From patchwork Fri Feb 7 10:11:31 2014
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 24282
From: AKASHI Takahiro
To: wad@chromium.org, catalin.marinas@arm.com, will.deacon@arm.com
Cc: arndb@arndb.de, linux-arm-kernel@lists.infradead.org, linaro-kernel@lists.linaro.org, linux-kernel@vger.kernel.org, patches@linaro.org, AKASHI Takahiro
Subject: [PATCH 1/2] arm64: Add seccomp support
Date: Fri, 7 Feb 2014 19:11:31 +0900
Message-Id: <1391767892-5395-2-git-send-email-takahiro.akashi@linaro.org>
In-Reply-To: <1391767892-5395-1-git-send-email-takahiro.akashi@linaro.org>
References: <1391767892-5395-1-git-send-email-takahiro.akashi@linaro.org>

secure_computing() should always be called first in syscall_trace(), and if it returns non-zero, we should stop further handling. Then that system call may eventually fail, be trapped or the process itself be killed depending on loaded rules.

This patch also defines specific system call numbers, __NR_seccomp_*, solely used by secure_computing() for seccomp mode 1 (only read, write, exit and sigreturn are allowed).

Signed-off-by: AKASHI Takahiro
---
 arch/arm64/Kconfig | 17 +++++++++++++++++
 arch/arm64/include/asm/seccomp.h | 28 ++++++++++++++++++++++++++++
 arch/arm64/include/asm/unistd.h | 3 +++
 arch/arm64/kernel/entry.S | 4 ++++
 arch/arm64/kernel/ptrace.c | 5 +++++
 5 files changed, 57 insertions(+)
 create mode 100644 arch/arm64/include/asm/seccomp.h

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index a21455e..a0102f7 100644
--- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -27,6 +27,7 @@ config ARM64 select HARDIRQS_SW_RESEND select HAVE_ARCH_AUDITSYSCALL select HAVE_ARCH_JUMP_LABEL + select HAVE_ARCH_SECCOMP_FILTER select HAVE_ARCH_TRACEHOOK select HAVE_DEBUG_BUGVERBOSE select HAVE_DEBUG_KMEMLEAK @@ -222,6 +223,22 @@ config HAVE_ARCH_TRANSPARENT_HUGEPAGE source "mm/Kconfig" +config SECCOMP + def_bool y + prompt "Enable seccomp to safely compute untrusted bytecode" + ---help--- + This kernel feature is useful for number crunching applications + that may need to compute untrusted bytecode during their + execution. By using pipes or other transports made available to + the process as file descriptors supporting the read/write + syscalls, it's possible to isolate those applications in + their own address space using seccomp. Once seccomp is + enabled via prctl(PR_SET_SECCOMP), it cannot be disabled + and the task is only allowed to execute a few safe syscalls + defined by each seccomp mode. + + If unsure, say Y. Only embedded should say N here. + config XEN_DOM0 def_bool y depends on XEN diff --git a/arch/arm64/include/asm/seccomp.h b/arch/arm64/include/asm/seccomp.h new file mode 100644 index 0000000..3482155 --- /dev/null +++ b/arch/arm64/include/asm/seccomp.h 
@@ -0,0 +1,28 @@ +/* + * arch/arm64/include/asm/seccomp.h + * + * Copyright (C) 2014 Linaro Limited + * Author: AKASHI Takahiro + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ +#ifndef _ASM_SECCOMP_H +#define _ASM_SECCOMP_H + +#include + +#ifdef CONFIG_COMPAT +#define __NR_seccomp_read_32 __NR_compat_read +#define __NR_seccomp_write_32 __NR_compat_write +#define __NR_seccomp_exit_32 __NR_compat_exit +#define __NR_seccomp_sigreturn_32 __NR_compat_sigreturn +#endif /* CONFIG_COMPAT */ + +#define __NR_seccomp_read __NR_read +#define __NR_seccomp_write __NR_write +#define __NR_seccomp_exit __NR_exit +#define __NR_seccomp_sigreturn __NR_rt_sigreturn + +#endif /* _ASM_SECCOMP_H */ diff --git a/arch/arm64/include/asm/unistd.h b/arch/arm64/include/asm/unistd.h index 4a09fdb..05f2db3 100644 --- a/arch/arm64/include/asm/unistd.h +++ b/arch/arm64/include/asm/unistd.h @@ -30,6 +30,9 @@ * Compat syscall numbers used by the AArch64 kernel. */ #define __NR_compat_restart_syscall 0 +#define __NR_compat_exit 1 +#define __NR_compat_read 3 +#define __NR_compat_write 4 #define __NR_compat_sigreturn 119 #define __NR_compat_rt_sigreturn 173 diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S index 96c2d03..55d4e6c 100644 --- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S @@ -651,6 +651,10 @@ __sys_trace: mov x1, sp mov w0, #0 // trace entry bl syscall_trace +#ifdef CONFIG_SECCOMP + cmp w0, #0 // check seccomp result + b.lt ret_to_user // -1 means 'rejected' +#endif adr lr, __sys_trace_return // return address uxtw scno, w0 // syscall number (possibly new) mov x1, sp // pointer to regs diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 8cdba09..3bfe398 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c 
@@ -26,6 +26,7 @@ #include #include #include +#include #include #include #include @@ -1064,6 +1065,10 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs) { unsigned long saved_reg; + if (!dir && secure_computing((int)regs->syscallno)) + /* seccomp failures shouldn't expose any additional code. */ + return -1; + if (is_compat_task()) { /* AArch32 uses ip (r12) for scratch */ saved_reg = regs->regs[12];
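Review bot: in the arch/arm64/Kconfig hunk, `select HAVE_ARCH_SECCOMP_FILTER` turns on filter mode, but the rest of this patch only adds the mode 1 pieces (the `__NR_seccomp_*` numbers in seccomp.h) and the new `config SECCOMP` help text describes only the strict mode; filter mode also depends on the architecture's syscall accessors (in particular syscall_get_arch() for the `arch` field of struct seccomp_data, plus the argument and return-value accessors), which do not appear here. Either state in the commit message that arm64 already provides them, or defer the `select` to the patch that adds them. The sentence "Only embedded should say N here." is copied from other architectures' help text and could be dropped.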
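Review bot: in the new arch/arm64/include/asm/seccomp.h, the `#include` line has lost its header name in this rendering; since the `__NR_compat_read`, `__NR_compat_write` and `__NR_compat_exit` macros it uses are the ones this series adds to arch/arm64/include/asm/unistd.h, please make sure that is the header being included. Separately, the native side maps `__NR_seccomp_sigreturn` to `__NR_rt_sigreturn`, while the compat side maps `__NR_seccomp_sigreturn_32` to `__NR_compat_sigreturn` (119) even though unistd.h also defines `__NR_compat_rt_sigreturn` (173); a compat task in strict mode whose handler returns through rt_sigreturn would be killed rather than allowed to return. Is the asymmetry intended, or should the compat mapping follow the native choice?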
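Review bot: in the arch/arm64/kernel/entry.S hunk, `b.lt ret_to_user` skips `__sys_trace_return`, so the syscall-exit call into syscall_trace() (the exit-side ptrace/audit hook) never runs for a call that seccomp rejected, although the entry side has already been entered; if that is deliberate it deserves a comment, otherwise branching to `__sys_trace_return` would keep the exit hook. The branch also keys purely on `w0` being negative, the same register that `uxtw scno, w0` uses as the possibly-new syscall number, so any other way syscall_trace() can return a negative value (for example a tracer rewriting the syscall number) now takes the seccomp path as well; a distinct sentinel or a separate status return would make the two cases independent.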
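Review bot: in the arch/arm64/kernel/ptrace.c hunk, syscall_trace() now has two return conventions (the syscall number, or -1 meaning "do not run the syscall"), and the caller in entry.S relies on the sign to tell them apart; please document that in the function's comment and say why `-1` is a safe sentinel here given that `regs->syscallno` is an unsigned long being cast with `(int)`. The early return on `!dir` correctly keeps seccomp ahead of the tracer and audit hooks on syscall entry, which matches the commit message, but the comment `/* seccomp failures shouldn't expose any additional code. */` should say what it means concretely (no ptrace or audit processing of a rejected call).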