]>
Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * linux/kernel/seccomp.c | |
3 | * | |
4 | * Copyright 2004-2005 Andrea Arcangeli <andrea@cpushare.com> | |
5 | * | |
e2cfabdf WD |
6 | * Copyright (C) 2012 Google, Inc. |
7 | * Will Drewry <wad@chromium.org> | |
8 | * | |
9 | * This defines a simple but solid secure-computing facility. | |
10 | * | |
11 | * Mode 1 uses a fixed list of allowed system calls. | |
12 | * Mode 2 allows user-defined system call filters in the form | |
13 | * of Berkeley Packet Filters/Linux Socket Filters. | |
1da177e4 LT |
14 | */ |
15 | ||
e2cfabdf | 16 | #include <linux/atomic.h> |
85e7bac3 | 17 | #include <linux/audit.h> |
5b101740 | 18 | #include <linux/compat.h> |
aac883e7 | 19 | #include <linux/kmemleak.h> |
e2cfabdf WD |
20 | #include <linux/sched.h> |
21 | #include <linux/seccomp.h> | |
c8bee430 | 22 | #include <linux/slab.h> |
48dc92b9 | 23 | #include <linux/syscalls.h> |
aac883e7 | 24 | #include <linux/sysctl.h> |
1da177e4 | 25 | |
a4412fc9 | 26 | #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER |
e2cfabdf | 27 | #include <asm/syscall.h> |
a4412fc9 | 28 | #endif |
e2cfabdf WD |
29 | |
30 | #ifdef CONFIG_SECCOMP_FILTER | |
e2cfabdf | 31 | #include <linux/filter.h> |
c2e1f2e3 | 32 | #include <linux/pid.h> |
fb0fadf9 | 33 | #include <linux/ptrace.h> |
e2cfabdf | 34 | #include <linux/security.h> |
e2cfabdf WD |
35 | #include <linux/tracehook.h> |
36 | #include <linux/uaccess.h> | |
37 | ||
38 | /** | |
39 | * struct seccomp_filter - container for seccomp BPF programs | |
40 | * | |
41 | * @usage: reference count to manage the object lifetime. | |
42 | * get/put helpers should be used when accessing an instance | |
43 | * outside of a lifetime-guarded section. In general, this | |
44 | * is only needed for handling filters shared across tasks. | |
85438171 | 45 | * @log: true if all actions except for SECCOMP_RET_ALLOW should be logged |
e2cfabdf WD |
46 | * @prev: points to a previously installed, or inherited, filter |
47 | * @len: the number of instructions in the program | |
119ce5c8 | 48 | * @insnsi: the BPF program instructions to evaluate |
e2cfabdf WD |
49 | * |
50 | * seccomp_filter objects are organized in a tree linked via the @prev | |
51 | * pointer. For any task, it appears to be a singly-linked list starting | |
52 | * with current->seccomp.filter, the most recently attached or inherited filter. | |
53 | * However, multiple filters may share a @prev node, by way of fork(), which | |
54 | * results in a unidirectional tree existing in memory. This is similar to | |
55 | * how namespaces work. | |
56 | * | |
57 | * seccomp_filter objects should never be modified after being attached | |
58 | * to a task_struct (other than @usage). | |
59 | */ | |
60 | struct seccomp_filter { | |
61 | atomic_t usage; | |
85438171 | 62 | bool log; |
e2cfabdf | 63 | struct seccomp_filter *prev; |
7ae457c1 | 64 | struct bpf_prog *prog; |
e2cfabdf WD |
65 | }; |
66 | ||
67 | /* Limit any path through the tree to 256KB worth of instructions. */ | |
68 | #define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter)) | |
69 | ||
bd4cf0ed | 70 | /* |
e2cfabdf WD |
71 | * Endianness is explicitly ignored and left for BPF program authors to manage |
72 | * as per the specific architecture. | |
73 | */ | |
bd4cf0ed | 74 | static void populate_seccomp_data(struct seccomp_data *sd) |
e2cfabdf | 75 | { |
bd4cf0ed AS |
76 | struct task_struct *task = current; |
77 | struct pt_regs *regs = task_pt_regs(task); | |
2eac7648 | 78 | unsigned long args[6]; |
e2cfabdf | 79 | |
bd4cf0ed | 80 | sd->nr = syscall_get_nr(task, regs); |
0b747172 | 81 | sd->arch = syscall_get_arch(); |
2eac7648 DB |
82 | syscall_get_arguments(task, regs, 0, 6, args); |
83 | sd->args[0] = args[0]; | |
84 | sd->args[1] = args[1]; | |
85 | sd->args[2] = args[2]; | |
86 | sd->args[3] = args[3]; | |
87 | sd->args[4] = args[4]; | |
88 | sd->args[5] = args[5]; | |
bd4cf0ed | 89 | sd->instruction_pointer = KSTK_EIP(task); |
e2cfabdf WD |
90 | } |
91 | ||
92 | /** | |
93 | * seccomp_check_filter - verify seccomp filter code | |
94 | * @filter: filter to verify | |
95 | * @flen: length of filter | |
96 | * | |
4df95ff4 | 97 | * Takes a previously checked filter (by bpf_check_classic) and |
e2cfabdf WD |
98 | * redirects all filter code that loads struct sk_buff data |
99 | * and related data through seccomp_bpf_load. It also | |
100 | * enforces length and alignment checking of those loads. | |
101 | * | |
102 | * Returns 0 if the rule set is legal or -EINVAL if not. | |
103 | */ | |
104 | static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen) | |
105 | { | |
106 | int pc; | |
107 | for (pc = 0; pc < flen; pc++) { | |
108 | struct sock_filter *ftest = &filter[pc]; | |
109 | u16 code = ftest->code; | |
110 | u32 k = ftest->k; | |
111 | ||
112 | switch (code) { | |
34805931 | 113 | case BPF_LD | BPF_W | BPF_ABS: |
bd4cf0ed | 114 | ftest->code = BPF_LDX | BPF_W | BPF_ABS; |
e2cfabdf WD |
115 | /* 32-bit aligned and not out of bounds. */ |
116 | if (k >= sizeof(struct seccomp_data) || k & 3) | |
117 | return -EINVAL; | |
118 | continue; | |
34805931 | 119 | case BPF_LD | BPF_W | BPF_LEN: |
bd4cf0ed | 120 | ftest->code = BPF_LD | BPF_IMM; |
e2cfabdf WD |
121 | ftest->k = sizeof(struct seccomp_data); |
122 | continue; | |
34805931 | 123 | case BPF_LDX | BPF_W | BPF_LEN: |
bd4cf0ed | 124 | ftest->code = BPF_LDX | BPF_IMM; |
e2cfabdf WD |
125 | ftest->k = sizeof(struct seccomp_data); |
126 | continue; | |
127 | /* Explicitly include allowed calls. */ | |
34805931 DB |
128 | case BPF_RET | BPF_K: |
129 | case BPF_RET | BPF_A: | |
130 | case BPF_ALU | BPF_ADD | BPF_K: | |
131 | case BPF_ALU | BPF_ADD | BPF_X: | |
