[PATCH 0/7] um: skas: harden the seccomp userspace stub
Cong Wang
xiyou.wangcong at gmail.com
Fri Jun 19 20:22:17 PDT 2026
From: Cong Wang <cwang at multikernel.io>
In the seccomp ("SECCOMP") userspace mode, each guest userspace process
runs in a stub under a seccomp filter and traps to the monitor (the UML
kernel) on every syscall. Two items on the stub.c "Known security issues"
list could not be addressed by the filter alone:

- a hijacked stub could mmap() arbitrary physmem offsets, which is an
  intra-guest disclosure and, on this base (single physmem fd, no
  kernel/user split), a host escape; and
- a hijacked stub could block SIGALRM via a crafted rt_sigreturn to
  evade preemption and wedge the monitor indefinitely.

This series closes both:

1-2: route the stub's mmap() through a SECCOMP_RET_USER_NOTIF listener
     owned by the monitor (no behavioural change yet).
3-4: validate each mmap() against the mm's page table -- allowed iff the
     PTE already maps the requested frame with no more access than it
     grants -- including out-of-batch mmaps a hijacked stub issues on
     its own.
5:   route and validate munmap() the same way (range-confined below
     STUB_START).
6:   add a watchdog thread that detects a stub which stops reporting
     back (e.g. blocked SIGALRM) and SIGKILLs it, letting the monitor
     recover via the existing teardown.
7:   drop the now-resolved "Known security issues" note and refresh the
     seccomp= help text.

After the series a hijacked stub is confined to the frames its own page
tables reference and can no longer reach arbitrary guest/host memory; one
that evades preemption is detected out of band and killed rather than
wedging the monitor.

Verified on UML (UP and 2-CPU SMP): boots and survives fork/exec storms
and heavy mmap/munmap churn with zero false denials or false kills; an
artificially SIGALRM-blocked busy loop is killed in ~5s and the monitor
recovers, while syscall-making processes are untouched. Each patch builds
and the series is bisectable.
---
Cong Wang (7):
  um: skas: create a seccomp USER_NOTIF listener and hand it to the
    monitor
  um: skas: gate stub mmap() through the USER_NOTIF monitor
  um: skas: validate stub mmap() against the guest page table
  um: skas: handle out-of-batch stub mmap notifications
  um: skas: validate stub munmap() against the guest address range
  um: skas: kill stubs that block SIGALRM via a watchdog thread
  um: skas: refresh stub security notes after closing the known issues

 arch/um/include/shared/skas/mm_id.h |   1 +
 arch/um/include/shared/skas/skas.h  |   5 +
 arch/um/kernel/skas/stub.c          |  22 --
 arch/um/kernel/skas/stub_exe.c      |  19 +-
 arch/um/kernel/skas/uaccess.c       |  48 +++++
 arch/um/os-Linux/skas/process.c     | 315 ++++++++++++++++++++++++----
 arch/um/os-Linux/start_up.c         |   6 -
 7 files changed, 344 insertions(+), 72 deletions(-)
base-commit: 1a3746ccbb0a97bed3c06ccde6b880013b1dddc1
--
2.43.0
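The admission policy that patches 3-5 describe (mmap() allowed only where the guest PTE already maps the requested physmem offset with at least the requested access; munmap() confined below STUB_START), modelled as an added example that is not code from the series: the page table contents, the STUB_START value and the function names are constructed assumptions.

```c
/* Constructed model of the stub mmap()/munmap() admission check (hypothetical
 * names; not the series' own code). The guest page table is a small array and
 * "frame" is the physmem-fd offset a guest virtual page maps. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>

#define PAGE_SIZE  4096UL
#define NPAGES     8                     /* toy guest address space: 8 pages */
#define STUB_START (NPAGES * PAGE_SIZE)  /* assumed: stub pages live above this */

/* One guest PTE: the physmem offset it maps and the access it grants. */
struct pte { bool present; unsigned long frame; int prot; };

/* Constructed page table: pages 0-1 writable, page 2 read-only, rest unmapped. */
static const struct pte page_table[NPAGES] = {
    [0] = { true, 0x10000UL, PROT_READ | PROT_WRITE },
    [1] = { true, 0x11000UL, PROT_READ | PROT_WRITE },
    [2] = { true, 0x20000UL, PROT_READ },
};

/* Allow iff every page of the request is already mapped by the page table to
 * exactly that physmem offset and the PTE grants at least the requested prot. */
bool stub_mmap_allowed(unsigned long addr, size_t len, int prot, unsigned long offset)
{
    if (len == 0 || addr % PAGE_SIZE || offset % PAGE_SIZE || len % PAGE_SIZE)
        return false;
    if (addr + len < addr || addr + len > STUB_START)   /* overflow or stub range */
        return false;
    for (size_t i = 0; i < len; i += PAGE_SIZE) {
        const struct pte *p = &page_table[(addr + i) / PAGE_SIZE];
        if (!p->present || p->frame != offset + i)
            return false;   /* PTE does not map this physmem offset: deny */
        if (prot & ~p->prot)
            return false;   /* asks for more access than the PTE grants: deny */
    }
    return true;
}

/* munmap() is only range-confined: the whole range must lie below STUB_START. */
bool stub_munmap_allowed(unsigned long addr, size_t len)
{
    return len != 0 && addr % PAGE_SIZE == 0 &&
           addr + len >= addr && addr + len <= STUB_START;
}

int main(void)
{
    printf("own frames RW: %d\n", stub_mmap_allowed(0, 2 * PAGE_SIZE, PROT_READ | PROT_WRITE, 0x10000UL));
    printf("foreign offset: %d\n", stub_mmap_allowed(0, PAGE_SIZE, PROT_READ, 0x30000UL));
    printf("RW on RO page: %d\n", stub_mmap_allowed(2 * PAGE_SIZE, PAGE_SIZE, PROT_READ | PROT_WRITE, 0x20000UL));
    return 0;
}
```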