* [PATCH 0/3] powerpc: Enable seccomp filter support
@ 2015-02-09 7:55 Bogdan Purcareata
2015-02-09 7:55 ` [RFC][PATCH 1/3] powerpc: Don't force ENOSYS as error on syscall fail Bogdan Purcareata
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Bogdan Purcareata @ 2015-02-09 7:55 UTC (permalink / raw)
To: benh, paulus, linuxppc-dev
Cc: pmoore, linux-kernel, Bogdan Purcareata, strosake
Add the missing pieces in order to enable SECCOMP_FILTER on PowerPC
architectures, and enable this support.
Testing has been pursued using libseccomp with the latest ppc support patches
[1], on Freescale platforms for both ppc and ppc64. ppc64le support is
untested.
[1] https://groups.google.com/forum/#!topic/libseccomp/ktR-bQr1tGw
Bogdan Purcareata (3):
powerpc: Don't force ENOSYS as error on syscall fail
powerpc: Relax secure computing on syscall entry trace
powerpc: Enable HAVE_ARCH_SECCOMP_FILTER
arch/powerpc/Kconfig | 1 +
arch/powerpc/kernel/entry_32.S | 3 ++-
arch/powerpc/kernel/entry_64.S | 2 +-
arch/powerpc/kernel/ptrace.c | 4 +++-
4 files changed, 7 insertions(+), 3 deletions(-)
--
2.1.4
^ permalink raw reply [flat|nested] 7+ messages in thread* [RFC][PATCH 1/3] powerpc: Don't force ENOSYS as error on syscall fail 2015-02-09 7:55 [PATCH 0/3] powerpc: Enable seccomp filter support Bogdan Purcareata @ 2015-02-09 7:55 ` Bogdan Purcareata 2015-02-09 8:56 ` Purcareata Bogdan 2015-02-11 3:04 ` Michael Ellerman 2015-02-09 7:55 ` [PATCH 2/3] powerpc: Relax secure computing on syscall entry trace Bogdan Purcareata 2015-02-09 7:55 ` [PATCH] powerpc: Enable HAVE_ARCH_SECCOMP_FILTER Bogdan Purcareata 2 siblings, 2 replies; 7+ messages in thread From: Bogdan Purcareata @ 2015-02-09 7:55 UTC (permalink / raw) To: benh, paulus, linuxppc-dev Cc: pmoore, linux-kernel, Bogdan Purcareata, strosake In certain scenarios - e.g. seccomp filtering with ERRNO as default action - the system call fails for other reasons than the syscall not being available. The seccomp filter can be configured to store a user-defined error code on return from a blacklisted syscall. The RFC is this: are there currently any user-space scenarios where it is required that the system call return ENOSYS as error code on failure, no matter the circumstances? I don't want to break userspace requirements. I have not added code to force this error code in situations different than secure_computing failure, in order to keep overhead at a minimum. Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com> --- arch/powerpc/kernel/entry_32.S | 3 ++- arch/powerpc/kernel/entry_64.S | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/kernel/entry_32.S b/arch/powerpc/kernel/entry_32.S index 59848e5..52e48dd 100644 --- a/arch/powerpc/kernel/entry_32.S +++ b/arch/powerpc/kernel/entry_32.S @@ -425,7 +425,8 @@ END_FTR_SECTION_IFSET(CPU_FTR_NEED_PAIRED_STWCX) b 1b #endif /* CONFIG_44x */ -66: li r3,-ENOSYS +66: +# li r3,-ENOSYS b ret_from_syscall .globl ret_from_fork diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S index e6bfe8e..80db02e 100644 --- a/arch/powerpc/kernel/entry_64.S +++ b/arch/powerpc/kernel/entry_64.S @@ -269,7 +269,7 @@ syscall_dotrace: b .Lsyscall_dotrace_cont syscall_enosys: - li r3,-ENOSYS +# li r3,-ENOSYS b syscall_exit syscall_exit_work: -- 2.1.4 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [RFC][PATCH 1/3] powerpc: Don't force ENOSYS as error on syscall fail 2015-02-09 