132 | case BPF_ALU | BPF_SUB | BPF_K: | |
133 | case BPF_ALU | BPF_SUB | BPF_X: | |
134 | case BPF_ALU | BPF_MUL | BPF_K: | |
135 | case BPF_ALU | BPF_MUL | BPF_X: | |
136 | case BPF_ALU | BPF_DIV | BPF_K: | |
137 | case BPF_ALU | BPF_DIV | BPF_X: | |
138 | case BPF_ALU | BPF_AND | BPF_K: | |
139 | case BPF_ALU | BPF_AND | BPF_X: | |
140 | case BPF_ALU | BPF_OR | BPF_K: | |
141 | case BPF_ALU | BPF_OR | BPF_X: | |
142 | case BPF_ALU | BPF_XOR | BPF_K: | |
143 | case BPF_ALU | BPF_XOR | BPF_X: | |
144 | case BPF_ALU | BPF_LSH | BPF_K: | |
145 | case BPF_ALU | BPF_LSH | BPF_X: | |
146 | case BPF_ALU | BPF_RSH | BPF_K: | |
147 | case BPF_ALU | BPF_RSH | BPF_X: | |
148 | case BPF_ALU | BPF_NEG: | |
149 | case BPF_LD | BPF_IMM: | |
150 | case BPF_LDX | BPF_IMM: | |
151 | case BPF_MISC | BPF_TAX: | |
152 | case BPF_MISC | BPF_TXA: | |
153 | case BPF_LD | BPF_MEM: | |
154 | case BPF_LDX | BPF_MEM: | |
155 | case BPF_ST: | |
156 | case BPF_STX: | |
157 | case BPF_JMP | BPF_JA: | |
158 | case BPF_JMP | BPF_JEQ | BPF_K: | |
159 | case BPF_JMP | BPF_JEQ | BPF_X: | |
160 | case BPF_JMP | BPF_JGE | BPF_K: | |
161 | case BPF_JMP | BPF_JGE | BPF_X: | |
162 | case BPF_JMP | BPF_JGT | BPF_K: | |
163 | case BPF_JMP | BPF_JGT | BPF_X: | |
164 | case BPF_JMP | BPF_JSET | BPF_K: | |
165 | case BPF_JMP | BPF_JSET | BPF_X: | |
e2cfabdf WD |
166 | continue; |
167 | default: | |
168 | return -EINVAL; | |
169 | } | |
170 | } | |
171 | return 0; | |
172 | } | |
173 | ||
174 | /** | |
175 | * seccomp_run_filters - evaluates all seccomp filters against @syscall | |
176 | * @syscall: number of the current system call | |
806b8085 KC |
177 | * @match: stores struct seccomp_filter that resulted in the return value, |
178 | * unless filter returned SECCOMP_RET_ALLOW, in which case it will | |
179 | * be unchanged. | |
e2cfabdf WD |
180 | * |
181 | * Returns valid seccomp BPF response codes. | |
182 | */ | |
806b8085 KC |
183 | static u32 seccomp_run_filters(struct seccomp_data *sd, |
184 | struct seccomp_filter **match) | |
e2cfabdf | 185 | { |
d39bd00d | 186 | struct seccomp_data sd_local; |
acf3b2c7 | 187 | u32 ret = SECCOMP_RET_ALLOW; |
8225d385 PK |
188 | /* Make sure cross-thread synced filter points somewhere sane. */ |
189 | struct seccomp_filter *f = | |
190 | lockless_dereference(current->seccomp.filter); | |
acf3b2c7 WD |
191 | |
192 | /* Ensure unexpected behavior doesn't result in failing open. */ | |
3ba2530c | 193 | if (unlikely(WARN_ON(f == NULL))) |
acf3b2c7 WD |
194 | return SECCOMP_RET_KILL; |
195 | ||
d39bd00d AL |
196 | if (!sd) { |
197 | populate_seccomp_data(&sd_local); | |
198 | sd = &sd_local; | |
199 | } | |
bd4cf0ed | 200 | |
e2cfabdf WD |
201 | /* |
202 | * All filters in the list are evaluated and the lowest BPF return | |
acf3b2c7 | 203 | * value always takes priority (ignoring the DATA). |
e2cfabdf | 204 | */ |
3ba2530c | 205 | for (; f; f = f->prev) { |
d39bd00d | 206 | u32 cur_ret = BPF_PROG_RUN(f->prog, (void *)sd); |
8f577cad | 207 | |
806b8085 | 208 | if ((cur_ret & SECCOMP_RET_ACTION) < (ret & SECCOMP_RET_ACTION)) { |
acf3b2c7 | 209 | ret = cur_ret; |
806b8085 KC |
210 | *match = f; |
211 | } | |
e2cfabdf WD |
212 | } |
213 | return ret; | |
214 | } | |
1f41b450 | 215 | #endif /* CONFIG_SECCOMP_FILTER */ |
e2cfabdf | 216 | |
1f41b450 KC |
217 | static inline bool seccomp_may_assign_mode(unsigned long seccomp_mode) |
218 | { | |
69f6a34b | 219 | assert_spin_locked(¤t->sighand->siglock); |
dbd95212 | 220 | |
1f41b450 KC |
221 | if (current->seccomp.mode && current->seccomp.mode != seccomp_mode) |
222 | return false; | |
223 | ||
224 | return true; | |
225 | } | |
226 | ||
3ba2530c KC |
227 | static inline void seccomp_assign_mode(struct task_struct *task, |
228 | unsigned long seccomp_mode) | |
1f41b450 | 229 | { |
69f6a34b | 230 | assert_spin_locked(&task->sighand->siglock); |
dbd95212 | 231 | |
3ba2530c KC |
232 | task->seccomp.mode = seccomp_mode; |
233 | /* | |
234 | * Make sure TIF_SECCOMP cannot be set before the mode (and | |
235 | * filter) is set. | |
236 | */ | |
237 | smp_mb__before_atomic(); | |
238 | set_tsk_thread_flag(task, TIF_SECCOMP); | |
1f41b450 KC |
239 | } |
240 | ||
241 | #ifdef CONFIG_SECCOMP_FILTER | |
c2e1f2e3 KC |
242 | /* Returns 1 if the parent is an ancestor of the child. */ |
243 | static int is_ancestor(struct seccomp_filter *parent, | |
244 | struct seccomp_filter *child) | |
245 | { | |
246 | /* NULL is the root ancestor. */ | |
247 | if (parent == NULL) | |
248 | return 1; | |
249 | for (; child; child = child->prev) | |
250 | if (child == parent) | |
251 | return 1; | |
252 | return 0; | |
253 | } | |
254 | ||
255 | /** | |
256 | * seccomp_can_sync_threads: checks if all threads can be synchronized | |
257 | * | |
258 | * Expects sighand and cred_guard_mutex locks to be held. | |
259 | * | |
260 | * Returns 0 on success, -ve on error, or the pid of a thread which was | |
261 | * either not in the correct seccomp mode or it did not have an ancestral | |
262 | * seccomp filter. | |
263 | */ | |
264 | static inline pid_t seccomp_can_sync_threads(void) | |
265 | { | |
266 | struct task_struct *thread, *caller; | |
267 | ||
268 | BUG_ON(!mutex_is_locked(¤t->signal->cred_guard_mutex)); | |
69f6a34b | 269 | assert_spin_locked(¤t->sighand->siglock); |
c2e1f2e3 KC |
270 | |
271 | /* Validate all threads being eligible for synchronization. */ | |
272 | caller = current; | |
273 | for_each_thread(caller, thread) { | |
274 | pid_t failed; | |
275 | ||
276 | /* Skip current, since it is initiating the sync. */ | |
277 | if (thread == caller) | |
278 | continue; | |
279 | ||
280 | if (thread->seccomp.mode == SECCOMP_MODE_DISABLED || | |
281 | (thread->seccomp.mode == SECCOMP_MODE_FILTER && | |
