mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-12-27 20:25:09 +07:00
51891498f2
The restriction introduced in 7a0df7fbc1
("seccomp: Make NEW_LISTENER and
TSYNC flags exclusive") is mostly artificial: there is enough information
in a seccomp user notification to tell which thread triggered a
notification. The reason it was introduced is because TSYNC makes the
syscall return a thread-id on failure, and NEW_LISTENER returns an fd, and
there's no way to distinguish between these two cases (well, I suppose the
caller could check all fds it has, then do the syscall, and if the return
value was an fd that already existed, then it must be a thread id, but
bleh).
Matthew would like to use these two flags together in the Chrome sandbox
which wants to use TSYNC for video drivers and NEW_LISTENER to proxy
syscalls.
So, let's fix this ugliness by adding another flag, TSYNC_ESRCH, which
tells the kernel to just return -ESRCH on a TSYNC error. This way,
NEW_LISTENER (and any subsequent seccomp() commands that want to return
positive values) don't conflict with each other.
Suggested-by: Matthew Denton <mpdenton@google.com>
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Link: https://lore.kernel.org/r/20200304180517.23867-1-tycho@tycho.ws
Signed-off-by: Kees Cook <keescook@chromium.org>
128 lines
4.9 KiB
C
128 lines
4.9 KiB
C
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
|
|
#ifndef _UAPI_LINUX_SECCOMP_H
|
|
#define _UAPI_LINUX_SECCOMP_H
|
|
|
|
#include <linux/compiler.h>
|
|
#include <linux/types.h>
|
|
|
|
|
|
/* Valid values for seccomp.mode and prctl(PR_SET_SECCOMP, <mode>) */
|
|
#define SECCOMP_MODE_DISABLED 0 /* seccomp is not in use. */
|
|
#define SECCOMP_MODE_STRICT 1 /* uses hard-coded filter. */
|
|
#define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */
|
|
|
|
/* Valid operations for seccomp syscall. */
|
|
#define SECCOMP_SET_MODE_STRICT 0
|
|
#define SECCOMP_SET_MODE_FILTER 1
|
|
#define SECCOMP_GET_ACTION_AVAIL 2
|
|
#define SECCOMP_GET_NOTIF_SIZES 3
|
|
|
|
/* Valid flags for SECCOMP_SET_MODE_FILTER */
|
|
#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0)
|
|
#define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
|
|
#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
|
|
#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
|
|
#define SECCOMP_FILTER_FLAG_TSYNC_ESRCH (1UL << 4)
|
|
|
|
/*
|
|
* All BPF programs must return a 32-bit value.
|
|
* The bottom 16-bits are for optional return data.
|
|
* The upper 16-bits are ordered from least permissive values to most,
|
|
* as a signed value (so 0x8000000 is negative).
|
|
*
|
|
* The ordering ensures that a min_t() over composed return values always
|
|
* selects the least permissive choice.
|
|
*/
|
|
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* kill the process */
|
|
#define SECCOMP_RET_KILL_THREAD 0x00000000U /* kill the thread */
|
|
#define SECCOMP_RET_KILL SECCOMP_RET_KILL_THREAD
|
|
#define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
|
|
#define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */
|
|
#define SECCOMP_RET_USER_NOTIF 0x7fc00000U /* notifies userspace */
|
|
#define SECCOMP_RET_TRACE 0x7ff00000U /* pass to a tracer or disallow */
|
|
#define SECCOMP_RET_LOG 0x7ffc0000U /* allow after logging */
|
|
#define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
|
|
|
|
/* Masks for the return value sections. */
|
|
#define SECCOMP_RET_ACTION_FULL 0xffff0000U
|
|
#define SECCOMP_RET_ACTION 0x7fff0000U
|
|
#define SECCOMP_RET_DATA 0x0000ffffU
|
|
|
|
/**
|
|
* struct seccomp_data - the format the BPF program executes over.
|
|
* @nr: the system call number
|
|
* @arch: indicates system call convention as an AUDIT_ARCH_* value
|
|
* as defined in <linux/audit.h>.
