projects / cascardo / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7587a4f) | patch
BACKPORT: seccomp: add SECCOMP_RET_ERRNO
authorWill Drewry <wad@chromium.org>
Thu, 16 Feb 2012 02:45:54 +0000 (20:45 -0600)
committerGrant Grundler <grundler@google.com>
Thu, 24 May 2012 22:16:46 +0000 (15:16 -0700)
commit844eb5f359cae17a94b130daf05195a554e302c9
treee17e8991cbfd62713a9c09bb742ebcda7bb8f990tree | snapshot
parent7587a4f2ea52e5972cb851e5c03cb4c1f94b203dcommit | diff
BACKPORT: seccomp: add SECCOMP_RET_ERRNO

This change adds the SECCOMP_RET_ERRNO as a valid return value from a
seccomp filter.  Additionally, it makes the first use of the lower
16-bits for storing a filter-supplied errno.  16-bits is more than
enough for the errno-base.h calls.

Returning errors instead of immediately terminating processes that
violate seccomp policy allow for broader use of this functionality
for kernel attack surface reduction.  For example, a linux container
could maintain a whitelist of pre-existing system calls but drop
all new ones with errnos.  This would keep a logically static attack
surface while providing errnos that may allow for graceful failure
without the downside of do_exit() on a bad call.

v18: - fix up comments and rebase
v16-v17: ...
v15: - use audit_seccomp and add a skip label. (eparis@redhat.com)
     - clean up and pad out return codes (indan@nul.nu)
v14: - no change/rebase
v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
v12: - move to WARN_ON if filter is NULL
       (oleg@redhat.com, luto@mit.edu, keescook@chromium.org)
     - return immediately for filter==NULL (keescook@chromium.org)
     - change evaluation to only compare the ACTION so that layered
       errnos don't result in the lowest one being returned.
       (keeschook@chromium.org)
v11: - check for NULL filter (keescook@chromium.org)
v10: - change loaders to fn
 v9: - n/a
 v8: - update Kconfig to note new need for syscall_set_return_value.
     - reordered such that TRAP behavior follows on later.
     - made the for loop a little less indent-y
 v7: - introduced

Change-Id: I06445655cb7df24a4e9879c4ba4052abb2d424c1
Acked-by: Eric Paris <eparis@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Will Drewry <wad@chromium.org>
BUG=chromium-os:27878
TEST=none. Part of a much larger stack that really should merge together.

Change-Id: I27e4a8b79fd6883af8e0c99096060c644939055f
Reviewed-on: https://gerrit.chromium.org/gerrit/21365
Reviewed-by: Will Drewry <wad@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
arch/Kconfig diff | blob | history
include/linux/seccomp.h diff | blob | history
kernel/seccomp.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.