282 | is_ancestor(thread->seccomp.filter, | |
283 | caller->seccomp.filter))) | |
284 | continue; | |
285 | ||
286 | /* Return the first thread that cannot be synchronized. */ | |
287 | failed = task_pid_vnr(thread); | |
288 | /* If the pid cannot be resolved, then return -ESRCH */ | |
289 | if (unlikely(WARN_ON(failed == 0))) | |
290 | failed = -ESRCH; | |
291 | return failed; | |
292 | } | |
293 | ||
294 | return 0; | |
295 | } | |
296 | ||
297 | /** | |
298 | * seccomp_sync_threads: sets all threads to use current's filter | |
299 | * | |
300 | * Expects sighand and cred_guard_mutex locks to be held, and for | |
301 | * seccomp_can_sync_threads() to have returned success already | |
302 | * without dropping the locks. | |
303 | * | |
304 | */ | |
305 | static inline void seccomp_sync_threads(void) | |
306 | { | |
307 | struct task_struct *thread, *caller; | |
308 | ||
309 | BUG_ON(!mutex_is_locked(¤t->signal->cred_guard_mutex)); | |
69f6a34b | 310 | assert_spin_locked(¤t->sighand->siglock); |
c2e1f2e3 KC |
311 | |
312 | /* Synchronize all threads. */ | |
313 | caller = current; | |
314 | for_each_thread(caller, thread) { | |
315 | /* Skip current, since it needs no changes. */ | |
316 | if (thread == caller) | |
317 | continue; | |
318 | ||
319 | /* Get a task reference for the new leaf node. */ | |
320 | get_seccomp_filter(caller); | |
321 | /* | |
322 | * Drop the task reference to the shared ancestor since | |
323 | * current's path will hold a reference. (This also | |
324 | * allows a put before the assignment.) | |
325 | */ | |
326 | put_seccomp_filter(thread); | |
327 | smp_store_release(&thread->seccomp.filter, | |
328 | caller->seccomp.filter); | |
95a9c620 JH |
329 | |
330 | /* | |
331 | * Don't let an unprivileged task work around | |
332 | * the no_new_privs restriction by creating | |
333 | * a thread that sets it up, enters seccomp, | |
334 | * then dies. | |
335 | */ | |
336 | if (task_no_new_privs(caller)) | |
337 | task_set_no_new_privs(thread); | |
338 | ||
c2e1f2e3 KC |
339 | /* |
340 | * Opt the other thread into seccomp if needed. | |
341 | * As threads are considered to be trust-realm | |
342 | * equivalent (see ptrace_may_access), it is safe to | |
343 | * allow one thread to transition the other. | |
344 | */ | |
95a9c620 | 345 | if (thread->seccomp.mode == SECCOMP_MODE_DISABLED) |
c2e1f2e3 | 346 | seccomp_assign_mode(thread, SECCOMP_MODE_FILTER); |
c2e1f2e3 KC |
347 | } |
348 | } | |
349 | ||
e2cfabdf | 350 | /** |
c8bee430 | 351 | * seccomp_prepare_filter: Prepares a seccomp filter for use. |
e2cfabdf WD |
352 | * @fprog: BPF program to install |
353 | * | |
c8bee430 | 354 | * Returns filter on success or an ERR_PTR on failure. |
e2cfabdf | 355 | */ |
c8bee430 | 356 | static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog) |
e2cfabdf | 357 | { |
ac67eb2c DB |
358 | struct seccomp_filter *sfilter; |
359 | int ret; | |
f8e529ed | 360 | const bool save_orig = config_enabled(CONFIG_CHECKPOINT_RESTORE); |
e2cfabdf WD |
361 | |
362 | if (fprog->len == 0 || fprog->len > BPF_MAXINSNS) | |
c8bee430 | 363 | return ERR_PTR(-EINVAL); |
d9e12f42 | 364 | |
c8bee430 | 365 | BUG_ON(INT_MAX / fprog->len < sizeof(struct sock_filter)); |
e2cfabdf WD |
366 | |
367 | /* | |
119ce5c8 | 368 | * Installing a seccomp filter requires that the task has |
e2cfabdf WD |
369 | * CAP_SYS_ADMIN in its namespace or be running with no_new_privs. |
370 | * This avoids scenarios where unprivileged tasks can affect the | |
371 | * behavior of privileged children. | |
372 | */ | |
1d4457f9 | 373 | if (!task_no_new_privs(current) && |
e2cfabdf WD |
374 | security_capable_noaudit(current_cred(), current_user_ns(), |
375 | CAP_SYS_ADMIN) != 0) | |
c8bee430 | 376 | return ERR_PTR(-EACCES); |
e2cfabdf | 377 | |
bd4cf0ed | 378 | /* Allocate a new seccomp_filter */ |
ac67eb2c DB |
379 | sfilter = kzalloc(sizeof(*sfilter), GFP_KERNEL | __GFP_NOWARN); |
380 | if (!sfilter) | |
d9e12f42 | 381 | return ERR_PTR(-ENOMEM); |
ac67eb2c DB |
382 | |
383 | ret = bpf_prog_create_from_user(&sfilter->prog, fprog, | |
f8e529ed | 384 | seccomp_check_filter, save_orig); |
ac67eb2c DB |
385 | if (ret < 0) { |
386 | kfree(sfilter); | |
387 | return ERR_PTR(ret); | |
d9e12f42 | 388 | } |
bd4cf0ed | 389 | |
ac67eb2c | 390 | atomic_set(&sfilter->usage, 1); |
e2cfabdf | 391 | |
ac67eb2c | 392 | return sfilter; |
e2cfabdf WD |
393 | } |
394 | ||
395 | /** | |
c8bee430 | 396 | * seccomp_prepare_user_filter - prepares a user-supplied sock_fprog |
e2cfabdf WD |
397 | * @user_filter: pointer to the user data containing a sock_fprog. |
398 | * | |
399 | * Returns 0 on success and non-zero otherwise. | |
400 | */ | |
c8bee430 KC |
401 | static struct seccomp_filter * |
402 | seccomp_prepare_user_filter(const char __user *user_filter) | |
e2cfabdf WD |
403 | { |
404 | struct sock_fprog fprog; | |
c8bee430 | 405 | struct seccomp_filter *filter = ERR_PTR(-EFAULT); |
e2cfabdf WD |
406 | |
407 | #ifdef CONFIG_COMPAT | |
408 | if (is_compat_task()) { | |
409 | struct compat_sock_fprog fprog32; | |
410 | if (copy_from_user(&fprog32, user_filter, sizeof(fprog32))) | |
411 | goto out; | |
412 | fprog.len = fprog32.len; | |
413 | fprog.filter = compat_ptr(fprog32.filter); | |
414 | } else /* falls through to the if below. */ | |
415 | #endif | |
416 | if (copy_from_user(&fprog, user_filter, sizeof(fprog))) | |
417 | goto out; | |
c8bee430 | 418 | filter = seccomp_prepare_filter(&fprog); |
e2cfabdf | 419 | out: |
c8bee430 KC |
420 | return filter; |
421 | } | |
422 | ||
423 | /** | |
424 | * seccomp_attach_filter: validate and attach filter | |
425 | * @flags: flags to change filter behavior | |
426 | * @filter: seccomp filter to add to the current process | |
427 | * | |
