and should it return an invalid syscall number, go directly to syscall_exit. > The 32-bit code looks more or less similar, although the label has a different > name. Same thing for 32-bit: _GLOBAL(DoSyscall) lwz r11,TI_FLAGS(r10) andi. r11,r11,_TIF_SYSCALL_T_OR_A bne- syscall_dotrace -syscall_dotrace_cont: cmplwi 0,r0,NR_syscalls lis r10,sys_call_table@h ori r10,r10,sys_call_table@l slwi r0,r0,2 bge 66f +syscall_dotrace_cont: lwzx r10,r10,r0 /* Fetch system call handler [ptr] */ mtlr r10 addi r9,r1,STACK_FRAME_OVERHEAD ... 66: li r3,-ENOSYS b ret_from_syscall ... 
syscall_dotrace: lwz r7,GPR7(r1) lwz r8,GPR8(r1) REST_NVGPRS(r1) + cmplwi 0,r0,NR_syscalls + lis r10,sys_call_table@h + ori r10,r10,sys_call_table@l + slwi r0,r0,2 + bge- ret_from_syscall b syscall_dotrace_cont However I must admit that I don't like duplicating those 4 lines of code associated with verifying the syscall number. I can't think of any better way to do this. I also thought about leaving this check in one place, and then branch differently according to _TIF_SYSCALL_T_OR_A. Do you think that would be a better approach? Thank you, Bogdan P. ^ permalink raw reply [flat|nested] 6+ messages in thread
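Review bot: In the proposed 64-bit change, the traced path's `bge syscall_exit` (and `bge- ret_from_syscall` in the 32-bit version) assumes a return value was already stored, but the ptrace.c hunk in 1/3 stores -ENOSYS only inside the `tracehook_report_syscall_entry(regs)` branch. A traced task that passes an out-of-range syscall number without the tracer vetoing it would take this branch with no error code set by any line shown in the thread. One option that also avoids the duplicated range check is to store -ENOSYS as the default result before calling do_syscall_trace_enter, so that seccomp or the tracer overrides it only when they choose a different value.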
* [PATCH 2/3] powerpc: Relax secure computing on syscall entry trace 2015-02-11 8:36 [PATCH v2 0/3] powerpc: Enable seccomp filter support Bogdan Purcareata 2015-02-11 8:36 ` [PATCH v2 1/3] powerpc: Don't force ENOSYS as error on syscall fail Bogdan Purcareata @ 2015-02-11 8:36 ` Bogdan Purcareata 2015-02-11 8:36 ` [PATCH 3/3] powerpc: Enable HAVE_ARCH_SECCOMP_FILTER Bogdan Purcareata 2 siblings, 0 replies; 6+ messages in thread From: Bogdan Purcareata @ 2015-02-11 8:36 UTC (permalink / raw) To: benh, paulus, linuxppc-dev Cc: pmoore, linux-kernel, Bogdan Purcareata, strosake The secure_computing_strict will just force the kernel to panic on secure_computing failure. Once SECCOMP_FILTER support is enabled in the kernel, syscalls can be denied without system failure. Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com> --- arch/powerpc/kernel/ptrace.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c index d82fd0b..d41faab 100644 --- a/arch/powerpc/kernel/ptrace.c +++ b/arch/powerpc/kernel/ptrace.c @@ -1772,7 +1772,9 @@ long do_syscall_trace_enter(struct pt_regs *regs) user_exit(); - secure_computing_strict(regs->gpr[0]); + /* Do the secure computing check first; failures should be fast. */ + if (secure_computing(regs->gpr[0]) == -1) + return -1L; if (test_thread_flag(TIF_SYSCALL_TRACE) && tracehook_report_syscall_entry(regs)) { -- 2.1.4 ^ permalink raw reply related [flat|nested] 6+ messages in thread
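Review bot: The new early `return -1L;` after `secure_computing(regs->gpr[0]) == -1` sets no return value itself, while 1/3 makes the tracehook branch call `syscall_set_return_value(current, regs, -ENOSYS, 0)` and removes the ENOSYS load from the entry assembly. That makes this path depend on secure_computing() having stored a result in regs for every outcome that yields -1. Say so in the comment above the check, or set a default here, and note in the changelog that this patch must not be applied without 1/3.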
* [PATCH 3/3] powerpc: Enable HAVE_ARCH_SECCOMP_FILTER 2015-02-11 8:36 [PATCH v2 0/3] powerpc: Enable seccomp filter support Bogdan Purcareata 2015-02-11 8:36 ` [PATCH v2 1/3] powerpc: Don't force ENOSYS as error on syscall fail Bogdan Purcareata 2015-02-11 8:36 ` [PATCH 2/3] powerpc: Relax secure computing on syscall entry trace Bogdan Purcareata @ 2015-02-11 8:36 ` Bogdan Purcareata 2 siblings, 0 replies; 6+ messages in thread From: Bogdan Purcareata @ 2015-02-11 8:36 UTC (permalink / raw) To: benh, paulus, linuxppc-dev Cc: pmoore, linux-kernel, Bogdan Purcareata, strosake Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com> --- arch/powerpc/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index a2a168e..72f363e 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -104,6 +104,7 @@ config PPC select HAVE_EFFICIENT_UNALIGNED_ACCESS if !CPU_LITTLE_ENDIAN select HAVE_KPROBES select HAVE_ARCH_KGDB + select HAVE_ARCH_SECCOMP_FILTER select HAVE_KRETPROBES select HAVE_ARCH_TRACEHOOK select HAVE_MEMBLOCK -- 2.1.4 ^ permalink raw reply related [flat|nested] 6+ messages in thread
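Review bot: The `select HAVE_ARCH_SECCOMP_FILTER` line is added unconditionally under `config PPC`, and the patch carries no changelog beyond the Signed-off-by. The cover letter states that ppc64le is untested, so the commit message should list which requirements for the option are now met on powerpc and record that ppc64le has not been exercised, or the select should be restricted until it has.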