[PATCH v5 3/3] arm64: Add seccomp support
Andy Lutomirski
luto at amacapital.net
Thu Jul 24 08:00:03 PDT 2014
On Jul 23, 2014 10:40 PM, "AKASHI Takahiro" <takahiro.akashi at linaro.org> wrote:
>
> On 07/24/2014 12:52 PM, Andy Lutomirski wrote:
>>
>> On 07/22/2014 02:14 AM, AKASHI Takahiro wrote:
>>>
>>> secure_computing() should always be called first in syscall_trace_enter().
>>>
>>> If secure_computing() returns -1, we should stop further handling. Then
>>> that system call may eventually fail with a specified return value (errno),
>>> be trapped or the process itself be killed depending on loaded rules.
>>> In these cases, syscall_trace_enter() also returns -1, that results in
>>> skiping a normal syscall handling as well as syscall_trace_exit().
>>>
>>> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
>>> ---
>>> arch/arm64/Kconfig | 14 ++++++++++++++
>>> arch/arm64/include/asm/seccomp.h | 25 +++++++++++++++++++++++++
>>> arch/arm64/include/asm/unistd.h | 3 +++
>>> arch/arm64/kernel/ptrace.c | 5 +++++
>>> 4 files changed, 47 insertions(+)
>>> create mode 100644 arch/arm64/include/asm/seccomp.h
>>>
>>> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
>>> index 3a18571..eeac003 100644
>>> --- a/arch/arm64/Kconfig
>>> +++ b/arch/arm64/Kconfig
>>> @@ -32,6 +32,7 @@ config ARM64
>>> select HAVE_ARCH_AUDITSYSCALL
>>> select HAVE_ARCH_JUMP_LABEL
>>> select HAVE_ARCH_KGDB
>>> + select HAVE_ARCH_SECCOMP_FILTER
>>> select HAVE_ARCH_TRACEHOOK
>>> select HAVE_C_RECORDMCOUNT
>>> select HAVE_DEBUG_BUGVERBOSE
>>> @@ -259,6 +260,19 @@ config ARCH_HAS_CACHE_LINE_SIZE
>>>
>>> source "mm/Kconfig"
>>>
>>> +config SECCOMP
>>> + bool "Enable seccomp to safely compute untrusted bytecode"
>>> + ---help---
>>> + This kernel feature is useful for number crunching applications
>>> + that may need to compute untrusted bytecode during their
>>> + execution. By using pipes or other transports made available to
>>> + the process as file descriptors supporting the read/write
>>> + syscalls, it's possible to isolate those applications in
>>> + their own address space using seccomp. Once seccomp is
>>> + enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
>>> + and the task is only allowed to execute a few safe syscalls
>>> + defined by each seccomp mode.
>>> +
>>> config XEN_DOM0
>>> def_bool y
>>> depends on XEN
>>> diff --git a/arch/arm64/include/asm/seccomp.h b/arch/arm64/include/asm/seccomp.h
>>> new file mode 100644
>>> index 0000000..c76fac9
>>> --- /dev/null
>>> +++ b/arch/arm64/include/asm/seccomp.h
>>> @@ -0,0 +1,25 @@
>>> +/*
>>> + * arch/arm64/include/asm/seccomp.h
>>> + *
>>> + * Copyright (C) 2014 Linaro Limited
>>> + * Author: AKASHI Takahiro <takahiro.akashi at linaro.org>
>>> + *
>>> + * This program is free software; you can redistribute it and/or modify
>>> + * it under the terms of the GNU General Public License version 2 as
>>> + * published by the Free Software Foundation.