dbd95212 KC |
428 | * Caller must be holding current->sighand->siglock lock. |
429 | * | |
c8bee430 KC |
430 | * Returns 0 on success, -ve on error. |
431 | */ | |
432 | static long seccomp_attach_filter(unsigned int flags, | |
433 | struct seccomp_filter *filter) | |
434 | { | |
435 | unsigned long total_insns; | |
436 | struct seccomp_filter *walker; | |
437 | ||
69f6a34b | 438 | assert_spin_locked(¤t->sighand->siglock); |
dbd95212 | 439 | |
c8bee430 KC |
440 | /* Validate resulting filter length. */ |
441 | total_insns = filter->prog->len; | |
442 | for (walker = current->seccomp.filter; walker; walker = walker->prev) | |
443 | total_insns += walker->prog->len + 4; /* 4 instr penalty */ | |
444 | if (total_insns > MAX_INSNS_PER_PATH) | |
445 | return -ENOMEM; | |
446 | ||
c2e1f2e3 KC |
447 | /* If thread sync has been requested, check that it is possible. */ |
448 | if (flags & SECCOMP_FILTER_FLAG_TSYNC) { | |
449 | int ret; | |
450 | ||
451 | ret = seccomp_can_sync_threads(); | |
452 | if (ret) | |
453 | return ret; | |
454 | } | |
455 | ||
85438171 TH |
456 | /* Set log flag, if present. */ |
457 | if (flags & SECCOMP_FILTER_FLAG_LOG) | |
458 | filter->log = true; | |
459 | ||
c8bee430 KC |
460 | /* |
461 | * If there is an existing filter, make it the prev and don't drop its | |
462 | * task reference. | |
463 | */ | |
464 | filter->prev = current->seccomp.filter; | |
465 | current->seccomp.filter = filter; | |
466 | ||
c2e1f2e3 KC |
467 | /* Now that the new filter is in place, synchronize to all threads. */ |
468 | if (flags & SECCOMP_FILTER_FLAG_TSYNC) | |
469 | seccomp_sync_threads(); | |
470 | ||
c8bee430 | 471 | return 0; |
e2cfabdf WD |
472 | } |
473 | ||
236de4e6 ON |
474 | void __get_seccomp_filter(struct seccomp_filter *filter) |
475 | { | |
476 | /* Reference count is bounded by the number of total processes. */ | |
477 | atomic_inc(&filter->usage); | |
478 | } | |
479 | ||
e2cfabdf WD |
480 | /* get_seccomp_filter - increments the reference count of the filter on @tsk */ |
481 | void get_seccomp_filter(struct task_struct *tsk) | |
482 | { | |
483 | struct seccomp_filter *orig = tsk->seccomp.filter; | |
484 | if (!orig) | |
485 | return; | |
236de4e6 | 486 | __get_seccomp_filter(orig); |
e2cfabdf WD |
487 | } |
488 | ||
c8bee430 KC |
489 | static inline void seccomp_filter_free(struct seccomp_filter *filter) |
490 | { | |
491 | if (filter) { | |
bab18991 | 492 | bpf_prog_destroy(filter->prog); |
c8bee430 KC |
493 | kfree(filter); |
494 | } | |
495 | } | |
496 | ||
236de4e6 | 497 | static void __put_seccomp_filter(struct seccomp_filter *orig) |
e2cfabdf | 498 | { |
e2cfabdf WD |
499 | /* Clean up single-reference branches iteratively. */ |
500 | while (orig && atomic_dec_and_test(&orig->usage)) { | |
501 | struct seccomp_filter *freeme = orig; | |
502 | orig = orig->prev; | |
c8bee430 | 503 | seccomp_filter_free(freeme); |
e2cfabdf WD |
504 | } |
505 | } | |
bb6ea430 | 506 | |
236de4e6 ON |
507 | /* put_seccomp_filter - decrements the ref count of tsk->seccomp.filter */ |
508 | void put_seccomp_filter(struct task_struct *tsk) | |
509 | { | |
510 | __put_seccomp_filter(tsk->seccomp.filter); | |
511 | } | |
512 | ||
bb6ea430 WD |
513 | /** |
514 | * seccomp_send_sigsys - signals the task to allow in-process syscall emulation | |
515 | * @syscall: syscall number to send to userland | |
516 | * @reason: filter-supplied reason code to send to userland (via si_errno) | |
517 | * | |
518 | * Forces a SIGSYS with a code of SYS_SECCOMP and related sigsys info. | |
519 | */ | |
520 | static void seccomp_send_sigsys(int syscall, int reason) | |
521 | { | |
522 | struct siginfo info; | |
523 | memset(&info, 0, sizeof(info)); | |
524 | info.si_signo = SIGSYS; | |
525 | info.si_code = SYS_SECCOMP; | |
526 | info.si_call_addr = (void __user *)KSTK_EIP(current); | |
527 | info.si_errno = reason; | |
5e937a9a | 528 | info.si_arch = syscall_get_arch(); |
bb6ea430 WD |
529 | info.si_syscall = syscall; |
530 | force_sig_info(SIGSYS, &info, current); | |
531 | } | |
e2cfabdf | 532 | #endif /* CONFIG_SECCOMP_FILTER */ |
1da177e4 | 533 | |
c8a22a5f TH |
534 | /* For use with seccomp_actions_logged */ |
535 | #define SECCOMP_LOG_KILL (1 << 0) | |
536 | #define SECCOMP_LOG_TRAP (1 << 2) | |
537 | #define SECCOMP_LOG_ERRNO (1 << 3) | |
538 | #define SECCOMP_LOG_TRACE (1 << 4) | |
539 | #define SECCOMP_LOG_ALLOW (1 << 5) | |
540 | ||
541 | static u32 seccomp_actions_logged = SECCOMP_LOG_KILL | SECCOMP_LOG_TRAP | | |
542 | SECCOMP_LOG_ERRNO | SECCOMP_LOG_TRACE; | |
543 | ||
85438171 TH |
544 | static inline void seccomp_log(unsigned long syscall, long signr, u32 action, |
545 | bool requested) | |
c8a22a5f TH |
546 | { |
547 | bool log = false; | |
548 | ||
549 | switch (action) { | |
550 | case SECCOMP_RET_ALLOW: | |
85438171 | 551 | break; |
c8a22a5f | 552 | case SECCOMP_RET_TRAP: |
85438171 TH |
553 | log = requested && seccomp_actions_logged & SECCOMP_LOG_TRAP; |
554 | break; | |
c8a22a5f | 555 | case SECCOMP_RET_ERRNO: |
85438171 TH |
556 | log = requested && seccomp_actions_logged & SECCOMP_LOG_ERRNO; |
557 | break; | |
c8a22a5f | 558 | case SECCOMP_RET_TRACE: |
85438171 | 559 | log = requested && seccomp_actions_logged & SECCOMP_LOG_TRACE; |
c8a22a5f TH |
560 | break; |
561 | case SECCOMP_RET_KILL: | |
562 | default: | |
563 | log = seccomp_actions_logged & SECCOMP_LOG_KILL; | |
564 | } | |
565 | ||
566 | /* | |
85438171 TH |
567 | * Force an audit message to be emitted when the action is RET_KILL or |
568 | * the FILTER_FLAG_LOG bit was set and the action is allowed to be | |
569 | * logged by the admin. | |
c8a22a5f TH |
570 | */ |
571 | if (log) | |
572 | return __audit_seccomp(syscall, signr, action); | |
573 | ||
