Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge tag 'seccomp-v4.16-rc3' of https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux into fixes-v4.16-rc3

- Fix seccomp GET_METADATA to deal with field sizes correctly (Tycho Andersen)
- Add selftest to make sure GET_METADATA doesn't regress (Tycho Andersen)
James Morris 7 years ago
parent
af3e79d295 d057dc4e35
commit
645ae5c51e
3 changed files with 67 additions and 4 deletions
Split View Show Diff Stats
  1. 2 2
      include/uapi/linux/ptrace.h
  2. 4 2
      kernel/seccomp.c
  3. 61 0
      tools/testing/selftests/seccomp/seccomp_bpf.c

+ 2 - 2
include/uapi/linux/ptrace.h
View File 

@@ -69,8 +69,8 @@ struct ptrace_peeksiginfo_args {
 
 #define PTRACE_SECCOMP_GET_METADATA	0x420d
 
 
 struct seccomp_metadata {
 
-	unsigned long filter_off;	/* Input: which filter */
 
-	unsigned int flags;		/* Output: filter's flags */
 
+	__u64 filter_off;	/* Input: which filter */
 
+	__u64 flags;		/* Output: filter's flags */
 
 };
 
 
 /* Read signals from a shared (process wide) queue */

+ 4 - 2
kernel/seccomp.c
View File 

@@ -1076,14 +1076,16 @@ long seccomp_get_metadata(struct task_struct *task,
 
 
 	size = min_t(unsigned long, size, sizeof(kmd));
 
 
-	if (copy_from_user(&kmd, data, size))
 
+	if (size < sizeof(kmd.filter_off))
 
+		return -EINVAL;
 
+
 
+	if (copy_from_user(&kmd.filter_off, data, sizeof(kmd.filter_off)))
 
 		return -EFAULT;
 
 
 	filter = get_nth_filter(task, kmd.filter_off);
 
 	if (IS_ERR(filter))
 
 		return PTR_ERR(filter);
 
 
-	memset(&kmd, 0, sizeof(kmd));
 
 	if (filter->log)
 
 		kmd.flags |= SECCOMP_FILTER_FLAG_LOG;

+ 61 - 0
tools/testing/selftests/seccomp/seccomp_bpf.c
View File 

@@ -141,6 +141,15 @@ struct seccomp_data {
 
 #define SECCOMP_FILTER_FLAG_LOG 2
 
 #endif
 
 
+#ifndef PTRACE_SECCOMP_GET_METADATA
 
+#define PTRACE_SECCOMP_GET_METADATA	0x420d
 
+
 
+struct seccomp_metadata {
 
+	__u64 filter_off;       /* Input: which filter */
 
+	__u64 flags;             /* Output: filter's flags */
 
+};
 
+#endif
 
+
 
 #ifndef seccomp
 
 int seccomp(unsigned int op, unsigned int flags, void *args)
 
 {
 
@@ -2845,6 +2854,58 @@ TEST(get_action_avail)
 
 	EXPECT_EQ(errno, EOPNOTSUPP);
 
 }
 
 
+TEST(get_metadata)
 
+{
 
+	pid_t pid;
 
+	int pipefd[2];
 
+	char buf;
 
+	struct seccomp_metadata md;
 
+
 
+	ASSERT_EQ(0, pipe(pipefd));
 
+
 
+	pid = fork();
 
+	ASSERT_GE(pid, 0);
 
+	if (pid == 0) {
 
+		struct sock_filter filter[] = {
 
+			BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
 
+		};
 
+		struct sock_fprog prog = {
 
+			.len = (unsigned short)ARRAY_SIZE(filter),
 
+			.filter = filter,
 
+		};
 
+
 
+		/* one with log, one without */
 
+		ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER,
 
+				     SECCOMP_FILTER_FLAG_LOG, &prog));
 
+		ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog));
 
+
 
+		ASSERT_EQ(0, close(pipefd[0]));
 
+		ASSERT_EQ(1, write(pipefd[1], "1", 1));
 
+		ASSERT_EQ(0, close(pipefd[1]));
 
+
 
+		while (1)
 
+			sleep(100);
 
+	}
 
+
 
+	ASSERT_EQ(0, close(pipefd[1]));
 
+	ASSERT_EQ(1, read(pipefd[0], &buf, 1));
 
+
 
+	ASSERT_EQ(0, ptrace(PTRACE_ATTACH, pid));
 
+	ASSERT_EQ(pid, waitpid(pid, NULL, 0));
 
+
 
+	md.filter_off = 0;
 
+	ASSERT_EQ(sizeof(md), ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md));
 
+	EXPECT_EQ(md.flags, SECCOMP_FILTER_FLAG_LOG);
 
+	EXPECT_EQ(md.filter_off, 0);
 
+
 
+	md.filter_off = 1;
 
+	ASSERT_EQ(sizeof(md), ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md));
 
+	EXPECT_EQ(md.flags, 0);
 
+	EXPECT_EQ(md.filter_off, 1);
 
+
 
+	ASSERT_EQ(0, kill(pid, SIGKILL));
 
+}
 
+
 
 /*
 
  * TODO:
 
  * - add microbenchmarks