>>> + */
>>> +#ifndef _ASM_SECCOMP_H
>>> +#define _ASM_SECCOMP_H
>>> +
>>> +#include <asm/unistd.h>
>>> +
>>> +#ifdef CONFIG_COMPAT
>>> +#define __NR_seccomp_read_32 __NR_compat_read
>>> +#define __NR_seccomp_write_32 __NR_compat_write
>>> +#define __NR_seccomp_exit_32 __NR_compat_exit
>>> +#define __NR_seccomp_sigreturn_32 __NR_compat_rt_sigreturn
>>> +#endif /* CONFIG_COMPAT */
>>> +
>>> +#include <asm-generic/seccomp.h>
>>> +
>>> +#endif /* _ASM_SECCOMP_H */
>>> diff --git a/arch/arm64/include/asm/unistd.h b/arch/arm64/include/asm/unistd.h
>>> index c980ab7..729c155 100644
>>> --- a/arch/arm64/include/asm/unistd.h
>>> +++ b/arch/arm64/include/asm/unistd.h
>>> @@ -31,6 +31,9 @@
>>> * Compat syscall numbers used by the AArch64 kernel.
>>> */
>>> #define __NR_compat_restart_syscall 0
>>> +#define __NR_compat_exit 1
>>> +#define __NR_compat_read 3
>>> +#define __NR_compat_write 4
>>> #define __NR_compat_sigreturn 119
>>> #define __NR_compat_rt_sigreturn 173
>>>
>>> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
>>> index 100d7d1..e477f6f 100644
>>> --- a/arch/arm64/kernel/ptrace.c
>>> +++ b/arch/arm64/kernel/ptrace.c
>>> @@ -28,6 +28,7 @@
>>> #include <linux/smp.h>
>>> #include <linux/ptrace.h>
>>> #include <linux/user.h>
>>> +#include <linux/seccomp.h>
>>> #include <linux/security.h>
>>> #include <linux/init.h>
>>> #include <linux/signal.h>
>>> @@ -1115,6 +1116,10 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
>>> saved_x0 = regs->regs[0];
>>> saved_x8 = regs->regs[8];
>>>
>>> + if (secure_computing(regs->syscallno) == -1)
>>> + /* seccomp failures shouldn't expose any additional code. */
>>> + return -1;
>>> +
>>
>>
>> This will conflict with the fastpath stuff in Kees' tree. (Actually, it's likely to apply cleanly, but fail to
>> compile.) The fix is trivial, but, given that the fastpath stuff is new, can you take a look and see if arm64 can use
>> it effectively?
>
>
> I will look into the code later.
>
>
>> I suspect that the performance considerations are rather different on arm64 as compared to x86 (I really hope that x86
>> is the only architecture with the absurd sysret vs. iret distinction), but at least the seccomp_data stuff ought to help
>> anywhere. (It looks like there's a distinct fast path, too, so the two-phase thing might also be a fairly large win if
>> it's supportable.)
>>
>> See:
>>
>> https://git.kernel.org/cgit/linux/kernel/git/kees/linux.git/log/?h=seccomp/fastpath
>>
>> Also, I'll ask the usual question? What are all of the factors other than nr and args that affect syscall execution?
>> What are the audit arch values? Do they match correctly?
>
>
> As far as I know,
>
>
>> For example, it looks like, if arm64 adds OABI support, you'll have a problem. (Note that arm currently disables audit
>> and seccomp if OABI is enabled for exactly this reason.)
>
>
> I don't think that arm64 will add OABI support in the future.
>
>
>> Do any syscall implementations care whether the user code is LE or BE? Are the arguments encoded the same way?
>
>
> when I implemented audit for arm64, the assumptions were
> * If userspace is LE, then the kernel is also LE and if BE, then the kernel is BE.
> * the syscall numbers and how arguments are encoded are the same btw BE and LE.
> So syscall_get_arch() always return the same value.
If arm64 ever adds support for mixed-endian userspace, this could
become awkward. Hmm.
IMO this matters more for seccomp than for audit. The audit code
doesn't seem to do anything terribly interesting w/ the arch field, at
least in terms of interpretation of syscall args.
>
>
>> An arm-specific question: will there be any confusion as a result of the fact that compat syscalls seems to stick nr in
>> w7, but arm64 puts them somewhere else?
>
>
> I don't know, but syscall_get_arch() returns ARCH_ARM for 32-bit tasks.
Will 32-bit tracers be compatible between arm and arm64 kernels? That
is, if a 32-bit program installs a seccomp filter with a trace action
and traces a 32-bit process, will everything work correctly? (Kees'
and Will's tests should work for this, I think.)
--Andy
More information about the linux-arm-kernel
mailing list