574 | /* | |
575 | * Let the audit subsystem decide if the action should be audited based | |
576 | * on whether the current task itself is being audited. | |
577 | */ | |
578 | return audit_seccomp(syscall, signr, action); | |
579 | } | |
580 | ||
1da177e4 LT |
581 | /* |
582 | * Secure computing mode 1 allows only read/write/exit/sigreturn. | |
583 | * To be fully secure this must be combined with rlimit | |
584 | * to limit the stack allocations too. | |
585 | */ | |
586 | static int mode1_syscalls[] = { | |
587 | __NR_seccomp_read, __NR_seccomp_write, __NR_seccomp_exit, __NR_seccomp_sigreturn, | |
588 | 0, /* null terminated */ | |
589 | }; | |
590 | ||
5b101740 | 591 | #ifdef CONFIG_COMPAT |
1da177e4 LT |
592 | static int mode1_syscalls_32[] = { |
593 | __NR_seccomp_read_32, __NR_seccomp_write_32, __NR_seccomp_exit_32, __NR_seccomp_sigreturn_32, | |
594 | 0, /* null terminated */ | |
595 | }; | |
596 | #endif | |
597 | ||
a4412fc9 | 598 | static void __secure_computing_strict(int this_syscall) |
1da177e4 | 599 | { |
a4412fc9 AL |
600 | int *syscall_whitelist = mode1_syscalls; |
601 | #ifdef CONFIG_COMPAT | |
602 | if (is_compat_task()) | |
603 | syscall_whitelist = mode1_syscalls_32; | |
604 | #endif | |
605 | do { | |
606 | if (*syscall_whitelist == this_syscall) | |
607 | return; | |
608 | } while (*++syscall_whitelist); | |
609 | ||
610 | #ifdef SECCOMP_DEBUG | |
611 | dump_stack(); | |
612 | #endif | |
85438171 | 613 | seccomp_log(this_syscall, SIGKILL, SECCOMP_RET_KILL, true); |
a4412fc9 AL |
614 | do_exit(SIGKILL); |
615 | } | |
616 | ||
617 | #ifndef CONFIG_HAVE_ARCH_SECCOMP_FILTER | |
618 | void secure_computing_strict(int this_syscall) | |
619 | { | |
620 | int mode = current->seccomp.mode; | |
621 | ||
13c4a901 TA |
622 | if (config_enabled(CONFIG_CHECKPOINT_RESTORE) && |
623 | unlikely(current->ptrace & PT_SUSPEND_SECCOMP)) | |
624 | return; | |
625 | ||
221272f9 | 626 | if (mode == SECCOMP_MODE_DISABLED) |
a4412fc9 AL |
627 | return; |
628 | else if (mode == SECCOMP_MODE_STRICT) | |
629 | __secure_computing_strict(this_syscall); | |
630 | else | |
631 | BUG(); | |
632 | } | |
633 | #else | |
634 | int __secure_computing(void) | |
635 | { | |
d39bd00d | 636 | u32 phase1_result = seccomp_phase1(NULL); |
13aa72f0 AL |
637 | |
638 | if (likely(phase1_result == SECCOMP_PHASE1_OK)) | |
639 | return 0; | |
640 | else if (likely(phase1_result == SECCOMP_PHASE1_SKIP)) | |
641 | return -1; | |
642 | else | |
643 | return seccomp_phase2(phase1_result); | |
644 | } | |
645 | ||
646 | #ifdef CONFIG_SECCOMP_FILTER | |
d39bd00d | 647 | static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd) |
13aa72f0 AL |
648 | { |
649 | u32 filter_ret, action; | |
806b8085 | 650 | struct seccomp_filter *match = NULL; |
13aa72f0 | 651 | int data; |
1da177e4 | 652 | |
3ba2530c KC |
653 | /* |
654 | * Make sure that any changes to mode from another thread have | |
655 | * been seen after TIF_SECCOMP was seen. | |
656 | */ | |
657 | rmb(); | |
658 | ||
806b8085 | 659 | filter_ret = seccomp_run_filters(sd, &match); |
13aa72f0 AL |
660 | data = filter_ret & SECCOMP_RET_DATA; |
661 | action = filter_ret & SECCOMP_RET_ACTION; | |
662 | ||
663 | switch (action) { | |
664 | case SECCOMP_RET_ERRNO: | |
580c57f1 KC |
665 | /* Set low-order bits as an errno, capped at MAX_ERRNO. */ |
666 | if (data > MAX_ERRNO) | |
667 | data = MAX_ERRNO; | |
d39bd00d | 668 | syscall_set_return_value(current, task_pt_regs(current), |
13aa72f0 AL |
669 | -data, 0); |
670 | goto skip; | |
671 | ||
672 | case SECCOMP_RET_TRAP: | |
673 | /* Show the handler the original registers. */ | |
d39bd00d | 674 | syscall_rollback(current, task_pt_regs(current)); |
13aa72f0 AL |
675 | /* Let the filter pass back 16 bits of data. */ |
676 | seccomp_send_sigsys(this_syscall, data); | |
677 | goto skip; | |
678 | ||
679 | case SECCOMP_RET_TRACE: | |
680 | return filter_ret; /* Save the rest for phase 2. */ | |
681 | ||
682 | case SECCOMP_RET_ALLOW: | |
806b8085 KC |
683 | /* |
684 | * Note that the "match" filter will always be NULL for | |
685 | * this action since SECCOMP_RET_ALLOW is the starting | |
686 | * state in seccomp_run_filters(). | |
687 | */ | |
13aa72f0 AL |
688 | return SECCOMP_PHASE1_OK; |
689 | ||
690 | case SECCOMP_RET_KILL: | |
691 | default: | |
85438171 | 692 | seccomp_log(this_syscall, SIGSYS, action, true); |
13aa72f0 AL |
693 | do_exit(SIGSYS); |
694 | } | |
695 | ||
696 | unreachable(); | |
697 | ||
698 | skip: | |
85438171 | 699 | seccomp_log(this_syscall, 0, action, match ? match->log : false); |
13aa72f0 AL |
700 | return SECCOMP_PHASE1_SKIP; |
701 | } | |
1da177e4 | 702 | #endif |
13aa72f0 AL |
703 | |
704 | /** | |
705 | * seccomp_phase1() - run fast path seccomp checks on the current syscall | |
d39bd00d | 706 | * @arg sd: The seccomp_data or NULL |
13aa72f0 AL |
707 | * |
708 | * This only reads pt_regs via the syscall_xyz helpers. The only change | |
709 | * it will make to pt_regs is via syscall_set_return_value, and it will | |
710 | * only do that if it returns SECCOMP_PHASE1_SKIP. | |
711 | * | |
d39bd00d AL |
712 | * If sd is provided, it will not read pt_regs at all. |
713 | * | |
13aa72f0 AL |
714 | * It may also call do_exit or force a signal; these actions must be |
715 | * safe. | |
716 | * | |
717 | * If it returns SECCOMP_PHASE1_OK, the syscall passes checks and should | |
718 | * be processed normally. | |
719 | * | |
720 | * If it returns SECCOMP_PHASE1_SKIP, then the syscall should not be | |
721 | * invoked. In this case, seccomp_phase1 will have set the return value | |
722 | * using syscall_set_return_value. | |
723 | * | |
724 | * If it returns anything else, then the return value should be passed | |
