[SPARC64]: Add SECCOMP support.
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
David S. Miller
@@ -43,6 +43,23 @@ config SPARC64_PAGE_SIZE_4MB
|
|||||||
|
|
||||||
endchoice
|
endchoice
|
||||||
|
|
||||||
|
config SECCOMP
|
||||||
|
bool "Enable seccomp to safely compute untrusted bytecode"
|
||||||
|
depends on PROC_FS
|
||||||
|
default y
|
||||||
|
help
|
||||||
|
This kernel feature is useful for number crunching applications
|
||||||
|
that may need to compute untrusted bytecode during their
|
||||||
|
execution. By using pipes or other transports made available to
|
||||||
|
the process as file descriptors supporting the read/write
|
||||||
|
syscalls, it's possible to isolate those applications in
|
||||||
|
their own address space using seccomp. Once seccomp is
|
||||||
|
enabled via /proc/<pid>/seccomp, it cannot be disabled
|
||||||
|
and the task is only allowed to execute a few safe syscalls
|
||||||
|
defined by each seccomp mode.
|
||||||
|
|
||||||
|
If unsure, say Y. Only embedded should say N here.
|
||||||
|
|
||||||
source kernel/Kconfig.hz
|
source kernel/Kconfig.hz
|
||||||
|
|
||||||
source "init/Kconfig"
|
source "init/Kconfig"
|
||||||
|
|||||||
@@ -1552,7 +1552,7 @@ sys_ptrace: add %sp, PTREGS_OFF, %o0
|
|||||||
nop
|
nop
|
||||||
.align 32
|
.align 32
|
||||||
1: ldx [%curptr + TI_FLAGS], %l5
|
1: ldx [%curptr + TI_FLAGS], %l5
|
||||||
andcc %l5, _TIF_SYSCALL_TRACE, %g0
|
andcc %l5, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP), %g0
|
||||||
be,pt %icc, rtrap
|
be,pt %icc, rtrap
|
||||||
clr %l6
|
clr %l6
|
||||||
call syscall_trace
|
call syscall_trace
|
||||||
@@ -1676,7 +1676,7 @@ linux_sparc_syscall32:
|
|||||||
|
|
||||||
srl %i5, 0, %o5 ! IEU1
|
srl %i5, 0, %o5 ! IEU1
|
||||||
srl %i2, 0, %o2 ! IEU0 Group
|
srl %i2, 0, %o2 ! IEU0 Group
|
||||||
andcc %l0, _TIF_SYSCALL_TRACE, %g0 ! IEU0 Group
|
andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP), %g0 ! IEU0 Group
|
||||||
bne,pn %icc, linux_syscall_trace32 ! CTI
|
bne,pn %icc, linux_syscall_trace32 ! CTI
|
||||||
mov %i0, %l5 ! IEU1
|
mov %i0, %l5 ! IEU1
|
||||||
call %l7 ! CTI Group brk forced
|
call %l7 ! CTI Group brk forced
|
||||||
@@ -1699,7 +1699,7 @@ linux_sparc_syscall:
|
|||||||
|
|
||||||
mov %i3, %o3 ! IEU1
|
mov %i3, %o3 ! IEU1
|
||||||
mov %i4, %o4 ! IEU0 Group
|
mov %i4, %o4 ! IEU0 Group
|
||||||
andcc %l0, _TIF_SYSCALL_TRACE, %g0 ! IEU1 Group+1 bubble
|
andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP), %g0 ! IEU1 Group+1 bubble
|
||||||
bne,pn %icc, linux_syscall_trace ! CTI Group
|
bne,pn %icc, linux_syscall_trace ! CTI Group
|
||||||
mov %i0, %l5 ! IEU0
|
mov %i0, %l5 ! IEU0
|
||||||
2: call %l7 ! CTI Group brk forced
|
2: call %l7 ! CTI Group brk forced
|
||||||
@@ -1727,7 +1727,7 @@ ret_sys_call:
|
|||||||
1:
|
1:
|
||||||
cmp %o0, -ERESTART_RESTARTBLOCK
|
cmp %o0, -ERESTART_RESTARTBLOCK
|
||||||
bgeu,pn %xcc, 1f
|
bgeu,pn %xcc, 1f
|
||||||
andcc %l0, _TIF_SYSCALL_TRACE, %l6
|
andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP), %l6
|
||||||
80:
|
80:
|
||||||
/* System call success, clear Carry condition code. */
|
/* System call success, clear Carry condition code. */
|
||||||
andn %g3, %g2, %g3
|
andn %g3, %g2, %g3
|
||||||
@@ -1742,7 +1742,7 @@ ret_sys_call:
|
|||||||
/* System call failure, set Carry condition code.
|
/* System call failure, set Carry condition code.
|
||||||
* Also, get abs(errno) to return to the process.
|
* Also, get abs(errno) to return to the process.