7:55 ` [RFC][PATCH 1/3] powerpc: Don't force ENOSYS as error on syscall fail Bogdan Purcareata @ 2015-02-09 8:56 ` Purcareata Bogdan 2015-02-11 3:04 ` Michael Ellerman 1 sibling, 0 replies; 7+ messages in thread From: Purcareata Bogdan @ 2015-02-09 8:56 UTC (permalink / raw) To: Bogdan Purcareata, benh, paulus, linuxppc-dev Cc: pmoore, linux-kernel, strosake Obvious mistake on my behalf to send the patch with lines commented out. I will fix it in v2. On 09.02.2015 09:55, Bogdan Purcareata wrote: > In certain scenarios - e.g. seccomp filtering with ERRNO as default action - > the system call fails for other reasons than the syscall not being available. > The seccomp filter can be configured to store a user-defined error code on > return from a blacklisted syscall. > > The RFC is this: are there currently any user-space scenarios where it is > required that the system call return ENOSYS as error code on failure, no matter > the circumstances? I don't want to break userspace requirements. I have not > added code to force this error code in situations different than > secure_computing failure, in order to keep overhead at a minimum. > > Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com> > --- > arch/powerpc/kernel/entry_32.S | 3 ++- > arch/powerpc/kernel/entry_64.S | 2 +- > 2 files changed, 3 insertions(+), 2 deletions(-) > > diff --git a/arch/powerpc/kernel/entry_32.S b/arch/powerpc/kernel/entry_32.S > index 59848e5..52e48dd 100644 > --- a/arch/powerpc/kernel/entry_32.S > +++ b/arch/powerpc/kernel/entry_32.S > @@ -425,7 +425,8 @@ END_FTR_SECTION_IFSET(CPU_FTR_NEED_PAIRED_STWCX) > b 1b > #endif /* CONFIG_44x */ > > -66: li r3,-ENOSYS > +66: > +# li r3,-ENOSYS > b ret_from_syscall > > .globl ret_from_fork > diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S > index e6bfe8e..80db02e 100644 > --- a/arch/powerpc/kernel/entry_64.S > +++ b/arch/powerpc/kernel/entry_64.S > @@ -269,7 +269,7 @@ syscall_dotrace: > b .Lsyscall_dotrace_cont > > syscall_enosys: > - li r3,-ENOSYS > +# li r3,-ENOSYS > b syscall_exit > > syscall_exit_work: > ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [RFC][PATCH 1/3] powerpc: Don't force ENOSYS as error on syscall fail 2015-02-09 7:55 ` [RFC][PATCH 1/3] powerpc: Don't force ENOSYS as error on syscall fail Bogdan Purcareata 2015-02-09 8:56 ` Purcareata Bogdan @ 2015-02-11 3:04 ` Michael Ellerman 2015-02-11 7:59 ` Purcareata Bogdan 1 sibling, 1 reply; 7+ messages in thread From: Michael Ellerman @ 2015-02-11 3:04 UTC (permalink / raw) To: Bogdan Purcareata; +Cc: linux-kernel, pmoore, paulus, strosake, linuxppc-dev On Mon, 2015-02-09 at 07:55 +0000, Bogdan Purcareata wrote: > In certain scenarios - e.g. seccomp filtering with ERRNO as default action - > the system call fails for other reasons than the syscall not being available. > The seccomp filter can be configured to store a user-defined error code on > return from a blacklisted syscall. > > The RFC is this: are there currently any user-space scenarios where it is > required that the system call return ENOSYS as error code on failure, no matter > the circumstances? I don't want to break userspace requirements. I have not > added code to force this error code in situations different than > secure_computing failure, in order to keep overhead at a minimum. > > Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com> > --- > arch/powerpc/kernel/entry_32.S | 3 ++- > arch/powerpc/kernel/entry_64.S | 2 +- > 2 files changed, 3 insertions(+), 2 deletions(-) > > diff --git a/arch/powerpc/kernel/entry_32.S b/arch/powerpc/kernel/entry_32.S > index 59848e5..52e48dd 100644 > --- a/arch/powerpc/kernel/entry_32.S > +++ b/arch/powerpc/kernel/entry_32.S > @@ -425,7 +425,8 @@ END_FTR_SECTION_IFSET(CPU_FTR_NEED_PAIRED_STWCX) > b 1b > #endif /* CONFIG_44x */ > > -66: li r3,-ENOSYS > +66: > +# li r3,-ENOSYS > b ret_from_syscall > > .globl ret_from_fork > diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S > index e6bfe8e..80db02e 100644 > --- a/arch/powerpc/kernel/entry_64.S > +++ b/arch/powerpc/kernel/entry_64.S > @@ -269,7 +269,7 @@ syscall_dotrace: > b .Lsyscall_dotrace_cont > > syscall_enosys: > - li r3,-ENOSYS > +# li r3,-ENOSYS > b syscall_exit So what happens if you call this with a syscall number that's out of bounds? cheers ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [RFC][PATCH 1/3] powerpc: Don't force ENOSYS as error on syscall fail 2015-02-11 3:04 ` Michael Ellerman @ 2015-02-11 7:59 ` Purcareata Bogdan 0 siblings, 0 replies; 7+ messages in thread From: Purcareata Bogdan @ 2015-02-11 7:59 UTC (permalink / raw) To: Michael Ellerman, Bogdan Purcareata Cc: linux-kernel, pmoore, paulus, strosake, linuxppc-dev On 11.02.2015 05:04, Michael Ellerman wrote: > On Mon, 2015-02-09 at 07:55 +0000, Bogdan Purcareata wrote: >> In certain scenarios - e.g. seccomp filtering with ERRNO as default action - >> the system call fails for other reasons than the syscall not being available. >> The seccomp filter can be configured to store a user-defined error code on >> return from a blacklisted syscall. >> >> The RFC is this: are there currently any user-space scenarios where it is >> required that the system call return ENOSYS as error code on failure, no matter >> the circumstances? I don't want to break userspace requirements. I have not >> added code to force this error code in situations different than >> secure_computing failure, in order to keep overhead at a minimum. >> >> Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com> >> --- >> arch/powerpc/kernel/entry_32.S | 3 ++- >> arch/powerpc/kernel/entry_64.S | 2 +- >> 2 files changed, 3 insertions(+), 2 deletions(-) >> >> diff --git a/arch/powerpc/kernel/entry_32.S b/arch/powerpc/kernel/entry_32.S >> index 59848e5..52e48dd 100644 >> --- a/arch/powerpc/kernel/entry_32.S >> +++ b/arch/powerpc/kernel/entry_32.S >> @@ -425,7 +425,8 @@ END_FTR_SECTION_IFSET(CPU_FTR_NEED_PAIRED_STWCX) >> b 1b >> #endif /* CONFIG_44x */ >> >> -66: li r3,-ENOSYS >> +66: >> +# li r3,-ENOSYS >> b ret_from_syscall >> >> .globl ret_from_fork >> diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S >> index e6bfe8e..80db02e 100644 >> --- a/arch/powerpc/kernel/entry_64.S >> +++ b/arch/powerpc/kernel/entry_64.S >> @@ -269,7 +269,7 @@ syscall_dotrace: >> b .Lsyscall_dotrace_cont >> >> syscall_enosys: >> - li r3,-ENOSYS >> +# li r3,-ENOSYS >> b syscall_exit > > So what happens if you call this with a syscall number that's out of bounds? As far as my current understanding goes, the call will return with -1 with a errno that's undefined (or I've not seen it be defined anywhere). I've thought more about this, and I guess the best option would be to move setting -ENOSYS as errno from the syscall entry assembly to do_syscall_trace_enter (as opposed to eliminating it at all). I was a little reluctant to do this at first in order to keep overhead to a minimum, but it's certainly not an option to change behavior if the syscall number is out of bounds. v2 to come shortly. Thanks, Bogdan P. ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 2/3] powerpc: Relax secure computing on syscall entry trace 2015-02-09 7:55 [PATCH 0/3] powerpc: Enable seccomp filter support Bogdan Purcareata 2015-02-09 7:55 ` [RFC][PATCH 1/3] powerpc: Don't force ENOSYS as error on syscall fail Bogdan Purcareata @ 2015-02-09 7:55 ` Bogdan Purcareata 2015-02-09 7:55 ` [PATCH] powerpc: Enable HAVE_ARCH_SECCOMP_FILTER Bogdan Purcareata 2 siblings, 0 replies; 7+ messages in thread From: Bogdan Purcareata @ 2015-02-09 7:55 UTC (permalink / raw) To: benh, paulus, linuxppc-dev Cc: pmoore, linux-kernel, Bogdan Purcareata, strosake The secure_computing_strict will just force the kernel to panic on secure_computing failure. Once SECCOMP_FILTER support is enabled in the kernel, syscalls can be denied without system failure. Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com> --- arch/powerpc/kernel/ptrace.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c index 100e01c..5c654ac 100644 --- a/arch/powerpc/kernel/ptrace.c +++ b/arch/powerpc/kernel/ptrace.c @@ -1772,7 +1772,9 @@ long do_syscall_trace_enter(struct pt_regs *regs) user_exit(); - secure_computing_strict(regs->gpr[0]); + /* Do the secure computing check first; failures should be fast. */ + if (secure_computing(regs->gpr[0]) == -1) + return -1L; if (test_thread_flag(TIF_SYSCALL_TRACE) && tracehook_report_syscall_entry(regs)) -- 2.1.4 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH] powerpc: Enable HAVE_ARCH_SECCOMP_FILTER 2015-02-09 7:55 [PATCH 0/3] powerpc: Enable seccomp filter support Bogdan Purcareata 2015-02-09 7:55 ` [RFC][PATCH 1/3] powerpc: Don't force ENOSYS as error on syscall fail Bogdan Purcareata 2015-02-09 7:55 ` [PATCH 2/3] powerpc: Relax secure computing on syscall entry trace Bogdan Purcareata @ 2015-02-09 7:55 ` Bogdan Purcareata 2 siblings, 0 replies; 7+ messages in thread From: Bogdan Purcareata @ 2015-02-09 7:55 UTC (permalink / raw) To: benh, paulus, linuxppc-dev Cc: pmoore, linux-kernel, Bogdan Purcareata, strosake Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com> --- arch/powerpc/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index a2a168e..72f363e 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -104,6 +104,7 @@ config PPC select HAVE_EFFICIENT_UNALIGNED_ACCESS if !CPU_LITTLE_ENDIAN select HAVE_KPROBES select HAVE_ARCH_KGDB + select HAVE_ARCH_SECCOMP_FILTER select HAVE_KRETPROBES select HAVE_ARCH_TRACEHOOK select HAVE_MEMBLOCK -- 2.1.4 ^ permalink raw reply related [flat|nested] 7+ messages in thread
end of thread, other threads:[~2015-02-11 7:59 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2015-02-09 7:55 [PATCH 0/3] powerpc: Enable seccomp filter support Bogdan Purcareata 2015-02-09 7:55 ` [RFC][PATCH 1/3] powerpc: Don't force ENOSYS as error on syscall fail Bogdan Purcareata 2015-02-09 8:56 ` Purcareata Bogdan 2015-02-11 3:04 ` Michael Ellerman 2015-02-11 7:59 ` Purcareata Bogdan 2015-02-09 7:55 ` [PATCH 2/3] powerpc: Relax secure computing on syscall entry trace Bogdan Purcareata 2015-02-09 7:55 ` [PATCH] powerpc: Enable HAVE_ARCH_SECCOMP_FILTER Bogdan Purcareata
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).