725 | * to seccomp_phase2 from a context in which ptrace hooks are safe. | |
726 | */ | |
d39bd00d | 727 | u32 seccomp_phase1(struct seccomp_data *sd) |
13aa72f0 AL |
728 | { |
729 | int mode = current->seccomp.mode; | |
d39bd00d AL |
730 | int this_syscall = sd ? sd->nr : |
731 | syscall_get_nr(current, task_pt_regs(current)); | |
13aa72f0 | 732 | |
13c4a901 TA |
733 | if (config_enabled(CONFIG_CHECKPOINT_RESTORE) && |
734 | unlikely(current->ptrace & PT_SUSPEND_SECCOMP)) | |
735 | return SECCOMP_PHASE1_OK; | |
736 | ||
13aa72f0 | 737 | switch (mode) { |
e2cfabdf | 738 | case SECCOMP_MODE_STRICT: |
13aa72f0 AL |
739 | __secure_computing_strict(this_syscall); /* may call do_exit */ |
740 | return SECCOMP_PHASE1_OK; | |
e2cfabdf | 741 | #ifdef CONFIG_SECCOMP_FILTER |
13aa72f0 | 742 | case SECCOMP_MODE_FILTER: |
d39bd00d | 743 | return __seccomp_phase1_filter(this_syscall, sd); |
e2cfabdf | 744 | #endif |
1da177e4 LT |
745 | default: |
746 | BUG(); | |
747 | } | |
13aa72f0 | 748 | } |
1da177e4 | 749 | |
13aa72f0 AL |
750 | /** |
751 | * seccomp_phase2() - finish slow path seccomp work for the current syscall | |
752 | * @phase1_result: The return value from seccomp_phase1() | |
753 | * | |
754 | * This must be called from a context in which ptrace hooks can be used. | |
755 | * | |
756 | * Returns 0 if the syscall should be processed or -1 to skip the syscall. | |
757 | */ | |
758 | int seccomp_phase2(u32 phase1_result) | |
759 | { | |
760 | struct pt_regs *regs = task_pt_regs(current); | |
761 | u32 action = phase1_result & SECCOMP_RET_ACTION; | |
762 | int data = phase1_result & SECCOMP_RET_DATA; | |
763 | ||
764 | BUG_ON(action != SECCOMP_RET_TRACE); | |
765 | ||
85438171 TH |
766 | /* We don't have access to the filter that was matched in the phase1 |
767 | * stage in order to know if logging was requested when the filter was | |
768 | * loaded. Logging for SECCOMP_RET_TRACE isn't particularly useful so | |
769 | * hard-coding the _requested_ parameter of seccomp_log() to 'false' | |
770 | * will suffice for this backport. | |
771 | */ | |
772 | seccomp_log(syscall_get_nr(current, regs), 0, action, false); | |
13aa72f0 AL |
773 | |
774 | /* Skip these calls if there is no tracer. */ | |
775 | if (!ptrace_event_enabled(current, PTRACE_EVENT_SECCOMP)) { | |
776 | syscall_set_return_value(current, regs, | |
777 | -ENOSYS, 0); | |
778 | return -1; | |
779 | } | |
780 | ||
781 | /* Allow the BPF to provide the event message */ | |
782 | ptrace_event(PTRACE_EVENT_SECCOMP, data); | |
783 | /* | |
784 | * The delivery of a fatal signal during event | |
785 | * notification may silently skip tracer notification. | |
786 | * Terminating the task now avoids executing a system | |
787 | * call that may not be intended. | |
788 | */ | |
789 | if (fatal_signal_pending(current)) | |
790 | do_exit(SIGSYS); | |
791 | if (syscall_get_nr(current, regs) < 0) | |
792 | return -1; /* Explicit request to skip. */ | |
793 | ||
794 | return 0; | |
1da177e4 | 795 | } |
a4412fc9 | 796 | #endif /* CONFIG_HAVE_ARCH_SECCOMP_FILTER */ |
1d9d02fe AA |
797 | |
798 | long prctl_get_seccomp(void) | |
799 | { | |
800 | return current->seccomp.mode; | |
801 | } | |
802 | ||
e2cfabdf | 803 | /** |
3b23dd12 | 804 | * seccomp_set_mode_strict: internal function for setting strict seccomp |
e2cfabdf WD |
805 | * |
806 | * Once current->seccomp.mode is non-zero, it may not be changed. | |
807 | * | |
808 | * Returns 0 on success or -EINVAL on failure. | |
809 | */ | |
3b23dd12 | 810 | static long seccomp_set_mode_strict(void) |
1d9d02fe | 811 | { |
3b23dd12 | 812 | const unsigned long seccomp_mode = SECCOMP_MODE_STRICT; |
e2cfabdf | 813 | long ret = -EINVAL; |
1d9d02fe | 814 | |
dbd95212 KC |
815 | spin_lock_irq(¤t->sighand->siglock); |
816 | ||
1f41b450 | 817 | if (!seccomp_may_assign_mode(seccomp_mode)) |
1d9d02fe AA |
818 | goto out; |
819 | ||
cf99abac | 820 | #ifdef TIF_NOTSC |
3b23dd12 | 821 | disable_TSC(); |
cf99abac | 822 | #endif |
3ba2530c | 823 | seccomp_assign_mode(current, seccomp_mode); |
3b23dd12 KC |
824 | ret = 0; |
825 | ||
826 | out: | |
dbd95212 | 827 | spin_unlock_irq(¤t->sighand->siglock); |
3b23dd12 KC |
828 | |
829 | return ret; | |
830 | } | |
831 | ||
e2cfabdf | 832 | #ifdef CONFIG_SECCOMP_FILTER |
3b23dd12 KC |
833 | /** |
834 | * seccomp_set_mode_filter: internal function for setting seccomp filter | |
48dc92b9 | 835 | * @flags: flags to change filter behavior |
3b23dd12 KC |
836 | * @filter: struct sock_fprog containing filter |
837 | * | |
838 | * This function may be called repeatedly to install additional filters. | |
839 | * Every filter successfully installed will be evaluated (in reverse order) | |
840 | * for each system call the task makes. | |
841 | * | |
842 | * Once current->seccomp.mode is non-zero, it may not be changed. | |
843 | * | |
844 | * Returns 0 on success or -EINVAL on failure. | |
845 | */ | |
48dc92b9 KC |
846 | static long seccomp_set_mode_filter(unsigned int flags, |
847 | const char __user *filter) | |
3b23dd12 KC |
848 | { |
849 | const unsigned long seccomp_mode = SECCOMP_MODE_FILTER; | |
c8bee430 | 850 | struct seccomp_filter *prepared = NULL; |
3b23dd12 KC |
851 | long ret = -EINVAL; |
852 | ||
48dc92b9 | 853 | /* Validate flags. */ |
c2e1f2e3 | 854 | if (flags & ~SECCOMP_FILTER_FLAG_MASK) |
dbd95212 | 855 | return -EINVAL; |
48dc92b9 | 856 | |
c8bee430 KC |
857 | /* Prepare the new filter before holding any locks. */ |
858 | prepared = seccomp_prepare_user_filter(filter); | |
859 | if (IS_ERR(prepared)) | |
860 | return PTR_ERR(prepared); | |
861 | ||
c2e1f2e3 KC |
862 | /* |
863 | * Make sure we cannot change seccomp or nnp state via TSYNC | |
864 | * while another thread is in the middle of calling exec. | |
865 | */ | |
866 | if (flags & SECCOMP_FILTER_FLAG_TSYNC && | |
867 | mutex_lock_killable(¤t->signal->cred_guard_mutex)) | |
868 | goto out_free; | |
869 | ||
dbd95212 KC |
870 | spin_lock_irq(¤t->sighand->siglock); |
871 | ||
3b23dd12 KC |
872 | if (!seccomp_may_assign_mode(seccomp_mode)) |
873 | goto out; | |
874 | ||
c8bee430 | 875 | ret = seccomp_attach_filter(flags, prepared); |
3b23dd12 | 876 | if (ret) |
e2cfabdf | 877 | goto out; |
c8bee430 KC |
878 | /* Do not free the successfully attached filter. */ |
879 | prepared = NULL; | |
1d9d02fe | 880 | |
3ba2530c | 881 | seccomp_assign_mode(current, seccomp_mode); |
e2cfabdf | 882 | out: |
dbd95212 | 883 | spin_unlock_irq(¤t->sighand->siglock); |
c2e1f2e3 KC |
884 | if (flags & SECCOMP_FILTER_FLAG_TSYNC) |
885 | mutex_unlock(¤t->signal->cred_guard_mutex); | |
886 | out_free: | |
c8bee430 | 887 | seccomp_filter_free(prepared); |
1d9d02fe AA |
888 | return ret; |
889 | } | |
3b23dd12 | 890 | #else |
48dc92b9 KC |
891 | static inline long seccomp_set_mode_filter(unsigned int flags, |
892 | const char __user *filter) | |
3b23dd12 KC |
893 | { |
894 | return -EINVAL; | |
895 | } | |
896 | #endif | |
d78ab02c | 897 | |
4ae31a2f TH |
898 | static long seccomp_get_action_avail(const char __user *uaction) |
899 | { | |
900 | u32 action; | |
901 | ||
902 | if (copy_from_user(&action, uaction, sizeof(action))) | |
903 | return -EFAULT; | |
904 | ||
905 | switch (action) { | |
906 | case SECCOMP_RET_KILL: | |
907 | case SECCOMP_RET_TRAP: | |
908 | case SECCOMP_RET_ERRNO: | |
909 | case SECCOMP_RET_TRACE: | |
910 | case SECCOMP_RET_ALLOW: | |
911 | break; | |
912 | default: | |
913 | return -EOPNOTSUPP; | |
914 | } | |
915 | ||
916 | return 0; | |
917 | } | |
918 | ||
48dc92b9 KC |
919 | /* Common entry point for both prctl and syscall. */ |
920 | static long do_seccomp(unsigned int op, unsigned int flags, | |
921 | const char __user *uargs) | |
922 | { | |
923 | switch (op) { | |
924 | case SECCOMP_SET_MODE_STRICT: | |
925 | if (flags != 0 || uargs != NULL) | |
926 | return -EINVAL; | |
927 | return seccomp_set_mode_strict(); | |
928 | case SECCOMP_SET_MODE_FILTER: | |
929 | return seccomp_set_mode_filter(flags, uargs); | |
4ae31a2f TH |
930 | case SECCOMP_GET_ACTION_AVAIL: |
931 | if (flags != 0) | |
932 | return -EINVAL; | |
933 | ||
934 | return seccomp_get_action_avail(uargs); | |
48dc92b9 KC |
935 | default: |
936 | return -EINVAL; | |
937 | } | |
938 | } | |
939 | ||
940 | SYSCALL_DEFINE3(seccomp, unsigned int, op, unsigned int, flags, | |
941 | const char __user *, uargs) | |
942 | { | |
943 | return do_seccomp(op, flags, uargs); | |
944 | } | |
945 | ||
d78ab02c KC |
946 | /** |
947 | * prctl_set_seccomp: configures current->seccomp.mode | |
948 | * @seccomp_mode: requested mode to use | |
949 | * @filter: optional struct sock_fprog for use with SECCOMP_MODE_FILTER | |
950 | * | |
951 | * Returns 0 on success or -EINVAL on failure. | |
952 | */ | |
953 | long prctl_set_seccomp(unsigned long seccomp_mode, char __user *filter) | |
954 | { | |
48dc92b9 KC |
955 | unsigned int op; |
956 | char __user *uargs; | |
957 | ||
3b23dd12 KC |
958 | switch (seccomp_mode) { |
959 | case SECCOMP_MODE_STRICT: | |
48dc92b9 KC |
960 | op = SECCOMP_SET_MODE_STRICT; |
961 | /* | |
962 | * Setting strict mode through prctl always ignored filter, | |
963 | * so make sure it is always NULL here to pass the internal | |
964 | * check in do_seccomp(). | |
965 | */ | |
966 | uargs = NULL; | |
967 | break; | |
3b23dd12 | 968 | case SECCOMP_MODE_FILTER: |
48dc92b9 KC |
969 | op = SECCOMP_SET_MODE_FILTER; |
970 | uargs = filter; | |
971 | break; | |
3b23dd12 KC |
972 | default: |
973 | return -EINVAL; | |
974 | } | |
48dc92b9 KC |
975 | |
976 | /* prctl interface doesn't have flags, so they are always zero. */ | |
977 | return do_seccomp(op, 0, uargs); | |
d78ab02c | 978 | } |
f8e529ed TA |
979 | |
980 | #if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE) | |
981 | long seccomp_get_filter(struct task_struct *task, unsigned long filter_off, | |
982 | void __user *data) | |
983 | { | |
984 | struct seccomp_filter *filter; | |
985 | struct sock_fprog_kern *fprog; | |
986 | long ret; | |
987 | unsigned long count = 0; | |
988 | ||
989 | if (!capable(CAP_SYS_ADMIN) || | |
990 | current->seccomp.mode != SECCOMP_MODE_DISABLED) { | |
991 | return -EACCES; | |
992 | } | |
993 | ||
994 | spin_lock_irq(&task->sighand->siglock); | |
995 | if (task->seccomp.mode != SECCOMP_MODE_FILTER) { | |
996 | ret = -EINVAL; | |
997 | goto out; | |
998 | } | |
999 | ||
1000 | filter = task->seccomp.filter; | |
1001 | while (filter) { | |
1002 | filter = filter->prev; | |
1003 | count++; | |
1004 | } | |
1005 | ||
1006 | if (filter_off >= count) { | |
1007 | ret = -ENOENT; | |
1008 | goto out; | |
1009 | } | |
1010 | count -= filter_off; | |
1011 | ||
1012 | filter = task->seccomp.filter; | |
1013 | while (filter && count > 1) { | |
1014 | filter = filter->prev; | |
1015 | count--; | |
1016 | } | |
1017 | ||
1018 | if (WARN_ON(count != 1 || !filter)) { | |
1019 | /* The filter tree shouldn't shrink while we're using it. */ | |
1020 | ret = -ENOENT; | |
1021 | goto out; | |
1022 | } | |
1023 | ||
1024 | fprog = filter->prog->orig_prog; | |
1025 | if (!fprog) { | |
1026 | /* This must be a new non-cBPF filter, since we save every | |
1027 | * every cBPF filter's orig_prog above when | |
1028 | * CONFIG_CHECKPOINT_RESTORE is enabled. | |
1029 | */ | |
1030 | ret = -EMEDIUMTYPE; | |
1031 | goto out; | |
1032 | } | |
1033 | ||
1034 | ret = fprog->len; | |
1035 | if (!data) | |
1036 | goto out; | |
1037 | ||
236de4e6 | 1038 | __get_seccomp_filter(filter); |
f8e529ed TA |
1039 | spin_unlock_irq(&task->sighand->siglock); |
