Commit bb49bcda authored by David S. Miller's avatar David S. Miller

[SPARC64]: Add SECCOMP support.

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent af166d15
...@@ -43,6 +43,23 @@ config SPARC64_PAGE_SIZE_4MB ...@@ -43,6 +43,23 @@ config SPARC64_PAGE_SIZE_4MB
endchoice endchoice
config SECCOMP
bool "Enable seccomp to safely compute untrusted bytecode"
depends on PROC_FS
default y
help
This kernel feature is useful for number crunching applications
that may need to compute untrusted bytecode during their
execution. By using pipes or other transports made available to
the process as file descriptors supporting the read/write
syscalls, it's possible to isolate those applications in
their own address space using seccomp. Once seccomp is
enabled via /proc/<pid>/seccomp, it cannot be disabled
and the task is only allowed to execute a few safe syscalls
defined by each seccomp mode.
If unsure, say Y. Only embedded should say N here.
source kernel/Kconfig.hz source kernel/Kconfig.hz
source "init/Kconfig" source "init/Kconfig"
......
...@@ -1552,7 +1552,7 @@ sys_ptrace: add %sp, PTREGS_OFF, %o0 ...@@ -1552,7 +1552,7 @@ sys_ptrace: add %sp, PTREGS_OFF, %o0
nop nop
.align 32 .align 32
1: ldx [%curptr + TI_FLAGS], %l5 1: ldx [%curptr + TI_FLAGS], %l5
andcc %l5, _TIF_SYSCALL_TRACE, %g0 andcc %l5, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP), %g0
be,pt %icc, rtrap be,pt %icc, rtrap
clr %l6 clr %l6
call syscall_trace call syscall_trace
...@@ -1676,7 +1676,7 @@ linux_sparc_syscall32: ...@@ -1676,7 +1676,7 @@ linux_sparc_syscall32:
srl %i5, 0, %o5 ! IEU1 srl %i5, 0, %o5 ! IEU1
srl %i2, 0, %o2 ! IEU0 Group srl %i2, 0, %o2 ! IEU0 Group
andcc %l0, _TIF_SYSCALL_TRACE, %g0 ! IEU0 Group andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP), %g0 ! IEU0 Group
bne,pn %icc, linux_syscall_trace32 ! CTI bne,pn %icc, linux_syscall_trace32 ! CTI
mov %i0, %l5 ! IEU1 mov %i0, %l5 ! IEU1
call %l7 ! CTI Group brk forced call %l7 ! CTI Group brk forced
...@@ -1699,7 +1699,7 @@ linux_sparc_syscall: ...@@ -1699,7 +1699,7 @@ linux_sparc_syscall:
mov %i3, %o3 ! IEU1 mov %i3, %o3 ! IEU1
mov %i4, %o4 ! IEU0 Group mov %i4, %o4 ! IEU0 Group
andcc %l0, _TIF_SYSCALL_TRACE, %g0 ! IEU1 Group+1 bubble andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP), %g0 ! IEU1 Group+1 bubble
bne,pn %icc, linux_syscall_trace ! CTI Group bne,pn %icc, linux_syscall_trace ! CTI Group
mov %i0, %l5 ! IEU0 mov %i0, %l5 ! IEU0
2: call %l7 ! CTI Group brk forced 2: call %l7 ! CTI Group brk forced
...@@ -1727,7 +1727,7 @@ ret_sys_call: ...@@ -1727,7 +1727,7 @@ ret_sys_call:
1: 1:
cmp %o0, -ERESTART_RESTARTBLOCK cmp %o0, -ERESTART_RESTARTBLOCK
bgeu,pn %xcc, 1f bgeu,pn %xcc, 1f
andcc %l0, _TIF_SYSCALL_TRACE, %l6 andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP), %l6
80: 80:
/* System call success, clear Carry condition code. */ /* System call success, clear Carry condition code. */
andn %g3, %g2, %g3 andn %g3, %g2, %g3
...@@ -1742,7 +1742,7 @@ ret_sys_call: ...@@ -1742,7 +1742,7 @@ ret_sys_call:
/* System call failure, set Carry condition code. /* System call failure, set Carry condition code.
* Also, get abs(errno) to return to the process. * Also, get abs(errno) to return to the process.
*/ */
andcc %l0, _TIF_SYSCALL_TRACE, %l6 andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP), %l6
sub %g0, %o0, %o0 sub %g0, %o0, %o0
or %g3, %g2, %g3 or %g3, %g2, %g3
stx %o0, [%sp + PTREGS_OFF + PT_V9_I0] stx %o0, [%sp + PTREGS_OFF + PT_V9_I0]
......