|
||||||
*/
|
*/
|
||||||
andcc %l0, _TIF_SYSCALL_TRACE, %l6
|
andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP), %l6
|
||||||
sub %g0, %o0, %o0
|
sub %g0, %o0, %o0
|
||||||
or %g3, %g2, %g3
|
or %g3, %g2, %g3
|
||||||
stx %o0, [%sp + PTREGS_OFF + PT_V9_I0]
|
stx %o0, [%sp + PTREGS_OFF + PT_V9_I0]
|
||||||
|
|||||||
@@ -4,6 +4,8 @@
|
|||||||
* Copyright (C) 1999 David S. Miller (davem@redhat.com)
|
* Copyright (C) 1999 David S. Miller (davem@redhat.com)
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#define __KERNEL_SYSCALLS__
|
||||||
|
|
||||||
#include <linux/config.h>
|
#include <linux/config.h>
|
||||||
#include <linux/kernel.h>
|
#include <linux/kernel.h>
|
||||||
#include <linux/module.h>
|
#include <linux/module.h>
|
||||||
@@ -17,7 +19,6 @@
|
|||||||
#include <asm/ebus.h>
|
#include <asm/ebus.h>
|
||||||
#include <asm/auxio.h>
|
#include <asm/auxio.h>
|
||||||
|
|
||||||
#define __KERNEL_SYSCALLS__
|
|
||||||
#include <linux/unistd.h>
|
#include <linux/unistd.h>
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|||||||
@@ -630,9 +630,9 @@ out:
|
|||||||
|
|
||||||
asmlinkage void syscall_trace(void)
|
asmlinkage void syscall_trace(void)
|
||||||
{
|
{
|
||||||
#ifdef DEBUG_PTRACE
|
/* do the secure computing check first */
|
||||||
printk("%s [%d]: syscall_trace\n", current->comm, current->pid);
|
secure_computing(current_thread_info()->kregs->u_regs[UREG_G1]);
|
||||||
#endif
|
|
||||||
if (!test_thread_flag(TIF_SYSCALL_TRACE))
|
if (!test_thread_flag(TIF_SYSCALL_TRACE))
|
||||||
return;
|
return;
|
||||||
if (!(current->ptrace & PT_PTRACED))
|
if (!(current->ptrace & PT_PTRACED))
|
||||||
@@ -645,10 +645,6 @@ asmlinkage void syscall_trace(void)
|
|||||||
* for normal use. strace only continues with a signal if the
|
* for normal use. strace only continues with a signal if the
|
||||||
* stopping signal is not SIGTRAP. -brl
|
* stopping signal is not SIGTRAP. -brl
|
||||||
*/
|
*/
|
||||||
#ifdef DEBUG_PTRACE
|
|
||||||
printk("%s [%d]: syscall_trace exit= %x\n", current->comm,
|
|
||||||
current->pid, current->exit_code);
|
|
||||||
#endif
|
|
||||||
if (current->exit_code) {
|
if (current->exit_code) {
|
||||||
send_sig(current->exit_code, current, 1);
|
send_sig(current->exit_code, current, 1);
|
||||||
current->exit_code = 0;
|
current->exit_code = 0;
|
||||||
|
|||||||
@@ -220,7 +220,7 @@ register struct thread_info *current_thread_info_reg asm("g6");
|
|||||||
#define TIF_NEWSIGNALS 6 /* wants new-style signals */
|
#define TIF_NEWSIGNALS 6 /* wants new-style signals */
|
||||||
#define TIF_32BIT 7 /* 32-bit binary */
|
#define TIF_32BIT 7 /* 32-bit binary */
|
||||||
#define TIF_NEWCHILD 8 /* just-spawned child process */
|
#define TIF_NEWCHILD 8 /* just-spawned child process */
|
||||||
/* TIF_* value 9 is available */
|
#define TIF_SECCOMP 9 /* secure computing */
|
||||||
#define TIF_POLLING_NRFLAG 10
|
#define TIF_POLLING_NRFLAG 10
|
||||||
#define TIF_SYSCALL_SUCCESS 11
|
#define TIF_SYSCALL_SUCCESS 11
|
||||||
/* NOTE: Thread flags >= 12 should be ones we have no interest
|
/* NOTE: Thread flags >= 12 should be ones we have no interest
|
||||||
@@ -239,6 +239,7 @@ register struct thread_info *current_thread_info_reg asm("g6");
|
|||||||
#define _TIF_NEWSIGNALS (1<<TIF_NEWSIGNALS)
|
#define _TIF_NEWSIGNALS (1<<TIF_NEWSIGNALS)
|
||||||
#define _TIF_32BIT (1<<TIF_32BIT)
|
#define _TIF_32BIT (1<<TIF_32BIT)
|
||||||
#define _TIF_NEWCHILD (1<<TIF_NEWCHILD)
|
#define _TIF_NEWCHILD (1<<TIF_NEWCHILD)
|
||||||
|
#define _TIF_SECCOMP (1<<TIF_SECCOMP)
|
||||||
#define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG)
|
#define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG)
|
||||||
#define _TIF_ABI_PENDING (1<<TIF_ABI_PENDING)
|
#define _TIF_ABI_PENDING (1<<TIF_ABI_PENDING)
|
||||||
#define _TIF_SYSCALL_SUCCESS (1<<TIF_SYSCALL_SUCCESS)
|
#define _TIF_SYSCALL_SUCCESS (1<<TIF_SYSCALL_SUCCESS)
|
||||||
|
|||||||
Reference in New Issue
Block a user