1040 | ||
1041 | if (copy_to_user(data, fprog->filter, bpf_classic_proglen(fprog))) | |
1042 | ret = -EFAULT; | |
1043 | ||
236de4e6 | 1044 | __put_seccomp_filter(filter); |
f8e529ed TA |
1045 | return ret; |
1046 | ||
1047 | out: | |
1048 | spin_unlock_irq(&task->sighand->siglock); | |
1049 | return ret; | |
1050 | } | |
1051 | #endif | |
aac883e7 TH |
1052 | |
1053 | #ifdef CONFIG_SYSCTL | |
1054 | ||
1055 | /* Human readable action names for friendly sysctl interaction */ | |
1056 | #define SECCOMP_RET_KILL_NAME "kill" | |
1057 | #define SECCOMP_RET_TRAP_NAME "trap" | |
1058 | #define SECCOMP_RET_ERRNO_NAME "errno" | |
1059 | #define SECCOMP_RET_TRACE_NAME "trace" | |
1060 | #define SECCOMP_RET_ALLOW_NAME "allow" | |
1061 | ||
1062 | static const char seccomp_actions_avail[] = SECCOMP_RET_KILL_NAME " " | |
1063 | SECCOMP_RET_TRAP_NAME " " | |
1064 | SECCOMP_RET_ERRNO_NAME " " | |
1065 | SECCOMP_RET_TRACE_NAME " " | |
1066 | SECCOMP_RET_ALLOW_NAME; | |
1067 | ||
c8a22a5f TH |
1068 | struct seccomp_log_name { |
1069 | u32 log; | |
1070 | const char *name; | |
1071 | }; | |
1072 | ||
1073 | static const struct seccomp_log_name seccomp_log_names[] = { | |
1074 | { SECCOMP_LOG_KILL, SECCOMP_RET_KILL_NAME }, | |
1075 | { SECCOMP_LOG_TRAP, SECCOMP_RET_TRAP_NAME }, | |
1076 | { SECCOMP_LOG_ERRNO, SECCOMP_RET_ERRNO_NAME }, | |
1077 | { SECCOMP_LOG_TRACE, SECCOMP_RET_TRACE_NAME }, | |
1078 | { SECCOMP_LOG_ALLOW, SECCOMP_RET_ALLOW_NAME }, | |
1079 | { } | |
1080 | }; | |
1081 | ||
1082 | static bool seccomp_names_from_actions_logged(char *names, size_t size, | |
1083 | u32 actions_logged) | |
1084 | { | |
1085 | const struct seccomp_log_name *cur; | |
1086 | bool append_space = false; | |
1087 | ||
1088 | for (cur = seccomp_log_names; cur->name && size; cur++) { | |
1089 | ssize_t ret; | |
1090 | ||
1091 | if (!(actions_logged & cur->log)) | |
1092 | continue; | |
1093 | ||
1094 | if (append_space) { | |
1095 | ret = strscpy(names, " ", size); | |
1096 | if (ret < 0) | |
1097 | return false; | |
1098 | ||
1099 | names += ret; | |
1100 | size -= ret; | |
1101 | } else | |
1102 | append_space = true; | |
1103 | ||
1104 | ret = strscpy(names, cur->name, size); | |
1105 | if (ret < 0) | |
1106 | return false; | |
1107 | ||
1108 | names += ret; | |
1109 | size -= ret; | |
1110 | } | |
1111 | ||
1112 | return true; | |
1113 | } | |
1114 | ||
1115 | static bool seccomp_action_logged_from_name(u32 *action_logged, | |
1116 | const char *name) | |
1117 | { | |
1118 | const struct seccomp_log_name *cur; | |
1119 | ||
1120 | for (cur = seccomp_log_names; cur->name; cur++) { | |
1121 | if (!strcmp(cur->name, name)) { | |
1122 | *action_logged = cur->log; | |
1123 | return true; | |
1124 | } | |
1125 | } | |
1126 | ||
1127 | return false; | |
1128 | } | |
1129 | ||
1130 | static bool seccomp_actions_logged_from_names(u32 *actions_logged, char *names) | |
1131 | { | |
1132 | char *name; | |
1133 | ||
1134 | *actions_logged = 0; | |
1135 | while ((name = strsep(&names, " ")) && *name) { | |
1136 | u32 action_logged = 0; | |
1137 | ||
1138 | if (!seccomp_action_logged_from_name(&action_logged, name)) | |
1139 | return false; | |
1140 | ||
1141 | *actions_logged |= action_logged; | |
1142 | } | |
1143 | ||
1144 | return true; | |
1145 | } | |
1146 | ||
1147 | static int seccomp_actions_logged_handler(struct ctl_table *ro_table, int write, | |
1148 | void __user *buffer, size_t *lenp, | |
1149 | loff_t *ppos) | |
1150 | { | |
1151 | char names[sizeof(seccomp_actions_avail)]; | |
1152 | struct ctl_table table; | |
1153 | int ret; | |
1154 | ||
1155 | if (write && !capable(CAP_SYS_ADMIN)) | |
1156 | return -EPERM; | |
1157 | ||
1158 | memset(names, 0, sizeof(names)); | |
1159 | ||
1160 | if (!write) { | |
1161 | if (!seccomp_names_from_actions_logged(names, sizeof(names), | |
1162 | seccomp_actions_logged)) | |
1163 | return -EINVAL; | |
1164 | } | |
1165 | ||
1166 | table = *ro_table; | |
1167 | table.data = names; | |
1168 | table.maxlen = sizeof(names); | |
1169 | ret = proc_dostring(&table, write, buffer, lenp, ppos); | |
1170 | if (ret) | |
1171 | return ret; | |
1172 | ||
1173 | if (write) { | |
1174 | u32 actions_logged; | |
1175 | ||
1176 | if (!seccomp_actions_logged_from_names(&actions_logged, | |
1177 | table.data)) | |
1178 | return -EINVAL; | |
1179 | ||
1180 | if (actions_logged & SECCOMP_LOG_ALLOW) | |
1181 | return -EINVAL; | |
1182 | ||
1183 | seccomp_actions_logged = actions_logged; | |
1184 | } | |
1185 | ||
1186 | return 0; | |
1187 | } | |
1188 | ||
aac883e7 TH |
1189 | static struct ctl_path seccomp_sysctl_path[] = { |
1190 | { .procname = "kernel", }, | |
1191 | { .procname = "seccomp", }, | |
1192 | { } | |
1193 | }; | |
1194 | ||
1195 | static struct ctl_table seccomp_sysctl_table[] = { | |
1196 | { | |
1197 | .procname = "actions_avail", | |
1198 | .data = (void *) &seccomp_actions_avail, | |
1199 | .maxlen = sizeof(seccomp_actions_avail), | |
1200 | .mode = 0444, | |
1201 | .proc_handler = proc_dostring, | |
1202 | }, | |
c8a22a5f TH |
1203 | { |
1204 | .procname = "actions_logged", | |
1205 | .mode = 0644, | |
1206 | .proc_handler = seccomp_actions_logged_handler, | |
1207 | }, | |
aac883e7 TH |
1208 | { } |
1209 | }; | |
1210 | ||
1211 | static int __init seccomp_sysctl_init(void) | |
1212 | { | |
1213 | struct ctl_table_header *hdr; | |
1214 | ||
1215 | hdr = register_sysctl_paths(seccomp_sysctl_path, seccomp_sysctl_table); | |
1216 | if (!hdr) | |
1217 | pr_warn("seccomp: sysctl registration failed\n"); | |
1218 | else | |
1219 | kmemleak_not_leak(hdr); | |
1220 | ||
1221 | return 0; | |
1222 | } | |
1223 | ||
1224 | device_initcall(seccomp_sysctl_init) | |
1225 | ||
1226 | #endif /* CONFIG_SYSCTL */ |