|
|
* @instruction_pointer: at the time of the system call.
|
|
* @args: up to 6 system call arguments always stored as 64-bit values
|
|
* regardless of the architecture.
|
|
*/
|
|
struct seccomp_data {
|
|
int nr;
|
|
__u32 arch;
|
|
__u64 instruction_pointer;
|
|
__u64 args[6];
|
|
};
|
|
|
|
struct seccomp_notif_sizes {
|
|
__u16 seccomp_notif;
|
|
__u16 seccomp_notif_resp;
|
|
__u16 seccomp_data;
|
|
};
|
|
|
|
struct seccomp_notif {
|
|
__u64 id;
|
|
__u32 pid;
|
|
__u32 flags;
|
|
struct seccomp_data data;
|
|
};
|
|
|
|
/*
|
|
* Valid flags for struct seccomp_notif_resp
|
|
*
|
|
* Note, the SECCOMP_USER_NOTIF_FLAG_CONTINUE flag must be used with caution!
|
|
* If set by the process supervising the syscalls of another process the
|
|
* syscall will continue. This is problematic because of an inherent TOCTOU.
|
|
* An attacker can exploit the time while the supervised process is waiting on
|
|
* a response from the supervising process to rewrite syscall arguments which
|
|
* are passed as pointers of the intercepted syscall.
|
|
* It should be absolutely clear that this means that the seccomp notifier
|
|
* _cannot_ be used to implement a security policy! It should only ever be used
|
|
* in scenarios where a more privileged process supervises the syscalls of a
|
|
* lesser privileged process to get around kernel-enforced security
|
|
* restrictions when the privileged process deems this safe. In other words,
|
|
* in order to continue a syscall the supervising process should be sure that
|
|
* another security mechanism or the kernel itself will sufficiently block
|
|
* syscalls if arguments are rewritten to something unsafe.
|
|
*
|
|
* Similar precautions should be applied when stacking SECCOMP_RET_USER_NOTIF
|
|
* or SECCOMP_RET_TRACE. For SECCOMP_RET_USER_NOTIF filters acting on the
|
|
* same syscall, the most recently added filter takes precedence. This means
|
|
* that the new SECCOMP_RET_USER_NOTIF filter can override any
|
|
* SECCOMP_IOCTL_NOTIF_SEND from earlier filters, essentially allowing all
|
|
* such filtered syscalls to be executed by sending the response
|
|
* SECCOMP_USER_NOTIF_FLAG_CONTINUE. Note that SECCOMP_RET_TRACE can equally
|
|
* be overriden by SECCOMP_USER_NOTIF_FLAG_CONTINUE.
|
|
*/
|
|
#define SECCOMP_USER_NOTIF_FLAG_CONTINUE (1UL << 0)
|
|
|
|
struct seccomp_notif_resp {
|
|
__u64 id;
|
|
__s64 val;
|
|
__s32 error;
|
|
__u32 flags;
|
|
};
|
|
|
|
#define SECCOMP_IOC_MAGIC '!'
|
|
#define SECCOMP_IO(nr) _IO(SECCOMP_IOC_MAGIC, nr)
|
|
#define SECCOMP_IOR(nr, type) _IOR(SECCOMP_IOC_MAGIC, nr, type)
|
|
#define SECCOMP_IOW(nr, type) _IOW(SECCOMP_IOC_MAGIC, nr, type)
|
|
#define SECCOMP_IOWR(nr, type) _IOWR(SECCOMP_IOC_MAGIC, nr, type)
|
|
|
|
/* Flags for seccomp notification fd ioctl. */
|
|
#define SECCOMP_IOCTL_NOTIF_RECV SECCOMP_IOWR(0, struct seccomp_notif)
|
|
#define SECCOMP_IOCTL_NOTIF_SEND SECCOMP_IOWR(1, \
|
|
struct seccomp_notif_resp)
|
|
#define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOR(2, __u64)
|
|
#endif /* _UAPI_LINUX_SECCOMP_H */
|