#
69fe8ec4 |
|
28-Feb-2024 |
Jakub Kicinski <kuba@kernel.org> |
selftests: kselftest_harness: save full exit code in metadata Instead of tracking passed = 0/1 rename the field to exit_code and invert the values so that they match the KSFT_* exit codes. This will allow us to fold SKIP / XFAIL into the same value. Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
8e3c9f9f |
|
24-Jan-2024 |
Terry Tritton <terry.tritton@linaro.org> |
selftests/seccomp: user_notification_addfd check nextfd is available Currently the user_notification_addfd test checks what the next expected file descriptor will be by incrementing a variable nextfd. This does not account for file descriptors that may already be open before the test is started and will cause the test to fail if any exist. Replace nextfd++ with a function get_next_fd which will check and return the next available file descriptor. Signed-off-by: Terry Tritton <terry.tritton@linaro.org> Link: https://lore.kernel.org/r/20240124141357.1243457-4-terry.tritton@linaro.org Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
471dbc54 |
|
24-Jan-2024 |
Terry Tritton <terry.tritton@linaro.org> |
selftests/seccomp: Change the syscall used in KILL_THREAD test The Bionic version of pthread_create used on Android calls the prctl function to give the stack and thread local storage a useful name. This will cause the KILL_THREAD test to fail as it will kill the thread as soon as it is created. Change the test to use getpid instead of prctl. Signed-off-by: Terry Tritton <terry.tritton@linaro.org> Link: https://lore.kernel.org/r/20240124141357.1243457-3-terry.tritton@linaro.org Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
ecaaa55c |
|
24-Jan-2024 |
Terry Tritton <terry.tritton@linaro.org> |
selftests/seccomp: Handle EINVAL on unshare(CLONE_NEWPID) unshare(CLONE_NEWPID) can return EINVAL if the kernel does not have the CONFIG_PID_NS option enabled. Add a check on these calls to skip the test if we receive EINVAL. Signed-off-by: Terry Tritton <terry.tritton@linaro.org> Link: https://lore.kernel.org/r/20240124141357.1243457-2-terry.tritton@linaro.org Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
fbc5d382 |
|
02-Aug-2023 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Handle arm32 corner cases better It turns out arm32 doesn't handle syscall -1 gracefully, so skip testing for that. Additionally skip tests that depend on clone3 when it is not available (for example when building the seccomp selftests on an old arm image without clone3 headers). And improve error reporting for when nanosleep fails, as seen on arm32 since v5.15. Cc: Lecopzer Chen <lecopzer.chen@mediatek.com> Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
8feae5ad |
|
08-Mar-2023 |
Andrei Vagin <avagin@google.com> |
selftest/seccomp: add a new test for the sync mode of seccomp_user_notify Test output: # RUN global.user_notification_sync ... # OK global.user_notification_sync ok 51 global.user_notification_sync Signed-off-by: Andrei Vagin <avagin@google.com> Acked-by: "Peter Zijlstra (Intel)" <peterz@infradead.org> Link: https://lore.kernel.org/r/20230308073201.3102738-6-avagin@google.com Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
eb4071b9 |
|
25-Feb-2023 |
Huacai Chen <chenhuacai@kernel.org> |
selftests/seccomp: Add LoongArch selftesting support BPF for LoongArch is supported now, add the selftesting support in seccomp_bpf.c. Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
|
#
be6c50d3 |
|
11-Jan-2023 |
Michael Schmitz <schmitzmic@gmail.com> |
selftests/seccomp: Add m68k support Add m68k seccomp definitions to seccomp_bpf self test code. Tested on ARAnyM. Signed-off-by: Michael Schmitz <schmitzmic@gmail.com> Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org> Link: https://lore.kernel.org/r/20230112035529.13521-4-schmitzmic@gmail.com Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
|
#
fc1e3980 |
|
31-Jul-2022 |
Gautam Menghani <gautammenghani201@gmail.com> |
selftests/seccomp: Check CAP_SYS_ADMIN capability in the test mode_filter_without_nnp In the "mode_filter_without_nnp" test in seccomp_bpf, there is currently a TODO which asks to check the capability CAP_SYS_ADMIN instead of euid. This patch adds support to check if the calling process has the flag CAP_SYS_ADMIN, and also if this flag has CAP_EFFECTIVE set. Signed-off-by: Gautam Menghani <gautammenghani201@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20220731092529.28760-1-gautammenghani201@gmail.com
|
#
3ce4b78f |
|
26-May-2022 |
YiFei Zhu <zhuyifei@google.com> |
selftests/seccomp: Fix compile warning when CC=clang clang has -Wconstant-conversion by default, and the constant 0xAAAAAAAAA (9 As) being converted to an int, which is generally 32 bits, results in the compile warning: clang -Wl,-no-as-needed -Wall -isystem ../../../../usr/include/ -lpthread seccomp_bpf.c -lcap -o seccomp_bpf seccomp_bpf.c:812:67: warning: implicit conversion from 'long' to 'int' changes value from 45812984490 to -1431655766 [-Wconstant-conversion] int kill = kill_how == KILL_PROCESS ? SECCOMP_RET_KILL_PROCESS : 0xAAAAAAAAA; ~~~~ ^~~~~~~~~~~ 1 warning generated. -1431655766 is the expected truncation, 0xAAAAAAAA (8 As), so use this directly in the code to avoid the warning. Fixes: 3932fcecd962 ("selftests/seccomp: Add test for unknown SECCOMP_RET kill behavior") Signed-off-by: YiFei Zhu <zhuyifei@google.com> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20220526223407.1686936-1-zhuyifei@google.com
|
#
5e91d2a4 |
|
04-May-2022 |
Colin Ian King <colin.king@intel.com> |
selftests/seccomp: Fix spelling mistake "Coud" -> "Could" There is a spelling mistake in an error message. Fix it. Signed-off-by: Colin Ian King <colin.i.king@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20220504155535.239180-1-colin.i.king@gmail.com
|
#
3b96a9c5 |
|
03-May-2022 |
Sargun Dhillon <sargun@sargun.me> |
selftests/seccomp: Add test for wait killable notifier This verifies that if a filter is set up with the wait killable feature that it obeys the semantics that non-fatal signals are ignored during a notification after the notification is received. Cases tested: * Non-fatal signal prior to receive * Non-fatal signal during receive * Fatal signal after receive The normal signal handling is tested in user_notification_signal. That behaviour remains unchanged. On an unsupported kernel, these tests will immediately bail as it relies on a new seccomp flag. Signed-off-by: Sargun Dhillon <sargun@sargun.me> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20220503080958.20220-4-sargun@sargun.me
|
#
922a1b52 |
|
03-May-2022 |
Sargun Dhillon <sargun@sargun.me> |
selftests/seccomp: Refactor get_proc_stat to split out file reading code This splits up the get_proc_stat function to make it so we can use it as a generic helper to read the nth field from multiple different files, versus replicating the logic in multiple places. Signed-off-by: Sargun Dhillon <sargun@sargun.me> Cc: linux-kselftest@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20220503080958.20220-3-sargun@sargun.me
|
#
662340ef |
|
27-Apr-2022 |
Sargun Dhillon <sargun@sargun.me> |
selftests/seccomp: Ensure that notifications come in FIFO order When multiple notifications are waiting, ensure they show up in order, as defined by the (predictable) seccomp notification ID. This ensures FIFO ordering of notification delivery as notification ids are monotonic and decided when the notification is generated (as opposed to received). Signed-off-by: Sargun Dhillon <sargun@sargun.me> Cc: linux-kselftest@vger.kernel.org Acked-by: Tycho Andersen <tycho@tycho.pizza> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20220428015447.13661-2-sargun@sargun.me
|
#
95a126d9 |
|
29-Mar-2022 |
Yang Guang <yang.guang5@zte.com.cn> |
selftests/seccomp: Add SKIP for failed unshare() Running the seccomp tests under the kernel with "defconfig" shouldn't fail. Because the CONFIG_USER_NS is not supported in "defconfig". Skipping this case instead of failing it is better. Signed-off-by: Yang Guang <yang.guang5@zte.com.cn> Signed-off-by: David Yang <davidcomponentone@gmail.com> Reviewed-by: Shuah Khan <skhan@linuxfoundation.org> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/7f7687696a5c0a2d040a24474616e945c7cf2bb5.1648599460.git.yang.guang5@zte.com.cn
|
#
d250a3e4 |
|
18-Mar-2022 |
Jann Horn <jannh@google.com> |
selftests/seccomp: Test PTRACE_O_SUSPEND_SECCOMP without CAP_SYS_ADMIN Add a test to check that PTRACE_O_SUSPEND_SECCOMP can't be set without CAP_SYS_ADMIN through PTRACE_SEIZE or PTRACE_SETOPTIONS. Signed-off-by: Jann Horn <jannh@google.com> Co-developed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
2bfed7d2 |
|
18-Mar-2022 |
Jann Horn <jannh@google.com> |
selftests/seccomp: Don't call read() on TTY from background pgrp Since commit 92d25637a3a4 ("kselftest: signal all child processes"), tests are executed in background process groups. This means that trying to read from stdin now throws SIGTTIN when stdin is a TTY, which breaks some seccomp selftests that try to use read(0, NULL, 0) as a dummy syscall. The simplest way to fix that is probably to just use -1 instead of 0 as the dummy read()'s FD. Fixes: 92d25637a3a4 ("kselftest: signal all child processes") Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20220319010011.1374622-1-jannh@google.com
|
#
1e6d69c7 |
|
03-Nov-2021 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Report event mismatches more clearly When running under tracer, more explicitly report the status and event mismatches to help with debugging. Additionally add an "immediate kill" test when under tracing to verify that fatal SIGSYS behaves the same under ptrace or seccomp tracing. Cc: Andy Lutomirski <luto@amacapital.net> Cc: Will Drewry <wad@chromium.org> Cc: linux-kselftest@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: "Eric W. Biederman" <ebiederm@xmission.com> Link: https://lore.kernel.org/r/20211103163039.2104830-3-keescook@chromium.org
|
#
48d5fd06 |
|
03-Nov-2021 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Stop USER_NOTIF test if kcmp() fails If kcmp() fails during the USER_NOTIF test, the test is likely to hang, so switch from EXPECT to ASSERT. Cc: Andy Lutomirski <luto@amacapital.net> Cc: Will Drewry <wad@chromium.org> Cc: linux-kselftest@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: "Eric W. Biederman" <ebiederm@xmission.com> Link: https://lore.kernel.org/r/20211103163039.2104830-2-keescook@chromium.org
|
#
3e7ed9ce |
|
25-Oct-2021 |
Ilya Leoshkevich <iii@linux.ibm.com> |
selftests/seccomp: Use __BYTE_ORDER__ Use the compiler-defined __BYTE_ORDER__ instead of the libc-defined __BYTE_ORDER for consistency. Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20211026010831.748682-6-iii@linux.ibm.com
|
#
93e720d7 |
|
26-May-2021 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: More closely track fds being assigned Since the open fds might not always start at "4" (especially when running under kselftest, etc), start counting from the first assigned fd, rather than using the more permissive EXPECT_GE(fd, 0). Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/lkml/20210527032948.3730953-1-keescook@chromium.org Reviewed-by: Rodrigo Campos <rodrigo@kinvolk.io> Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
|
#
e540ad97 |
|
17-May-2021 |
Rodrigo Campos <rodrigo@kinvolk.io> |
selftests/seccomp: Add test for atomic addfd+send This just adds a test to verify that when using the newly introduced flag to ADDFD, a valid fd is added and returned as the syscall result. Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io> Signed-off-by: Sargun Dhillon <sargun@sargun.me> Acked-by: Tycho Andersen <tycho@tycho.pizza> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20210517193908.3113-5-sargun@sargun.me
|
#
5665bc35 |
|
20-May-2021 |
Nicholas Piggin <npiggin@gmail.com> |
powerpc/64s/syscall: Use pt_regs.trap to distinguish syscall ABI difference between sc and scv syscalls The sc and scv 0 system calls have different ABI conventions, and ptracers need to know which system call type is being used if they want to look at the syscall registers. Document that pt_regs.trap can be used for this, and fix one in-tree user to work with scv 0 syscalls. Fixes: 7fa95f9adaee ("powerpc/64s: system call support for scv/rfscv instructions") Cc: stable@vger.kernel.org # v5.9+ Reported-by: "Dmitry V. Levin" <ldv@altlinux.org> Suggested-by: "Dmitry V. Levin" <ldv@altlinux.org> Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/20210520111931.2597127-1-npiggin@gmail.com
|
#
bfe3911a |
|
05-Feb-2021 |
Chris Wilson <chris@chris-wilson.co.uk> |
kcmp: Support selection of SYS_kcmp without CHECKPOINT_RESTORE Userspace has discovered the functionality offered by SYS_kcmp and has started to depend upon it. In particular, Mesa uses SYS_kcmp for os_same_file_description() in order to identify when two fd (e.g. device or dmabuf) point to the same struct file. Since they depend on it for core functionality, lift SYS_kcmp out of the non-default CONFIG_CHECKPOINT_RESTORE into the selectable syscall category. Rasmus Villemoes also pointed out that systemd uses SYS_kcmp to deduplicate the per-service file descriptor store. Note that some distributions such as Ubuntu are already enabling CHECKPOINT_RESTORE in their configs and so, by extension, SYS_kcmp. References: https://gitlab.freedesktop.org/drm/intel/-/issues/3046 Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Cc: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Will Drewry <wad@chromium.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Dave Airlie <airlied@gmail.com> Cc: Daniel Vetter <daniel@ffwll.ch> Cc: Lucas Stach <l.stach@pengutronix.de> Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk> Cc: Cyrill Gorcunov <gorcunov@gmail.com> Cc: stable@vger.kernel.org Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch> # DRM depends on kcmp Acked-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> # systemd uses kcmp Reviewed-by: Cyrill Gorcunov <gorcunov@gmail.com> Reviewed-by: Kees Cook <keescook@chromium.org> Acked-by: Thomas Zimmermann <tzimmermann@suse.de> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/20210205220012.1983-1-chris@chris-wilson.co.uk
|
#
e0c0840a |
|
28-Jan-2021 |
Seth Forshee <seth.forshee@canonical.com> |
selftests/seccomp: Accept any valid fd in user_notification_addfd This test expects fds to have specific values, which works fine when the test is run standalone. However, the kselftest runner consumes a couple of extra fds for redirection when running tests, so the test fails when run via kselftest. Change the test to pass on any valid fd number. Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Shuah Khan <skhan@linuxfoundation.org> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
|
#
4c222f31 |
|
17-Nov-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: sh: Fix register names It looks like the seccomp selftests was never actually built for sh. This fixes it, though I don't have an environment to do a runtime test of it yet. Fixes: 0bb605c2c7f2b4b3 ("sh: Add SECCOMP_FILTER") Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> Link: https://lore.kernel.org/lkml/a36d7b48-6598-1642-e403-0c77a86f416d@physik.fu-berlin.de Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
f5098e34 |
|
17-Nov-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: powerpc: Fix typo in macro variable name A typo sneaked into the powerpc selftest. Fix the name so it builds again. Fixes: 46138329faea ("selftests/seccomp: powerpc: Fix seccomp return value testing") Acked-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/lkml/87y2ix2895.fsf@mpe.ellerman.id.au Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
e953aeaa |
|
12-Sep-2020 |
Kees Cook <keescook@chromium.org> |
selftests/clone3: Avoid OS-defined clone_args As the UAPI headers start to appear in distros, we need to avoid outdated versions of struct clone_args to be able to test modern features, named "struct __clone_args". Additionally update the struct size macro names to match UAPI names. Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Link: https://lore.kernel.org/lkml/20200921075432.u4gis3s2o5qrsb5g@wittgenstein/ Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
a39caac0 |
|
11-Sep-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: powerpc: Set syscall return during ptrace syscall exit Some archs (like powerpc) only support changing the return code during syscall exit when ptrace is used. Test entry vs exit phases for which portions of the syscall number and return values need to be set at which different phases. For non-powerpc, all changes are made during ptrace syscall entry, as before. For powerpc, the syscall number is changed at ptrace syscall entry and the syscall return value is changed on ptrace syscall exit. Reported-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Suggested-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Link: https://lore.kernel.org/linux-kselftest/20200911181012.171027-1-cascardo@canonical.com/ Fixes: 58d0a862f573 ("seccomp: add tests for ptrace hole") Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Link: https://lore.kernel.org/lkml/20200921075300.7iylzof2w5vrutah@wittgenstein/ Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
bef71f86 |
|
19-Sep-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Allow syscall nr and ret value to be set separately In preparation for setting syscall nr and ret values separately, refactor the helpers to take a pointer to a value, so that a NULL can indicate "do not change this respective value". This is done to keep the regset read/write happening once and in one code path. Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Link: https://lore.kernel.org/lkml/20200921075031.j4gruygeugkp2zwd@wittgenstein/ Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
71c87fbe |
|
19-Sep-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Record syscall during ptrace entry In preparation for performing actions during ptrace syscall exit, save the syscall number during ptrace syscall entry. Some architectures do not have the syscall number available during ptrace syscall exit. Suggested-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Link: https://lore.kernel.org/linux-kselftest/20200911181012.171027-1-cascardo@canonical.com/ Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Link: https://lore.kernel.org/lkml/20200921074354.6shkt2e5yhzhj3sn@wittgenstein/ Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
46138329 |
|
12-Sep-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: powerpc: Fix seccomp return value testing On powerpc, the errno is not inverted, and depends on ccr.so being set. Add this to a powerpc definition of SYSCALL_RET_SET(). Co-developed-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Link: https://lore.kernel.org/linux-kselftest/20200911181012.171027-1-cascardo@canonical.com/ Fixes: 5d83c2b37d43 ("selftests/seccomp: Add powerpc support") Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/lkml/20200912110820.597135-13-keescook@chromium.org Reviewed-by: Michael Ellerman <mpe@ellerman.id.au>
|
#
f04cf78b |
|
12-Sep-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Remove SYSCALL_NUM_RET_SHARE_REG in favor of SYSCALL_RET_SET Instead of special-casing the specific case of shared registers, create a default SYSCALL_RET_SET() macro (mirroring SYSCALL_NUM_SET()), that writes to the SYSCALL_RET register. For architectures that can't set the return value (for whatever reason), they can define SYSCALL_RET_SET() without an associated SYSCALL_RET() macro. This also paves the way for architectures that need to do special things to set the return value (e.g. powerpc). Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/lkml/20200912110820.597135-12-keescook@chromium.org Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
|
#
e4e8e5d2 |
|
12-Sep-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Avoid redundant register flushes When none of the registers have changed, don't flush them back. This can happen if the architecture uses a non-register way to change the syscall (e.g. arm64), and a return value hasn't been written. Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/lkml/20200912110820.597135-11-keescook@chromium.org Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
|
#
dc2ad165 |
|
12-Sep-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Convert REGSET calls into ARCH_GETREG/ARCH_SETREG Consolidate the REGSET logic into the new ARCH_GETREG() and ARCH_SETREG() macros, avoiding more #ifdef code in function bodies. Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/lkml/20200912110820.597135-10-keescook@chromium.org Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
|
#
fdbaa798 |
|
12-Sep-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Convert HAVE_GETREG into ARCH_GETREG/ARCH_SETREG Instead of special-casing the get/set-registers routines, move the HAVE_GETREG logic into the new ARCH_GETREG() and ARCH_SETREG() macros. Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/lkml/20200912110820.597135-9-keescook@chromium.org Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
|
#
78f26627 |
|
12-Sep-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Remove syscall setting #ifdefs With all architectures now using the common SYSCALL_NUM_SET() macro, the arch-specific #ifdef can be removed from change_syscall() itself. Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/lkml/20200912110820.597135-8-keescook@chromium.org Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
|
#
37989de7 |
|
12-Sep-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: mips: Remove O32-specific macro Instead of having the mips O32 macro special-cased, pull the logic into the SYSCALL_NUM() macro. Additionally include the ABI headers, since these appear to have been missing, leaving __NR_O32_Linux undefined. Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/lkml/20200912110820.597135-7-keescook@chromium.org Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
|
#
0dd7d685 |
|
12-Sep-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: arm64: Define SYSCALL_NUM_SET macro Remove the arm64 special-case in change_syscall(). Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/lkml/20200912110820.597135-6-keescook@chromium.org Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
|
#
aa8fbb80 |
|
12-Sep-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: arm: Define SYSCALL_NUM_SET macro Remove the arm special-case in change_syscall(). Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/lkml/20200912110820.597135-5-keescook@chromium.org Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
|
#
a084a6cb |
|
12-Sep-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: mips: Define SYSCALL_NUM_SET macro Remove the mips special-case in change_syscall(). Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/lkml/20200912110820.597135-4-keescook@chromium.org Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
|
#
31c36eb8 |
|
12-Sep-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Provide generic syscall setting macro In order to avoid "#ifdef"s in the main function bodies, create a new macro, SYSCALL_NUM_SET(), where arch-specific logic can live. Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/lkml/20200912110820.597135-3-keescook@chromium.org Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
|
#
a6a4d784 |
|
12-Sep-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Refactor arch register macros to avoid xtensa special case To avoid an xtensa special-case, refactor all arch register macros to take the register variable instead of depending on the macro expanding as a struct member name. Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/lkml/20200912110820.597135-2-keescook@chromium.org Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
|
#
05b52c66 |
|
12-Sep-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Use __NR_mknodat instead of __NR_mknod The __NR_mknod syscall doesn't exist on arm64 (only __NR_mknodat). Switch to the modern syscall. Fixes: ad5682184a81 ("selftests/seccomp: Check for EPOLLHUP for user_notif") Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/lkml/20200912110820.597135-16-keescook@chromium.org Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
|
#
a2304288 |
|
14-Apr-2020 |
Zou Wei <zou_wei@huawei.com> |
selftests/seccomp: Use bitwise instead of arithmetic operator for flags This silences the following coccinelle warning: "WARNING: sum of probable bitmasks, consider |" tools/testing/selftests/seccomp/seccomp_bpf.c:3131:17-18: WARNING: sum of probable bitmasks, consider | tools/testing/selftests/seccomp/seccomp_bpf.c:3133:18-19: WARNING: sum of probable bitmasks, consider | tools/testing/selftests/seccomp/seccomp_bpf.c:3134:18-19: WARNING: sum of probable bitmasks, consider | tools/testing/selftests/seccomp/seccomp_bpf.c:3135:18-19: WARNING: sum of probable bitmasks, consider | Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace") Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Zou Wei <zou_wei@huawei.com> Link: https://lore.kernel.org/r/1586924101-65940-1-git-send-email-zou_wei@huawei.com Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
3932fcec |
|
08-Sep-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Add test for unknown SECCOMP_RET kill behavior While we were testing for the behavior of unknown seccomp filter return values, there was no test for how it acted in a thread group. Add a test in the thread group tests for this. Reviewed-by: Shuah Khan <skhan@linuxfoundation.org> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
0bb605c2 |
|
22-Jul-2020 |
Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de> |
sh: Add SECCOMP_FILTER Port sh to use the new SECCOMP_FILTER code. Signed-off-by: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de> Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> Signed-off-by: Rich Felker <dalias@libc.org>
|
#
e95a4f8c |
|
26-May-2020 |
Guo Ren <guoren@linux.alibaba.com> |
csky: Add SECCOMP_FILTER supported secure_computing() is called first in syscall_trace_enter() so that a system call will be aborted quickly without doing succeeding syscall tracing if seccomp rules want to deny that system call. TODO: - Update https://github.com/seccomp/libseccomp csky support Signed-off-by: Guo Ren <guoren@linux.alibaba.com> Cc: Arnd Bergmann <arnd@arndb.de>
|
#
768877be |
|
29-Nov-2019 |
Max Filippov <jcmvbkbc@gmail.com> |
selftests/seccomp: add xtensa support Xtensa syscall number can be obtained and changed through the struct user_pt_regs. Syscall return value register is fixed relatively to the current register window in the user_pt_regs, so it needs a bit of special treatment. Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
|
#
4c6614dc |
|
05-Jul-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Check ENOSYS under tracing There should be no difference between -1 and other negative syscalls while tracing. Cc: Andy Lutomirski <luto@amacapital.net> Cc: Will Drewry <wad@chromium.org> Cc: Will Deacon <will@kernel.org> Cc: Keno Fischer <keno@juliacomputing.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
|
#
0bf18a0c |
|
05-Jul-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Refactor to use fixture variants Now that the selftest harness has variants, use them to eliminate a bunch of copy/paste duplication. Cc: Andy Lutomirski <luto@amacapital.net> Cc: Will Drewry <wad@chromium.org> Cc: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
|
#
c97aedc5 |
|
02-Jun-2020 |
Sargun Dhillon <sargun@sargun.me> |
selftests/seccomp: Test SECCOMP_IOCTL_NOTIF_ADDFD Test whether we can add file descriptors in response to notifications. This injects the file descriptors via notifications, and then uses kcmp to determine whether or not it has been successful. It also includes some basic sanity checking for arguments. Signed-off-by: Sargun Dhillon <sargun@sargun.me> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Chris Palmer <palmer@google.com> Cc: Christian Brauner <christian.brauner@ubuntu.com> Cc: Jann Horn <jannh@google.com> Cc: Kees Cook <keescook@chromium.org> Cc: Robert Sesek <rsesek@google.com> Cc: Tycho Andersen <tycho@tycho.ws> Cc: Matt Denton <mpdenton@google.com> Cc: linux-fsdevel@vger.kernel.org Cc: linux-kernel@vger.kernel.org Link: https://lore.kernel.org/r/20200603011044.7972-5-sargun@sargun.me Co-developed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
11eb004e |
|
04-Jul-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Check ENOSYS under tracing There should be no difference between -1 and other negative syscalls while tracing. Cc: Keno Fischer <keno@juliacomputing.com> Tested-by: Will Deacon <will@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
adeeec84 |
|
04-Jul-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Refactor to use fixture variants Now that the selftest harness has variants, use them to eliminate a bunch of copy/paste duplication. Reviewed-by: Jakub Kicinski <kuba@kernel.org> Tested-by: Will Deacon <will@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
47e33c05 |
|
15-Jun-2020 |
Kees Cook <keescook@chromium.org> |
seccomp: Fix ioctl number for SECCOMP_IOCTL_NOTIF_ID_VALID When SECCOMP_IOCTL_NOTIF_ID_VALID was first introduced it had the wrong direction flag set. While this isn't a big deal as nothing currently enforces these bits in the kernel, it should be defined correctly. Fix the define and provide support for the old command until it is no longer needed for backward compatibility. Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace") Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
279ed890 |
|
11-Jun-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Rename user_trap_syscall() to user_notif_syscall() The user_trap_syscall() helper creates a filter with SECCOMP_RET_USER_NOTIF. To avoid confusion with SECCOMP_RET_TRAP, rename the helper to user_notif_syscall(). Cc: Andy Lutomirski <luto@amacapital.net> Cc: Will Drewry <wad@chromium.org> Cc: Shuah Khan <shuah@kernel.org> Cc: Alexei Starovoitov <ast@kernel.org> Cc: Daniel Borkmann <daniel@iogearbox.net> Cc: Martin KaFai Lau <kafai@fb.com> Cc: Song Liu <songliubraving@fb.com> Cc: Yonghong Song <yhs@fb.com> Cc: Andrii Nakryiko <andriin@fb.com> Cc: John Fastabend <john.fastabend@gmail.com> Cc: KP Singh <kpsingh@chromium.org> Cc: linux-kselftest@vger.kernel.org Cc: netdev@vger.kernel.org Cc: bpf@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
cf8918db |
|
11-Jun-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Make kcmp() less required The seccomp tests are a bit noisy without CONFIG_CHECKPOINT_RESTORE (due to missing the kcmp() syscall). The seccomp tests are more accurate with kcmp(), but it's not strictly required. Refactor the tests to use alternatives (comparing fd numbers), and provide a central test for kcmp() so there is a single SKIP instead of many. Continue to produce warnings for the other tests, though. Additionally adds some more bad flag EINVAL tests to the addfd selftest. Cc: Andy Lutomirski <luto@amacapital.net> Cc: Will Drewry <wad@chromium.org> Cc: Shuah Khan <shuah@kernel.org> Cc: Alexei Starovoitov <ast@kernel.org> Cc: Daniel Borkmann <daniel@iogearbox.net> Cc: Martin KaFai Lau <kafai@fb.com> Cc: Song Liu <songliubraving@fb.com> Cc: Yonghong Song <yhs@fb.com> Cc: Andrii Nakryiko <andriin@fb.com> Cc: John Fastabend <john.fastabend@gmail.com> Cc: KP Singh <kpsingh@chromium.org> Cc: linux-kselftest@vger.kernel.org Cc: netdev@vger.kernel.org Cc: bpf@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
d3a37ea9 |
|
01-Jun-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Expand benchmark to per-filter measurements It's useful to see how much (at a minimum) each filter adds to the syscall overhead. Add additional calculations. Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
ad568218 |
|
31-May-2020 |
Christian Brauner <christian.brauner@ubuntu.com> |
selftests/seccomp: Check for EPOLLHUP for user_notif This verifies we're correctly notified when a seccomp filter becomes unused when a notifier is in use. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> Link: https://lore.kernel.org/r/20200531115031.391515-4-christian.brauner@ubuntu.com Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
e4d05028 |
|
10-Jul-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Set NNP for TSYNC ESRCH flag test The TSYNC ESRCH flag test will fail for regular users because NNP was not set yet. Add NNP setting. Fixes: 51891498f2da ("seccomp: allow TSYNC and USER_NOTIF together") Cc: stable@vger.kernel.org Reviewed-by: Tycho Andersen <tycho@tycho.ws> Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
d7d2e5bb |
|
10-Jul-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Add SKIPs for failed unshare() Running the seccomp tests as a regular user shouldn't just fail tests that require CAP_SYS_ADMIN (for getting a PID namespace). Instead, detect those cases and SKIP them. Additionally, gracefully SKIP missing CONFIG_USER_NS (and add to "config" since we'd prefer to actually test this case). Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
8b1bc88c |
|
10-Jul-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Rename XFAIL to SKIP The kselftests will be renaming XFAIL to SKIP in the test harness, and to avoid painful conflicts, rename XFAIL to SKIP now in a future-proofed way. Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
9847d24a |
|
22-Jun-2020 |
Kees Cook <keescook@chromium.org> |
selftests/harness: Refactor XFAIL into SKIP Plumb the old XFAIL result into a TAP SKIP. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
|
#
4bae85b6 |
|
09-Mar-2020 |
Sven Schnelle <svens@linux.ibm.com> |
selftests/seccomp: s390 shares the syscall and return value register s390 cannot set syscall number and return code at the same time, so set the appropriate flag to indicate it. Signed-off-by: Sven Schnelle <svens@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
|
#
d42b8dbe |
|
08-Apr-2020 |
Thadeu Lima de Souza Cascardo <cascardo@canonical.com> |
selftests/seccomp: allow clock_nanosleep instead of nanosleep glibc 2.31 calls clock_nanosleep when its nanosleep function is used. So the restart_syscall fails after that. In order to deal with it, we trace clock_nanosleep and nanosleep. Then we check for either. This works just fine on systems with both glibc 2.30 and glibc 2.31, whereas it failed before on a system with glibc 2.31. Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
|
#
1ae81d78 |
|
11-Mar-2020 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Adjust test fixture counts The seccomp selftest reported the wrong test counts since it was using slightly the wrong API for defining test fixtures. Adjust the API usage. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
|
#
51891498 |
|
04-Mar-2020 |
Tycho Andersen <tycho@tycho.pizza> |
seccomp: allow TSYNC and USER_NOTIF together The restriction introduced in 7a0df7fbc145 ("seccomp: Make NEW_LISTENER and TSYNC flags exclusive") is mostly artificial: there is enough information in a seccomp user notification to tell which thread triggered a notification. The reason it was introduced is because TSYNC makes the syscall return a thread-id on failure, and NEW_LISTENER returns an fd, and there's no way to distinguish between these two cases (well, I suppose the caller could check all fds it has, then do the syscall, and if the return value was an fd that already existed, then it must be a thread id, but bleh). Matthew would like to use these two flags together in the Chrome sandbox which wants to use TSYNC for video drivers and NEW_LISTENER to proxy syscalls. So, let's fix this ugliness by adding another flag, TSYNC_ESRCH, which tells the kernel to just return -ESRCH on a TSYNC error. This way, NEW_LISTENER (and any subsequent seccomp() commands that want to return positive values) don't conflict with each other. Suggested-by: Matthew Denton <mpdenton@google.com> Signed-off-by: Tycho Andersen <tycho@tycho.ws> Link: https://lore.kernel.org/r/20200304180517.23867-1-tycho@tycho.ws Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
e4ab5ccc |
|
30-Dec-2019 |
Sargun Dhillon <sargun@sargun.me> |
selftests/seccomp: Catch garbage on SECCOMP_IOCTL_NOTIF_RECV This adds logic to the user_notification_basic test to set a member of struct seccomp_notif to an invalid value to ensure that the kernel returns EINVAL if any of the struct seccomp_notif members are set to invalid values. Signed-off-by: Sargun Dhillon <sargun@sargun.me> Suggested-by: Christian Brauner <christian.brauner@ubuntu.com> Link: https://lore.kernel.org/r/20191230203811.4996-1-sargun@sargun.me Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
88c13f8b |
|
28-Dec-2019 |
Sargun Dhillon <sargun@sargun.me> |
selftests/seccomp: Zero out seccomp_notif The seccomp_notif structure should be zeroed out prior to calling the SECCOMP_IOCTL_NOTIF_RECV ioctl. Previously, the kernel did not check whether these structures were zeroed out or not, so these worked. This patch zeroes out the seccomp_notif data structure prior to calling the ioctl. Signed-off-by: Sargun Dhillon <sargun@sargun.me> Reviewed-by: Tycho Andersen <tycho@tycho.ws> Reviewed-by: Christian Brauner <christian.brauner@ubuntu.com> Link: https://lore.kernel.org/r/20191229062451.9467-1-sargun@sargun.me Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
5340627e |
|
04-Oct-2019 |
David Abdurachmanov <david.abdurachmanov@sifive.com> |
riscv: add support for SECCOMP and SECCOMP_FILTER This patch was extensively tested on Fedora/RISCV (applied by default on top of 5.2-rc7 kernel for <2 months). The patch was also tested with 5.3-rc on QEMU and SiFive Unleashed board. libseccomp (userspace) was rebased: https://github.com/seccomp/libseccomp/pull/134 Fully passes libseccomp regression testing (simulation and live). There is one failing kernel selftest: global.user_notification_signal v1 -> v2: - return immediately if secure_computing(NULL) returns -1 - fixed whitespace issues - add missing seccomp.h - remove patch #2 (solved now) - add riscv to seccomp kernel selftest Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com> Cc: keescook@chromium.org Cc: me@carlosedp.com Tested-by: Carlos de Paula <me@carlosedp.com> Reviewed-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/linux-riscv/CAEn-LTp=ss0Dfv6J00=rCAy+N78U2AmhqJNjfqjr2FDpPYjxEQ@mail.gmail.com/ Link: https://lore.kernel.org/linux-riscv/CAJr-aD=UnCN9E_mdVJ2H5nt=6juRSWikZnA5HxDLQxXLbsRz-w@mail.gmail.com/ [paul.walmsley@sifive.com: cleaned up Cc: lines; fixed spelling and checkpatch issues; updated to apply] Signed-off-by: Paul Walmsley <paul.walmsley@sifive.com>
|
#
2aa8d8d0 |
|
21-Oct-2019 |
Christian Brauner <christian.brauner@ubuntu.com> |
seccomp: fix SECCOMP_USER_NOTIF_FLAG_CONTINUE test The ifndef for SECCOMP_USER_NOTIF_FLAG_CONTINUE was placed under the ifndef for the SECCOMP_FILTER_FLAG_NEW_LISTENER feature. This will not work on systems that do support SECCOMP_FILTER_FLAG_NEW_LISTENER but do not support SECCOMP_USER_NOTIF_FLAG_CONTINUE. So move the latter ifndef out of the former ifndef's scope. 2019-10-20 11:14:01 make run_tests -C seccomp make: Entering directory '/usr/src/perf_selftests-x86_64-rhel-7.6-0eebfed2954f152259cae0ad57b91d3ea92968e8/tools/testing/selftests/seccomp' gcc -Wl,-no-as-needed -Wall seccomp_bpf.c -lpthread -o seccomp_bpf seccomp_bpf.c: In function ‘user_notification_continue’: seccomp_bpf.c:3562:15: error: ‘SECCOMP_USER_NOTIF_FLAG_CONTINUE’ undeclared (first use in this function) resp.flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE; ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ seccomp_bpf.c:3562:15: note: each undeclared identifier is reported only once for each function it appears in Makefile:12: recipe for target 'seccomp_bpf' failed make: *** [seccomp_bpf] Error 1 make: Leaving directory '/usr/src/perf_selftests-x86_64-rhel-7.6-0eebfed2954f152259cae0ad57b91d3ea92968e8/tools/testing/selftests/seccomp' Reported-by: kernel test robot <rong.a.chen@intel.com> Fixes: 0eebfed2954f ("seccomp: test SECCOMP_USER_NOTIF_FLAG_CONTINUE") Cc: linux-kselftest@vger.kernel.org Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> Reviewed-by: Tycho Andersen <tycho@tycho.ws> Link: https://lore.kernel.org/r/20191021091055.4644-1-christian.brauner@ubuntu.com Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
0eebfed2 |
|
20-Sep-2019 |
Christian Brauner <christian.brauner@ubuntu.com> |
seccomp: test SECCOMP_USER_NOTIF_FLAG_CONTINUE Test whether a syscall can be performed after having been intercepted by the seccomp notifier. The test uses dup() and kcmp() since it allows us to nicely test whether the dup() syscall actually succeeded by comparing whether the fds refer to the same underlying struct file. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Will Drewry <wad@chromium.org> Cc: Shuah Khan <shuah@kernel.org> Cc: Alexei Starovoitov <ast@kernel.org> Cc: Daniel Borkmann <daniel@iogearbox.net> Cc: Martin KaFai Lau <kafai@fb.com> Cc: Song Liu <songliubraving@fb.com> Cc: Yonghong Song <yhs@fb.com> Cc: Tycho Andersen <tycho@tycho.ws> CC: Tyler Hicks <tyhicks@canonical.com> Cc: stable@vger.kernel.org Cc: linux-kselftest@vger.kernel.org Cc: netdev@vger.kernel.org Cc: bpf@vger.kernel.org Link: https://lore.kernel.org/r/20190920083007.11475-4-christian.brauner@ubuntu.com Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
223e660b |
|
20-Sep-2019 |
Christian Brauner <christian.brauner@ubuntu.com> |
seccomp: avoid overflow in implicit constant conversion USER_NOTIF_MAGIC is assigned to int variables in this test so set it to INT_MAX to avoid warnings: seccomp_bpf.c: In function ‘user_notification_continue’: seccomp_bpf.c:3088:26: warning: overflow in implicit constant conversion [-Woverflow] #define USER_NOTIF_MAGIC 116983961184613L ^ seccomp_bpf.c:3572:15: note: in expansion of macro ‘USER_NOTIF_MAGIC’ resp.error = USER_NOTIF_MAGIC; ^~~~~~~~~~~~~~~~ Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace") Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> Reviewed-by: Tyler Hicks <tyhicks@canonical.com> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Will Drewry <wad@chromium.org> Cc: Shuah Khan <shuah@kernel.org> Cc: Alexei Starovoitov <ast@kernel.org> Cc: Daniel Borkmann <daniel@iogearbox.net> Cc: Martin KaFai Lau <kafai@fb.com> Cc: Song Liu <songliubraving@fb.com> Cc: Yonghong Song <yhs@fb.com> Cc: Tycho Andersen <tycho@tycho.ws> Cc: stable@vger.kernel.org Cc: linux-kselftest@vger.kernel.org Cc: netdev@vger.kernel.org Cc: bpf@vger.kernel.org Reviewed-by: Tycho Andersen <tycho@tycho.ws> Link: https://lore.kernel.org/r/20190920083007.11475-3-christian.brauner@ubuntu.com Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
88282297 |
|
26-Aug-2019 |
Tycho Andersen <tycho@tycho.pizza> |
selftests/seccomp: fix build on older kernels The seccomp selftest goes to some length to build against older kernel headers, viz. all the #ifdefs at the beginning of the file. Commit 201766a20e30 ("ptrace: add PTRACE_GET_SYSCALL_INFO request") introduces some additional macros, but doesn't do the #ifdef dance. Let's add that dance here to avoid: gcc -Wl,-no-as-needed -Wall seccomp_bpf.c -lpthread -o seccomp_bpf In file included from seccomp_bpf.c:51: seccomp_bpf.c: In function ‘tracer_ptrace’: seccomp_bpf.c:1787:20: error: ‘PTRACE_EVENTMSG_SYSCALL_ENTRY’ undeclared (first use in this function); did you mean ‘PTRACE_EVENT_CLONE’? EXPECT_EQ(entry ? PTRACE_EVENTMSG_SYSCALL_ENTRY ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ../kselftest_harness.h:608:13: note: in definition of macro ‘__EXPECT’ __typeof__(_expected) __exp = (_expected); \ ^~~~~~~~~ seccomp_bpf.c:1787:2: note: in expansion of macro ‘EXPECT_EQ’ EXPECT_EQ(entry ? PTRACE_EVENTMSG_SYSCALL_ENTRY ^~~~~~~~~ seccomp_bpf.c:1787:20: note: each undeclared identifier is reported only once for each function it appears in EXPECT_EQ(entry ? PTRACE_EVENTMSG_SYSCALL_ENTRY ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ../kselftest_harness.h:608:13: note: in definition of macro ‘__EXPECT’ __typeof__(_expected) __exp = (_expected); \ ^~~~~~~~~ seccomp_bpf.c:1787:2: note: in expansion of macro ‘EXPECT_EQ’ EXPECT_EQ(entry ? PTRACE_EVENTMSG_SYSCALL_ENTRY ^~~~~~~~~ seccomp_bpf.c:1788:6: error: ‘PTRACE_EVENTMSG_SYSCALL_EXIT’ undeclared (first use in this function); did you mean ‘PTRACE_EVENT_EXIT’? : PTRACE_EVENTMSG_SYSCALL_EXIT, msg); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ ../kselftest_harness.h:608:13: note: in definition of macro ‘__EXPECT’ __typeof__(_expected) __exp = (_expected); \ ^~~~~~~~~ seccomp_bpf.c:1787:2: note: in expansion of macro ‘EXPECT_EQ’ EXPECT_EQ(entry ? 
PTRACE_EVENTMSG_SYSCALL_ENTRY ^~~~~~~~~ make: *** [Makefile:12: seccomp_bpf] Error 1 [skhan@linuxfoundation.org: Fix checkpatch error in commit log] Signed-off-by: Tycho Andersen <tycho@tycho.ws> Fixes: 201766a20e30 ("ptrace: add PTRACE_GET_SYSCALL_INFO request") Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
|
#
201766a2 |
|
16-Jul-2019 |
Elvira Khabirova <lineprinter@altlinux.org> |
ptrace: add PTRACE_GET_SYSCALL_INFO request PTRACE_GET_SYSCALL_INFO is a generic ptrace API that lets ptracer obtain details of the syscall the tracee is blocked in. There are two reasons for a special syscall-related ptrace request. Firstly, with the current ptrace API there are cases when ptracer cannot retrieve necessary information about syscalls. Some examples include: * The notorious int-0x80-from-64-bit-task issue. See [1] for details. In short, if a 64-bit task performs a syscall through int 0x80, its tracer has no reliable means to find out that the syscall was, in fact, a compat syscall, and misidentifies it. * Syscall-enter-stop and syscall-exit-stop look the same for the tracer. Common practice is to keep track of the sequence of ptrace-stops in order not to mix the two syscall-stops up. But it is not as simple as it looks; for example, strace had a (just recently fixed) long-standing bug where attaching strace to a tracee that is performing the execve system call led to the tracer identifying the following syscall-exit-stop as syscall-enter-stop, which messed up all the state tracking. * Since the introduction of commit 84d77d3f06e7 ("ptrace: Don't allow accessing an undumpable mm"), both PTRACE_PEEKDATA and process_vm_readv become unavailable when the process dumpable flag is cleared. On such architectures as ia64 this results in all syscall arguments being unavailable for the tracer. Secondly, ptracers also have to support a lot of arch-specific code for obtaining information about the tracee. For some architectures, this requires a ptrace(PTRACE_PEEKUSER, ...) invocation for every syscall argument and return value. ptrace(2) man page: long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data); ... PTRACE_GET_SYSCALL_INFO Retrieve information about the syscall that caused the stop. The information is placed into the buffer pointed by "data" argument, which should be a pointer to a buffer of type "struct ptrace_syscall_info". 
The "addr" argument contains the size of the buffer pointed to by "data" argument (i.e., sizeof(struct ptrace_syscall_info)). The return value contains the number of bytes available to be written by the kernel. If the size of data to be written by the kernel exceeds the size specified by "addr" argument, the output is truncated. [ldv@altlinux.org: selftests/seccomp/seccomp_bpf: update for PTRACE_GET_SYSCALL_INFO] Link: http://lkml.kernel.org/r/20190708182904.GA12332@altlinux.org Link: http://lkml.kernel.org/r/20190510152842.GF28558@altlinux.org Signed-off-by: Elvira Khabirova <lineprinter@altlinux.org> Co-developed-by: Dmitry V. Levin <ldv@altlinux.org> Signed-off-by: Dmitry V. Levin <ldv@altlinux.org> Reviewed-by: Oleg Nesterov <oleg@redhat.com> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: Andy Lutomirski <luto@kernel.org> Cc: Eugene Syromyatnikov <esyr@redhat.com> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Greentime Hu <greentime@andestech.com> Cc: Helge Deller <deller@gmx.de> [parisc] Cc: James E.J. Bottomley <jejb@parisc-linux.org> Cc: James Hogan <jhogan@kernel.org> Cc: kbuild test robot <lkp@intel.com> Cc: Michael Ellerman <mpe@ellerman.id.au> Cc: Paul Burton <paul.burton@mips.com> Cc: Paul Mackerras <paulus@samba.org> Cc: Ralf Baechle <ralf@linux-mips.org> Cc: Richard Kuo <rkuo@codeaurora.org> Cc: Shuah Khan <shuah@kernel.org> Cc: Vincent Chen <deanbo422@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
#
e500db3f |
|
04-Jun-2019 |
Thomas Gleixner <tglx@linutronix.de> |
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 481 Based on 1 normalized pattern(s): use of this source code is governed by the gplv2 license extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 2 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Enrico Weigelt <info@metux.net> Reviewed-by: Allison Randal <allison@lohutok.net> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081204.507272547@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
#
4ee07767 |
|
24-Apr-2019 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Prepare for exclusive seccomp flags Some seccomp flags will become exclusive, so the selftest needs to be adjusted to mask those out and test them individually for the "all flags" tests. Cc: stable@vger.kernel.org # v5.0+ Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Tycho Andersen <tycho@tycho.ws> Acked-by: James Morris <jamorris@linux.microsoft.com>
|
#
9dd3fcb0 |
|
11-Apr-2019 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Handle namespace failures gracefully When running without USERNS or PIDNS the seccomp test would hang since it was waiting forever for the child to trigger the user notification since it seems the glibc() abort handler makes a call to getpid(), which would trap again. This changes the getpid filter to getppid, and makes sure ASSERTs execute to stop from spawning the listener. Reported-by: Shuah Khan <shuah@kernel.org> Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace") Cc: stable@vger.kernel.org # > 5.0 Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Tycho Andersen <tycho@tycho.ws> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
|
#
ed492c2a |
|
27-Jan-2019 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Actually sleep for 1/10th second Clang noticed that some non-zero sleep()s were actually using zero anyway. This switches to nanosleep() to gain sub-second granularity. seccomp_bpf.c:2625:9: warning: implicit conversion from 'double' to 'unsigned int' changes value from 0.1 to 0 [-Wliteral-conversion] sleep(0.1); ~~~~~ ^~~ Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> Signed-off-by: Shuah Khan <shuah@kernel.org>
|
#
30d53a58 |
|
18-Jan-2019 |
Tycho Andersen <tycho@tycho.pizza> |
selftests: unshare userns in seccomp pidns testcases The pid ns cannot be unshare()d as an unprivileged user without owning the userns as well. Let's unshare the userns so that we can subsequently unshare the pidns. This also means that we don't need to set the no new privs bit as in the other test cases, since we're unsharing the userns. Signed-off-by: Tycho Andersen <tycho@tycho.ws> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <shuah@kernel.org>
|
#
c7140706 |
|
18-Jan-2019 |
Tycho Andersen <tycho@tycho.pizza> |
selftests: set NO_NEW_PRIVS bit in seccomp user tests seccomp() doesn't allow users who aren't root in their userns to attach filters unless they have the nnp bit set, so let's set it so that these tests can pass when run as an unprivileged user. This idea stolen from the other seccomp tests, which use this trick :) Signed-off-by: Tycho Andersen <tycho@tycho.ws> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <shuah@kernel.org>
|
#
3aa415dd |
|
18-Jan-2019 |
Tycho Andersen <tycho@tycho.pizza> |
selftests: skip seccomp get_metadata test if not real root The get_metadata() test requires real root, so let's skip it if we're not real root. Note that I used XFAIL here because that's what the test does later if CONFIG_CHECKPOINT_RESTORE happens to not be enabled. After looking at the code, there doesn't seem to be a nice way to skip tests defined as TEST(), since there's no return code (I tried exit(KSFT_SKIP), but that didn't work either...). So let's do it this way to be consistent, and easier to fix when someone comes along and fixes it. Signed-off-by: Tycho Andersen <tycho@tycho.ws> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <shuah@kernel.org>
|
#
0b54b443 |
|
18-Jan-2019 |
Tycho Andersen <tycho@tycho.pizza> |
selftests: fix typo in seccomp_bpf.c There used to be an explanation here because it could trigger lockdep previously, but now we're not doing recursive locking, so it really is just for grins. Signed-off-by: Tycho Andersen <tycho@tycho.ws> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <shuah@kernel.org>
|
#
fb024a07 |
|
18-Jan-2019 |
Tycho Andersen <tycho@tycho.pizza> |
selftests: don't kill child immediately in get_metadata() test This test forks a child, and then the parent waits for a write() to a pipe signalling the child is ready to be attached to. If something in the child ASSERTs before it does this write, the test will hang waiting for it. Instead, let's EXPECT, so that execution continues until we do the write. Any failure after that is fine and can ASSERT. Signed-off-by: Tycho Andersen <tycho@tycho.ws> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <shuah@kernel.org>
|
#
ed5f1326 |
|
25-Jan-2019 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Enhance per-arch ptrace syscall skip tests Passing EPERM during syscall skipping was confusing since the test wasn't actually exercising the errno evaluation -- it was just passing a literal "1" (EPERM). Instead, expand the tests to check both direct value returns (positive, 45000 in this case), and errno values (negative, -ESRCH in this case) to check both fake success and fake failure during syscall skipping. Reported-by: Colin Ian King <colin.king@canonical.com> Fixes: a33b2d0359a0 ("selftests/seccomp: Add tests for basic ptrace actions") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <shuah@kernel.org>
|
#
3d244c19 |
|
16-Jan-2019 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Abort without user notification support In the face of missing user notification support, the self test needs to stop executing a test (ASSERT_*) instead of just reporting and continuing (EXPECT_*). This adjusts the user notification tests to do that where needed. Reported-by: Shuah Khan <shuah@kernel.org> Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace") Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Tycho Andersen <tycho@tycho.ws> Tested-by: Shuah Khan <shuah@kernel.org> Signed-off-by: Shuah Khan <shuah@kernel.org>
|
#
2bd61abe |
|
06-Dec-2018 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Remove SIGSTOP si_pid check Commit f149b3155744 ("signal: Never allocate siginfo for SIGKILL or SIGSTOP") means that the seccomp selftest cannot check si_pid under SIGSTOP anymore. Since it's believed[1] there are no other userspace things depending on the old behavior, this removes the behavioral check in the selftest, since it's more an "extra" sanity check (which turns out, maybe, not to have been useful to test). [1] https://lkml.kernel.org/r/CAGXu5jJaZAOzP1qFz66tYrtbuywqb+UN2SOA1VLHpCCOiYvYeg@mail.gmail.com Reported-by: Tycho Andersen <tycho@tycho.ws> Suggested-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <shuah@kernel.org>
|
#
6a21cc50 |
|
09-Dec-2018 |
Tycho Andersen <tycho@tycho.pizza> |
seccomp: add a return code to trap to userspace This patch introduces a means for syscalls matched in seccomp to notify some other task that a particular filter has been triggered. The motivation for this is primarily for use with containers. For example, if a container does an init_module(), we obviously don't want to load this untrusted code, which may be compiled for the wrong version of the kernel anyway. Instead, we could parse the module image, figure out which module the container is trying to load and load it on the host. As another example, containers cannot mount() in general since various filesystems assume a trusted image. However, if an orchestrator knows that e.g. a particular block device has not been exposed to a container for writing, it wants to allow the container to mount that block device (that is, handle the mount for it). This patch adds functionality that is already possible via at least two other means that I know about, both of which involve ptrace(): first, one could ptrace attach, and then iterate through syscalls via PTRACE_SYSCALL. Unfortunately this is slow, so a faster version would be to install a filter that does SECCOMP_RET_TRACE, which triggers a PTRACE_EVENT_SECCOMP. Since ptrace allows only one tracer, if the container runtime is that tracer, users inside the container (or outside) trying to debug it will not be able to use ptrace, which is annoying. It also means that older distributions based on Upstart cannot boot inside containers using ptrace, since upstart itself uses ptrace to monitor services while starting. The actual implementation of this is fairly small, although getting the synchronization right was/is slightly complex. 
Finally, it's worth noting that the classic seccomp TOCTOU of reading memory data from the task still applies here, but can be avoided with careful design of the userspace handler: if the userspace handler reads all of the task memory that is necessary before applying its security policy, the tracee's subsequent memory edits will not be read by the tracer. Signed-off-by: Tycho Andersen <tycho@tycho.ws> CC: Kees Cook <keescook@chromium.org> CC: Andy Lutomirski <luto@amacapital.net> CC: Oleg Nesterov <oleg@redhat.com> CC: Eric W. Biederman <ebiederm@xmission.com> CC: "Serge E. Hallyn" <serge@hallyn.com> Acked-by: Serge Hallyn <serge@hallyn.com> CC: Christian Brauner <christian@brauner.io> CC: Tyler Hicks <tyhicks@canonical.com> CC: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
00a02d0c |
|
03-May-2018 |
Kees Cook <keescook@chromium.org> |
seccomp: Add filter flag to opt-out of SSB mitigation If a seccomp user is not interested in Speculative Store Bypass mitigation by default, it can set the new SECCOMP_FILTER_FLAG_SPEC_ALLOW flag when adding filters. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
#
6c3b6d50 |
|
15-Mar-2018 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Allow get_metadata to XFAIL Since seccomp_get_metadata() depends on CHECKPOINT_RESTORE, XFAIL the test if the ptrace reports it as missing. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Tycho Andersen <tycho@tycho.ws> Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
|
#
d057dc4e |
|
20-Feb-2018 |
Tycho Andersen <tycho@tycho.pizza> |
seccomp: add a selftest for get_metadata Let's test that we get the flags correctly, and that we preserve the filter index across the ptrace(PTRACE_SECCOMP_GET_METADATA) correctly. Signed-off-by: Tycho Andersen <tycho@tycho.ws> CC: Kees Cook <keescook@chromium.org> Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
912ec316 |
|
05-Jan-2018 |
Anders Roxell <anders.roxell@linaro.org> |
selftests: seccomp: fix compile error seccomp_bpf aarch64-linux-gnu-gcc -Wl,-no-as-needed -Wall -lpthread seccomp_bpf.c -o seccomp_bpf seccomp_bpf.c: In function 'tracer_ptrace': seccomp_bpf.c:1720:12: error: '__NR_open' undeclared (first use in this function) if (nr == __NR_open) ^~~~~~~~~ seccomp_bpf.c:1720:12: note: each undeclared identifier is reported only once for each function it appears in In file included from seccomp_bpf.c:48:0: seccomp_bpf.c: In function 'TRACE_syscall_ptrace_syscall_dropped': seccomp_bpf.c:1795:39: error: '__NR_open' undeclared (first use in this function) EXPECT_SYSCALL_RETURN(EPERM, syscall(__NR_open)); ^ open(2) is a legacy syscall, replaced with openat(2) since 2.6.16. Thus new architectures in the kernel, such as arm64, don't implement these legacy syscalls. Fixes: a33b2d0359a0 ("selftests/seccomp: Add tests for basic ptrace actions") Signed-off-by: Anders Roxell <anders.roxell@linaro.org> Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org> Cc: stable@vger.kernel.org Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
|
#
10859f38 |
|
07-Sep-2017 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Support glibc 2.26 siginfo_t.h The 2.26 release of glibc changed how siginfo_t is defined, and the earlier work-around of using the kernel definition is no longer needed. The old way needs to stay around for a while, though. Reported-by: Seth Forshee <seth.forshee@canonical.com> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Will Drewry <wad@chromium.org> Cc: Shuah Khan <shuah@kernel.org> Cc: linux-kselftest@vger.kernel.org Cc: stable@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Tested-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
|
#
369130b6 |
|
06-Aug-2017 |
Mickaël Salaün <mic@digikod.net> |
selftests: Enhance kselftest_harness.h to print which assert failed When a test process is not able to write to TH_LOG_STREAM, this step mechanism enables printing the assert number which triggered the failure. This can be enabled by setting _metadata->no_print to true at the beginning of the test sequence. Update the seccomp-bpf test to return 0 if a test succeeded. This feature is needed for the Landlock tests. Signed-off-by: Mickaël Salaün <mic@digikod.net> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Kees Cook <keescook@chromium.org> Cc: Shuah Khan <shuah@kernel.org> Cc: Will Drewry <wad@chromium.org> Link: https://lkml.kernel.org/r/CAGXu5j+D-FP8Kt9unNOqKrQJP4DYTpmgkJxWykZyrYiVPz3Y3Q@mail.gmail.com Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
|
#
f3e1821d |
|
11-Aug-2017 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Test thread vs process killing This verifies that SECCOMP_RET_KILL_PROCESS is higher priority than SECCOMP_RET_KILL_THREAD. (This also moves a bunch of defines up earlier in the file to use them earlier.) Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
|
#
fd76875c |
|
11-Aug-2017 |
Kees Cook <keescook@chromium.org> |
seccomp: Rename SECCOMP_RET_KILL to SECCOMP_RET_KILL_THREAD In preparation for adding SECCOMP_RET_KILL_PROCESS, rename SECCOMP_RET_KILL to the more accurate SECCOMP_RET_KILL_THREAD. The existing selftest values are intentionally left as SECCOMP_RET_KILL just to be sure we're exercising the alias. Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
59f5cf44 |
|
10-Aug-2017 |
Tyler Hicks <tyhicks@canonical.com> |
seccomp: Action to log before allowing

Add a new action, SECCOMP_RET_LOG, that logs a syscall before allowing the syscall. At the implementation level, this action is identical to the existing SECCOMP_RET_ALLOW action. However, it can be very useful when initially developing a seccomp filter for an application. The developer can set the default action to be SECCOMP_RET_LOG, maybe mark any obviously needed syscalls with SECCOMP_RET_ALLOW, and then put the application through its paces. A list of syscalls that triggered the default action (SECCOMP_RET_LOG) can be easily gleaned from the logs and that list can be used to build the syscall whitelist. Finally, the developer can change the default action to the desired value.

This provides a more friendly experience than seeing the application get killed, then updating the filter and rebuilding the app, seeing the application get killed due to a different syscall, then updating the filter and rebuilding the app, etc.

The functionality is similar to what's supported by the various LSMs. SELinux has permissive mode, AppArmor has complain mode, SMACK has bring-up mode, etc.

SECCOMP_RET_LOG is given a lower value than SECCOMP_RET_ALLOW as allow while logging is slightly more restrictive than quietly allowing.

Unfortunately, the tests added for SECCOMP_RET_LOG are not capable of inspecting the audit log to verify that the syscall was logged.

With this patch, the logic for deciding if an action will be logged is:

    if action == RET_ALLOW:
      do not log
    else if action == RET_KILL && RET_KILL in actions_logged:
      log
    else if action == RET_LOG && RET_LOG in actions_logged:
      log
    else if filter-requests-logging && action in actions_logged:
      log
    else if audit_enabled && process-is-being-audited:
      log
    else:
      do not log

Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
e66a3997 |
|
10-Aug-2017 |
Tyler Hicks <tyhicks@canonical.com> |
seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW

Add a new filter flag, SECCOMP_FILTER_FLAG_LOG, that enables logging for all actions except for SECCOMP_RET_ALLOW for the given filter.

SECCOMP_RET_KILL actions are always logged, when "kill" is in the actions_logged sysctl, and SECCOMP_RET_ALLOW actions are never logged, regardless of this flag.

This flag can be used to create noisy filters that result in all non-allowed actions being logged. A process may have one noisy filter, which is loaded with this flag, as well as a quiet filter that's not loaded with this flag. This allows for the actions in a set of filters to be selectively conveyed to the admin.

Since a system could have a large number of allocated seccomp_filter structs, struct packing was taken into consideration. On 64 bit x86, the new log member takes up one byte of an existing four byte hole in the struct. On 32 bit x86, the new log member creates a new four byte hole (unavoidable) and consumes one of those bytes.

Unfortunately, the tests added for SECCOMP_FILTER_FLAG_LOG are not capable of inspecting the audit log to verify that the actions taken in the filter were logged.

With this patch, the logic for deciding if an action will be logged is:

    if action == RET_ALLOW:
      do not log
    else if action == RET_KILL && RET_KILL in actions_logged:
      log
    else if filter-requests-logging && action in actions_logged:
      log
    else if audit_enabled && process-is-being-audited:
      log
    else:
      do not log

Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
2b7ea5b5 |
|
10-Aug-2017 |
Tyler Hicks <tyhicks@canonical.com> |
seccomp: Selftest for detection of filter flag support Userspace needs to be able to reliably detect the support of a filter flag. A good way of doing that is by attempting to enter filter mode, with the flag bit(s) in question set, and a NULL pointer for the args parameter of seccomp(2). EFAULT indicates that the flag is valid and EINVAL indicates that the flag is invalid. This patch adds a selftest that can be used to test this method of detection in userspace. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
d612b1fd |
|
10-Aug-2017 |
Tyler Hicks <tyhicks@canonical.com> |
seccomp: Operation for checking if an action is available Userspace code that needs to check if the kernel supports a given action may not be able to use the /proc/sys/kernel/seccomp/actions_avail sysctl. The process may be running in a sandbox and, therefore, sufficient filesystem access may not be available. This patch adds an operation to the seccomp(2) syscall that allows userspace code to ask the kernel if a given action is available. If the action is supported by the kernel, 0 is returned. If the action is not supported by the kernel, -1 is returned with errno set to -EOPNOTSUPP. If this check is attempted on a kernel that doesn't support this new operation, -1 is returned with errno set to -EINVAL meaning that userspace code will have the ability to differentiate between the two error cases. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Suggested-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
f3f6e306 |
|
02-Aug-2017 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Refactor RET_ERRNO tests This refactors the errno tests (since they all use the same pattern for their filter) and adds a RET_DATA field ordering test. Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
|
#
a33b2d03 |
|
08-Aug-2016 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: Add tests for basic ptrace actions This adds tests for using only ptrace to perform syscall changes, just to validate matching behavior between seccomp events and ptrace events. Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
93bd70e3 |
|
20-Mar-2017 |
Kees Cook <keescook@chromium.org> |
seccomp: Adjust selftests to avoid double-join While glibc's pthread implementation is rather forgiving about repeat thread joining, Bionic has recently become much more strict. To deal with this, actually track which threads have been successfully joined and kill the rest at teardown. Based on a patch from Paul Lawrence. Cc: Paul Lawrence <paullawrence@google.com> Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
34a048cc |
|
11-Jun-2017 |
Mickaël Salaün <mic@digikod.net> |
selftests: kselftest_harness: Fix compile warning

Do not confuse the compiler with a semicolon preceding a block. Replace the semicolon with an empty block to avoid a warning:

gcc -Wl,-no-as-needed -Wall -lpthread seccomp_bpf.c -o /.../linux/tools/testing/selftests/seccomp/seccomp_bpf
In file included from seccomp_bpf.c:40:0:
seccomp_bpf.c: In function ‘change_syscall’:
../kselftest_harness.h:558:2: warning: this ‘for’ clause does not guard... [-Wmisleading-indentation]
  for (; _metadata->trigger; _metadata->trigger = __bail(_assert))
  ^
../kselftest_harness.h:574:14: note: in expansion of macro ‘OPTIONAL_HANDLER’
  } while (0); OPTIONAL_HANDLER(_assert)
               ^~~~~~~~~~~~~~~~
../kselftest_harness.h:440:2: note: in expansion of macro ‘__EXPECT’
  __EXPECT(expected, seen, ==, 0)
  ^~~~~~~~
seccomp_bpf.c:1313:2: note: in expansion of macro ‘EXPECT_EQ’
  EXPECT_EQ(0, ret);
  ^~~~~~~~~
seccomp_bpf.c:1317:2: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the ‘for’
  {
  ^

Signed-off-by: Mickaël Salaün <mic@digikod.net> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Kees Cook <keescook@chromium.org> Cc: Shuah Khan <shuahkh@osg.samsung.com> Cc: Will Drewry <wad@chromium.org> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
|
#
0b40808a |
|
26-May-2017 |
Mickaël Salaün <mic@digikod.net> |
selftests: Make test_harness.h more generally available The seccomp/test_harness.h file contains useful helpers to build tests. Moving it to the selftest directory should benefit other test components. Keep seccomp maintainers for this file. Signed-off-by: Mickaël Salaün <mic@digikod.net> Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Will Drewry <wad@chromium.org> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Shuah Khan <shuah@kernel.org> Link: https://lkml.kernel.org/r/CAGXu5j+8CVz8vL51DRYXqOY=xc3zuKFf=PTENe88XYHzFYidUQ@mail.gmail.com Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
|
#
58d0a862 |
|
26-May-2016 |
Kees Cook <keescook@chromium.org> |
seccomp: add tests for ptrace hole One problem with seccomp was that ptrace could be used to change a syscall after seccomp filtering had completed. This was a well documented limitation, and it was recommended to block ptrace when defining a filter to avoid this problem. This can be quite a limitation for containers or other places where ptrace is desired even under seccomp filters. This adds tests for both SECCOMP_RET_TRACE and PTRACE_SYSCALL manipulations. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@kernel.org>
|
#
64e2a42b |
|
01-Apr-2016 |
Helge Deller <deller@gmx.de> |
parisc: Add ARCH_TRACEHOOK and regset support By adding TRACEHOOK support we now get a clean user interface to access registers via PTRACE_GETREGS, PTRACE_SETREGS, PTRACE_GETFPREGS and PTRACE_SETFPREGS. The user-visible regset struct user_regs_struct and user_fp_struct are modelled similarly to x86 and can be accessed via PTRACE_GETREGSET. Signed-off-by: Helge Deller <deller@gmx.de>
|
#
0ce105bf |
|
29-Mar-2016 |
Matt Redfearn <matt.redfearn@mips.com> |
selftests/seccomp: add MIPS self-test support

This adds self-test support on MIPS, based on RFC patch from Kees Cook. Modifications from the RFC:

- support the O32 syscall which passes the real syscall number in a0.
- Use PTRACE_{GET,SET}REGS
- Because SYSCALL_NUM and SYSCALL_RET are the same register, it is not possible to test modifying the syscall return value when skipping, since both would need to set the same register. Therefore modify that test case to just detect the skipped test.

Tested on MIPS32r2 / MIPS64r2 with O32, N32 and N64 userlands.

Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com> Acked-by: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Shuah Khan <shuahkh@osg.samsung.com> Cc: Will Drewry <wad@chromium.org> Cc: IMG-MIPSLinuxKerneldevelopers@imgtec.com Cc: linux-kernel@vger.kernel.org Cc: linux-kselftest@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/12977/ Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
|
#
505ce68c |
|
29-Mar-2016 |
Mickaël Salaün <mic@digikod.net> |
selftest/seccomp: Fix the seccomp(2) signature Signed-off-by: Mickaël Salaün <mic@digikod.net> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Kees Cook <keescook@chromium.org> Cc: Shuah Khan <shuahkh@osg.samsung.com> Cc: Will Drewry <wad@chromium.org> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
|
#
6c045d07 |
|
29-Mar-2016 |
Mickaël Salaün <mic@digikod.net> |
selftest/seccomp: Fix the flag name SECCOMP_FILTER_FLAG_TSYNC Rename SECCOMP_FLAG_FILTER_TSYNC to SECCOMP_FILTER_FLAG_TSYNC to match the UAPI. Signed-off-by: Mickaël Salaün <mic@digikod.net> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Kees Cook <keescook@chromium.org> Cc: Shuah Khan <shuahkh@osg.samsung.com> Cc: Will Drewry <wad@chromium.org> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
|
#
4a0b8807 |
|
29-Dec-2015 |
Mickaël Salaün <mic@digikod.net> |
selftests/seccomp: Remove the need for HAVE_ARCH_TRACEHOOK Some architectures do not implement PTRACE_GETREGSET nor PTRACE_SETREGSET (required by HAVE_ARCH_TRACEHOOK) but only implement PTRACE_GETREGS and PTRACE_SETREGS (e.g. User-mode Linux). This improves seccomp selftest portability for architectures without HAVE_ARCH_TRACEHOOK support by defining a new trigger HAVE_GETREGS. For now, this is only enabled for i386 and x86_64 architectures. This is required to be able to run these tests on User-mode Linux. Signed-off-by: Mickaël Salaün <mic@digikod.net> Cc: Jeff Dike <jdike@addtoit.com> Cc: Richard Weinberger <richard@nod.at> Cc: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Will Drewry <wad@chromium.org> Cc: Shuah Khan <shuahkh@osg.samsung.com> Cc: Meredydd Luff <meredydd@senatehouse.org> Cc: David Drysdale <drysdale@google.com> Signed-off-by: Richard Weinberger <richard@nod.at> Acked-by: Kees Cook <keescook@chromium.org>
|
#
2ce47b44 |
|
12-Nov-2015 |
Bamvor Jian Zhang <bamvor.zhangjian@linaro.org> |
selftests/seccomp: Get page size from sysconf The commit fd88d16c58c2 ("selftests/seccomp: Be more precise with syscall arguments.") uses PAGE_SIZE directly, which leads to a build failure on arm64. Replace it with the generic interface (sysconf(_SC_PAGESIZE)) to fix this failure. Build and test successful on x86_64 and arm64. Signed-off-by: Bamvor Jian Zhang <bamvor.zhangjian@linaro.org> Acked-by: Kees Cook <keescook@chromium.org> Tested-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
|
#
fd88d16c |
|
02-Nov-2015 |
Robert Sesek <rsesek@google.com> |
selftests/seccomp: Be more precise with syscall arguments. Certain syscall emulation layers strictly check that the number of arguments match what the syscall handler expects. The KILL_one_arg_one and KILL_one_arg_six tests passed more parameters than expected to various syscalls, causing failures in this emulation mode. Instead, test using syscalls that take the appropriate number of arguments. Signed-off-by: Robert Sesek <rsesek@google.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
|
#
256d0afb |
|
06-Oct-2015 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: build and pass on arm64 Changing arm64 syscalls is done via a specific register set, more like s390 than like arm (specific ptrace call) and x86 (part of general registers). Since (restarting) poll doesn't exist on arm64, switch to using nanosleep for testing restart_syscall. And since it looks like the syscall ABI is inconsistent on arm-compat, we must work around it (and document it) in the test. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
|
#
b623c4da |
|
21-Aug-2015 |
Kees Cook <keescook@chromium.org> |
selftests/seccomp: add support for s390 This adds support for s390 to the seccomp selftests. Some improvements were made to enhance the accuracy of failure reporting, and additional tests were added to validate assumptions about the currently traced syscall. Also adds early asserts for running on older kernels to avoid noise when the seccomp syscall is not implemented. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
|
#
5d83c2b3 |
|
23-Jul-2015 |
Michael Ellerman <mpe@ellerman.id.au> |
selftests/seccomp: Add powerpc support Wire up the syscall number and regs so the tests work on powerpc. With the powerpc kernel support just merged, all tests pass on ppc64, ppc64 (compat), ppc64le, ppc, ppc64e and ppc64e (compat). Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
|
#
c385d0db |
|
23-Jul-2015 |
Michael Ellerman <mpe@ellerman.id.au> |
selftests/seccomp: Make seccomp tests work on big endian The seccomp_bpf test uses BPF_LD|BPF_W|BPF_ABS to load 32-bit values from seccomp_data->args. On big endian machines this will load the high word of the argument, which is not what the test wants. Borrow a hack from samples/seccomp/bpf-helper.h which changes the offset on big endian to account for this. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Acked-by: Kees Cook <keescook@chromium.org>
|
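The big-endian problem described in c385d0db, modelled for both byte orders as an added C example; it is not the hack from samples/seccomp/bpf-helper.h nor code from the selftest. The helper names (arg_lo_off, store_arg, bpf_ld_w, load_arg_lo) are hypothetical and the argument value is a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <linux/filter.h>	/* struct sock_filter, BPF_STMT, BPF_LD ... */
#include <linux/seccomp.h>	/* struct seccomp_data */

#define ARGS_OFF offsetof(struct seccomp_data, args)

/* Offsets of the low and high 32-bit halves of args[n] for a given byte order. */
uint32_t arg_lo_off(unsigned n, int big_endian)
{
	return ARGS_OFF + n * sizeof(uint64_t) + (big_endian ? 4 : 0);
}

uint32_t arg_hi_off(unsigned n, int big_endian)
{
	return ARGS_OFF + n * sizeof(uint64_t) + (big_endian ? 0 : 4);
}

/* Lay out a 64-bit argument the way a CPU of that byte order stores it. */
void store_arg(uint8_t *data, unsigned n, uint64_t v, int big_endian)
{
	uint8_t *p = data + ARGS_OFF + n * sizeof(uint64_t);
	for (int i = 0; i < 8; i++)
		p[big_endian ? 7 - i : i] = (uint8_t)(v >> (8 * i));
}

/* Model of BPF_LD|BPF_W|BPF_ABS on seccomp_data: a 32-bit read in CPU byte order. */
uint32_t bpf_ld_w(const uint8_t *data, uint32_t off, int big_endian)
{
	uint32_t w = 0;
	for (int i = 0; i < 4; i++)
		w |= (uint32_t)data[off + (big_endian ? 3 - i : i)] << (8 * i);
	return w;
}

/* The actual filter instruction for the machine this is compiled on. */
struct sock_filter load_arg_lo(unsigned n)
{
	int be = (__BYTE_ORDER__ == __ORDER_BIG_ENDIAN__);
	struct sock_filter insn = BPF_STMT(BPF_LD | BPF_W | BPF_ABS, arg_lo_off(n, be));
	return insn;
}

int main(void)
{
	uint8_t data[sizeof(struct seccomp_data)] = {0};
	uint64_t arg = 0x1122334455667788ULL;	/* constructed sample value */

	for (int be = 0; be <= 1; be++) {
		store_arg(data, 0, arg, be);
		/* naive: load at the start of args[0]; fixed: load at the low half */
		printf("%s: naive=0x%08x fixed=0x%08x\n", be ? "BE" : "LE",
		       bpf_ld_w(data, ARGS_OFF, be), bpf_ld_w(data, arg_lo_off(0, be), be));
	}
	return 0;
}
```

A filter that compares only the word at the start of args[n] checks the low half on little endian but the high half on big endian, so the same rule can match different values on the two.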
#
c99ee51a |
|
16-Jun-2015 |
Kees Cook <keescook@chromium.org> |
selftests: add seccomp suite This imports the existing seccomp test suite into the kernel's selftests tree. It contains extensive testing of seccomp features and corner cases. There remain additional tests to move into the kernel tree, but they have not yet been ported to all the architectures seccomp supports: https://github.com/redpig/seccomp/tree/master/tests Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
|