...@@ -4,6 +4,8 @@ ...@@ -4,6 +4,8 @@
* Copyright (C) 1999 David S. Miller (davem@redhat.com) * Copyright (C) 1999 David S. Miller (davem@redhat.com)
*/ */
#define __KERNEL_SYSCALLS__
#include <linux/config.h> #include <linux/config.h>
#include <linux/kernel.h> #include <linux/kernel.h>
#include <linux/module.h> #include <linux/module.h>
...@@ -17,7 +19,6 @@ ...@@ -17,7 +19,6 @@
#include <asm/ebus.h> #include <asm/ebus.h>
#include <asm/auxio.h> #include <asm/auxio.h>
#define __KERNEL_SYSCALLS__
#include <linux/unistd.h> #include <linux/unistd.h>
/* /*
......
...@@ -630,9 +630,9 @@ out: ...@@ -630,9 +630,9 @@ out:
asmlinkage void syscall_trace(void) asmlinkage void syscall_trace(void)
{ {
#ifdef DEBUG_PTRACE /* do the secure computing check first */
printk("%s [%d]: syscall_trace\n", current->comm, current->pid); secure_computing(current_thread_info()->kregs->u_regs[UREG_G1]);
#endif
if (!test_thread_flag(TIF_SYSCALL_TRACE)) if (!test_thread_flag(TIF_SYSCALL_TRACE))
return; return;
if (!(current->ptrace & PT_PTRACED)) if (!(current->ptrace & PT_PTRACED))
...@@ -645,12 +645,8 @@ asmlinkage void syscall_trace(void) ...@@ -645,12 +645,8 @@ asmlinkage void syscall_trace(void)
* for normal use. strace only continues with a signal if the * for normal use. strace only continues with a signal if the
* stopping signal is not SIGTRAP. -brl * stopping signal is not SIGTRAP. -brl
*/ */
#ifdef DEBUG_PTRACE
printk("%s [%d]: syscall_trace exit= %x\n", current->comm,
current->pid, current->exit_code);
#endif
if (current->exit_code) { if (current->exit_code) {
send_sig (current->exit_code, current, 1); send_sig(current->exit_code, current, 1);
current->exit_code = 0; current->exit_code = 0;
} }
} }
...@@ -220,7 +220,7 @@ register struct thread_info *current_thread_info_reg asm("g6"); ...@@ -220,7 +220,7 @@ register struct thread_info *current_thread_info_reg asm("g6");
#define TIF_NEWSIGNALS 6 /* wants new-style signals */ #define TIF_NEWSIGNALS 6 /* wants new-style signals */
#define TIF_32BIT 7 /* 32-bit binary */ #define TIF_32BIT 7 /* 32-bit binary */
#define TIF_NEWCHILD 8 /* just-spawned child process */ #define TIF_NEWCHILD 8 /* just-spawned child process */
/* TIF_* value 9 is available */ #define TIF_SECCOMP 9 /* secure computing */
#define TIF_POLLING_NRFLAG 10 #define TIF_POLLING_NRFLAG 10
#define TIF_SYSCALL_SUCCESS 11 #define TIF_SYSCALL_SUCCESS 11
/* NOTE: Thread flags >= 12 should be ones we have no interest /* NOTE: Thread flags >= 12 should be ones we have no interest
...@@ -239,6 +239,7 @@ register struct thread_info *current_thread_info_reg asm("g6"); ...@@ -239,6 +239,7 @@ register struct thread_info *current_thread_info_reg asm("g6");
#define _TIF_NEWSIGNALS (1<<TIF_NEWSIGNALS) #define _TIF_NEWSIGNALS (1<<TIF_NEWSIGNALS)
#define _TIF_32BIT (1<<TIF_32BIT) #define _TIF_32BIT (1<<TIF_32BIT)
#define _TIF_NEWCHILD (1<<TIF_NEWCHILD) #define _TIF_NEWCHILD (1<<TIF_NEWCHILD)
#define _TIF_SECCOMP (1<<TIF_SECCOMP)
#define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG) #define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG)
#define _TIF_ABI_PENDING (1<<TIF_ABI_PENDING) #define _TIF_ABI_PENDING (1<<TIF_ABI_PENDING)
#define _TIF_SYSCALL_SUCCESS (1<<TIF_SYSCALL_SUCCESS) #define _TIF_SYSCALL_SUCCESS (1<<TIF_SYSCALL_SUCCESS)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment