GET /api/patches/1707754/?format=api
{ "id": 1707754, "url": "http://patchwork.ozlabs.org/api/patches/1707754/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-um/patch/20221122100759.208290-24-benjamin@sipsolutions.net/", "project": { "id": 60, "url": "http://patchwork.ozlabs.org/api/projects/60/?format=api", "name": "User-mode Linux Development", "link_name": "linux-um", "list_id": "linux-um.lists.infradead.org", "list_email": "linux-um@lists.infradead.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20221122100759.208290-24-benjamin@sipsolutions.net>", "list_archive_url": null, "date": "2022-11-22T10:07:54", "name": "[v2,23/28] um: Add stub side of SECCOMP/futex based process handling", "commit_ref": null, "pull_url": null, "state": "not-applicable", "archived": false, "hash": "2ce835744bce7e13c37a17a6e86a3791ca01e81c", "submitter": { "id": 67525, "url": "http://patchwork.ozlabs.org/api/people/67525/?format=api", "name": "Benjamin Berg", "email": "benjamin@sipsolutions.net" }, "delegate": { "id": 54851, "url": "http://patchwork.ozlabs.org/api/users/54851/?format=api", "username": "rw", "first_name": "Richard", "last_name": "Weinberger", "email": "richard@nod.at" }, "mbox": "http://patchwork.ozlabs.org/project/linux-um/patch/20221122100759.208290-24-benjamin@sipsolutions.net/mbox/", "series": [ { "id": 329466, "url": "http://patchwork.ozlabs.org/api/series/329466/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-um/list/?series=329466", "date": "2022-11-22T10:07:37", "name": "Implement SECCOMP based userland", "version": 2, "mbox": "http://patchwork.ozlabs.org/series/329466/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/1707754/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/1707754/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n 
<linux-um-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=linux-um-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=<UNKNOWN>)", "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=gQ3dZa+t;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n secure) header.d=sipsolutions.net header.i=@sipsolutions.net\n header.a=rsa-sha256 header.s=mail header.b=TAi5iXb6;\n\tdkim-atps=neutral" ], "Received": [ "from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4NGg5l3CVGz23nn\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 22 Nov 2022 21:11:39 +1100 (AEDT)", "from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux))\n\tid 1oxQFV-007gAh-NN; Tue, 22 Nov 2022 10:11:29 +0000", "from s3.sipsolutions.net ([2a01:4f8:191:4433::2]\n helo=sipsolutions.net)\n\tby bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux))\n\tid 1oxQF3-007fef-1Q\n\tfor linux-um@lists.infradead.org; Tue, 22 Nov 2022 10:11:12 +0000", "by sipsolutions.net with esmtpsa\n (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)\n\t(Exim 4.96)\n\t(envelope-from <benjamin@sipsolutions.net>)\n\tid 1oxQEt-006IGn-1y;\n\tTue, 22 Nov 2022 11:10:51 +0100" ], "DKIM-Signature": [ "v=1; a=rsa-sha256; q=dns/txt; 
c=relaxed/relaxed;\n\td=lists.infradead.org; s=bombadil.20210309; h=Sender:\n\tContent-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:\n\tList-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:\n\tMessage-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:\n\tResent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:\n\tList-Owner; bh=F1Sy3dXVydh6odnGLgWHWgFtXyh3+3bRKGM89jXFOw4=; b=gQ3dZa+t9+8D58\n\t+mfHtOHTCYc3b93VxqjQSaZucyfesfWYREcKPfNkdrAgc73hIML21ho5kcUiSFeM10IrwMT7yLO4F\n\t+GER70yGtpOlYPRLozldIHKNgfnlcFXeqUCGwzj6bIggdzFOjZzRNrTIN+nfpiri0FvoGTE5JjCYK\n\tpuz3PY9k6sNnyhqyDHZA16WD2bYbuNGfHGgmSnLKVBB/lQ2kW+gpULChtF49lIDesVEEtt8IUehDj\n\tGQzIixD3n10KAYkRXkPw19qn5quu81j4ReI+9cpQwmIUyHr58pshps29w+D3YcST2cvJ2y3NtaIW7\n\tu2Nn5Z+RfrK+Ec+aArFg==;", "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=sipsolutions.net; s=mail; h=Content-Transfer-Encoding:MIME-Version:\n\tReferences:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Content-Type:Sender\n\t:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-To:\n\tResent-Cc:Resent-Message-ID; bh=wBUw3g+BEgREJ50tuzbsm0z1YB8OYVuRBcANh0RJiVs=;\n\tt=1669111860; x=1670321460; b=TAi5iXb63LkTUUeLg8rxP5f2ojHEtynpstA2ps9z7fr0W10\n\tmbyMzPCCcG8DdrwwgWQ1q9xxZmEI1HowU4R3BiDRBxxuCixUVZwe4f4SRjOtqMYQW2McFEVcE2+iS\n\t9jyfRqzo2ACDvwGuVNY6WlnhFFrII3ZX+CVpxWP0/apMI1nBpemIseW3QyhWOaJYvbhIlBn8na11h\n\tpxdLGJEZLu2XBdsUR05nIAvKLpYNSx9xd9/ry8yBzMs0SDyib9UtjCYTl2FYDjraf/hqrlVTGa5hC\n\tdHw2ZVM3qAREJPOgCrPp1cOWzpnEr/0ak5JZIHC7HRPNSUGlWqf0uG5dbPn0zwUA==;" ], "From": "benjamin@sipsolutions.net", "To": "linux-um@lists.infradead.org", "Cc": "Benjamin Berg <benjamin@sipsolutions.net>,\n\tJohannes Berg <johannes@sipsolutions.net>", "Subject": "[PATCH v2 23/28] um: Add stub side of SECCOMP/futex based process\n handling", "Date": "Tue, 22 Nov 2022 11:07:54 +0100", "Message-Id": "<20221122100759.208290-24-benjamin@sipsolutions.net>", "X-Mailer": "git-send-email 
2.38.1", "In-Reply-To": "<20221122100759.208290-1-benjamin@sipsolutions.net>", "References": "<20221122100759.208290-1-benjamin@sipsolutions.net>", "MIME-Version": "1.0", "X-CRM114-Version": "20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ", "X-CRM114-CacheID": "sfid-20221122_021101_393511_3C494A88 ", "X-CRM114-Status": "GOOD ( 21.63 )", "X-Spam-Score": "-0.2 (/)", "X-Spam-Report": "Spam detection software,\n running on the system \"bombadil.infradead.org\",\n has NOT identified this incoming email as spam. The original\n message has been attached to this so you can view it or label\n similar future email. If you have any questions, see\n the administrator of that system for details.\n Content preview: 
From: Benjamin Berg <benjamin@sipsolutions.net> This adds\n the stub side for the new seccomp process management code. In this case we\n do register save/restore through the signal handler mcontext. For the\n FS_BASE/GS_BASE\n register we need special hand [...]\n Content analysis details: (-0.2 points, 5.0 required)\n pts rule name description\n ---- ----------------------\n --------------------------------------------------\n -0.0 SPF_PASS SPF: sender matches SPF record\n -0.0 SPF_HELO_PASS SPF: HELO matches SPF record\n -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from\n author's domain\n -0.1 DKIM_VALID Message has at least one valid DKIM or DK\n signature\n 0.1 DKIM_SIGNED Message has a DKIM or DK signature,\n not necessarily\n valid\n -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from\n envelope-from domain", "X-BeenThere": "linux-um@lists.infradead.org", "X-Mailman-Version": "2.1.34", "Precedence": "list", "List-Id": "<linux-um.lists.infradead.org>", "List-Unsubscribe": "<http://lists.infradead.org/mailman/options/linux-um>,\n <mailto:linux-um-request@lists.infradead.org?subject=unsubscribe>", "List-Archive": "<http://lists.infradead.org/pipermail/linux-um/>", "List-Post": "<mailto:linux-um@lists.infradead.org>", "List-Help": "<mailto:linux-um-request@lists.infradead.org?subject=help>", "List-Subscribe": "<http://lists.infradead.org/mailman/listinfo/linux-um>,\n <mailto:linux-um-request@lists.infradead.org?subject=subscribe>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Sender": "\"linux-um\" <linux-um-bounces@lists.infradead.org>", "Errors-To": "linux-um-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org" }, "content": "From: Benjamin Berg <benjamin@sipsolutions.net>\n\nThis adds the stub side for the new seccomp process management code. In\nthis case we do register save/restore through the signal handler\nmcontext. 
For the FS_BASE/GS_BASE register we need special handling.\n\nCo-authored-by: Johannes Berg <johannes@sipsolutions.net>\nSigned-off-by: Benjamin Berg <benjamin@sipsolutions.net>\n---\n arch/um/include/shared/skas/stub-data.h | 15 +++++++\n arch/um/kernel/skas/clone.c | 24 +++++++++++\n arch/um/kernel/skas/stub.c | 54 +++++++++++++++++++++++++\n arch/x86/um/shared/sysdep/stub-data.h | 12 ++++++\n arch/x86/um/shared/sysdep/stub.h | 3 ++\n arch/x86/um/shared/sysdep/stub_32.h | 7 ++++\n arch/x86/um/shared/sysdep/stub_64.h | 14 +++++++\n 7 files changed, 129 insertions(+)\n create mode 100644 arch/x86/um/shared/sysdep/stub-data.h", "diff": "diff --git a/arch/um/include/shared/skas/stub-data.h b/arch/um/include/shared/skas/stub-data.h\nindex 821c1e98c051..6a6bc34f70c4 100644\n--- a/arch/um/include/shared/skas/stub-data.h\n+++ b/arch/um/include/shared/skas/stub-data.h\n@@ -8,8 +8,13 @@\n #ifndef __STUB_DATA_H\n #define __STUB_DATA_H\n \n+#include <linux/kconfig.h>\n #include <linux/compiler_types.h>\n #include <as-layout.h>\n+#include <sysdep/stub-data.h>\n+\n+#define FUTEX_IN_CHILD 0\n+#define FUTEX_IN_KERN 1\n \n #define STUB_NEXT_SYSCALL(s) \\\n \t((struct stub_syscall *) (((unsigned long) s) + (s)->cmd_len))\n@@ -31,6 +36,16 @@ struct stub_data {\n \t/* 128 leaves enough room for additional fields in the struct */\n \tunsigned char syscall_data[UM_KERN_PAGE_SIZE - 128] __aligned(16);\n \n+\t/* data shared with signal handler (only used in seccomp mode) */\n+\tshort restart_wait;\n+\tunsigned int futex;\n+\tint signal;\n+\tunsigned short si_offset;\n+\tunsigned short mctx_offset;\n+\n+\t/* seccomp architecture specific state restore */\n+\tstruct stub_data_arch arch_data;\n+\n \t/* Stack for our signal handlers and for calling into . 
*/\n \tunsigned char sigstack[UM_KERN_PAGE_SIZE] __aligned(UM_KERN_PAGE_SIZE);\n };\ndiff --git a/arch/um/kernel/skas/clone.c b/arch/um/kernel/skas/clone.c\nindex 8b6ea9c00133..97728b7dd54d 100644\n--- a/arch/um/kernel/skas/clone.c\n+++ b/arch/um/kernel/skas/clone.c\n@@ -48,3 +48,27 @@ stub_clone_handler(void)\n done:\n \ttrap_myself();\n }\n+\n+#ifdef CONFIG_UML_SECCOMP\n+void __attribute__ ((__section__ (\".__syscall_stub\")))\n+stub_clone_handler_seccomp(void)\n+{\n+\tstruct stub_data *data = get_stub_page() + UM_KERN_PAGE_SIZE;\n+\tlong err;\n+\n+\t/* Use the syscall data as a temporary stack area (bottom half for clone). */\n+\terr = stub_syscall2(__NR_clone, CLONE_PARENT | CLONE_FILES | SIGCHLD,\n+\t\t\t (unsigned long) data->syscall_data +\n+\t\t\t\t\t sizeof(data->syscall_data) / 2 -\n+\t\t\t\t\t sizeof(void *));\n+\tif (err) {\n+\t\tdata->err = err;\n+\t\tgoto done;\n+\t}\n+\n+\tremap_stack_and_trap();\n+\n+ done:\n+\ttrap_myself();\n+}\n+#endif\ndiff --git a/arch/um/kernel/skas/stub.c b/arch/um/kernel/skas/stub.c\nindex 0a13f5d21d08..4bb90395a12b 100644\n--- a/arch/um/kernel/skas/stub.c\n+++ b/arch/um/kernel/skas/stub.c\n@@ -5,6 +5,11 @@\n \n #include <sysdep/stub.h>\n \n+#ifdef CONFIG_UML_SECCOMP\n+#include <linux/futex.h>\n+#include <errno.h>\n+#endif\n+\n static __always_inline int syscall_handler(struct stub_data *d)\n {\n \tstruct stub_syscall *sc;\n@@ -45,3 +50,52 @@ stub_syscall_handler(void)\n \n \ttrap_myself();\n }\n+\n+#ifdef CONFIG_UML_SECCOMP\n+void __attribute__ ((__section__ (\".__syscall_stub\")))\n+stub_signal_interrupt(int sig, siginfo_t *info, void *p)\n+{\n+\tstruct stub_data *d = get_stub_page();\n+\tucontext_t *uc = p;\n+\tlong res;\n+\n+\td->signal = sig;\n+\td->si_offset = (unsigned long)info - (unsigned long)&d->sigstack[0];\n+\td->mctx_offset = (unsigned long)&uc->uc_mcontext - (unsigned long)&d->sigstack[0];\n+\n+restart_wait:\n+\td->futex = FUTEX_IN_KERN;\n+\tdo {\n+\t\tres = stub_syscall3(__NR_futex, (unsigned 
long)&d->futex,\n+\t\t\t\t FUTEX_WAKE, 1);\n+\t} while (res == -EINTR);\n+\tdo {\n+\t\tres = stub_syscall4(__NR_futex, (unsigned long)&d->futex,\n+\t\t\t\t FUTEX_WAIT, FUTEX_IN_KERN, 0);\n+\t} while (res == -EINTR || d->futex == FUTEX_IN_KERN);\n+\n+\tif (res < 0 && res != -EAGAIN)\n+\t\tstub_syscall2(__NR_kill, 0, SIGKILL);\n+\n+\t/* Try running queued syscalls. */\n+\tif (syscall_handler(d) < 0 || d->restart_wait) {\n+\t\t/* Report SIGTRAP if we restart. */\n+\t\td->signal = SIGTRAP;\n+\t\td->restart_wait = 0;\n+\t\tgoto restart_wait;\n+\t}\n+\n+\t/* Return so that the host modified mcontext is restored. */\n+}\n+\n+void __attribute__ ((__section__ (\".__syscall_stub\")))\n+stub_signal_restorer(void)\n+{\n+\tstruct stub_data *d = get_stub_page();\n+\n+\t/* Restore arch dependent state that is not part of the mcontext */\n+\tstub_seccomp_restore_state(&d->arch_data);\n+\n+\tstub_syscall0(__NR_rt_sigreturn);\n+}\n+#endif\ndiff --git a/arch/x86/um/shared/sysdep/stub-data.h b/arch/x86/um/shared/sysdep/stub-data.h\nnew file mode 100644\nindex 000000000000..b0b6f2a95f0e\n--- /dev/null\n+++ b/arch/x86/um/shared/sysdep/stub-data.h\n@@ -0,0 +1,12 @@\n+/* SPDX-License-Identifier: GPL-2.0 */\n+#ifdef __i386__\n+struct stub_data_arch { };\n+#else\n+#define STUB_SYNC_FS_BASE (1 << 0)\n+#define STUB_SYNC_GS_BASE (1 << 1)\n+struct stub_data_arch {\n+\tint sync;\n+\tunsigned long fs_base;\n+\tunsigned long gs_base;\n+};\n+#endif\ndiff --git a/arch/x86/um/shared/sysdep/stub.h b/arch/x86/um/shared/sysdep/stub.h\nindex 579681d12158..eb2e3a24d40b 100644\n--- a/arch/x86/um/shared/sysdep/stub.h\n+++ b/arch/x86/um/shared/sysdep/stub.h\n@@ -14,3 +14,6 @@\n extern void stub_segv_handler(int, siginfo_t *, void *);\n extern void stub_syscall_handler(void);\n extern void stub_clone_handler(void);\n+extern void stub_signal_interrupt(int, siginfo_t *, void *);\n+extern void stub_signal_restorer(void);\n+extern void stub_clone_handler_seccomp(void);\ndiff --git 
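Review bot: In stub_signal_interrupt (arch/um/kernel/skas/stub.c), the fatal path `stub_syscall2(__NR_kill, 0, SIGKILL);` passes pid 0, which kill(2) defines as every process in the caller's process group, so a futex failure in one stub can signal more than that stub if the group holds other processes (the group setup is not visible in this patch). Targeting only the caller, for example `stub_syscall2(__NR_kill, stub_syscall0(__NR_getpid), SIGKILL);`, keeps the failure contained. That check is also reached only after `d->futex` has left FUTEX_IN_KERN, because the second loop retries on any result while the value is unchanged, so a persistent futex error spins instead of failing. Separately, `si_offset` and `mctx_offset` are `unsigned short` and are assigned from an `unsigned long` difference with no range check. A comment such as `/* info and uc are expected to lie on d->sigstack, so both offsets fit */` would document the assumption, and whatever reads these offsets on the kernel side should bound them before use.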
a/arch/x86/um/shared/sysdep/stub_32.h b/arch/x86/um/shared/sysdep/stub_32.h\nindex 9531e52b0a3e..c8328a1949ee 100644\n--- a/arch/x86/um/shared/sysdep/stub_32.h\n+++ b/arch/x86/um/shared/sysdep/stub_32.h\n@@ -144,4 +144,11 @@ static __always_inline void *get_stub_page(void)\n \n \treturn (void *)ret;\n }\n+\n+static __always_inline void\n+stub_seccomp_restore_state(struct stub_data_arch *arch)\n+{\n+\t/* No extra arch specific restore */\n+}\n+\n #endif\ndiff --git a/arch/x86/um/shared/sysdep/stub_64.h b/arch/x86/um/shared/sysdep/stub_64.h\nindex bd2f62530bcc..99c5e54654a7 100644\n--- a/arch/x86/um/shared/sysdep/stub_64.h\n+++ b/arch/x86/um/shared/sysdep/stub_64.h\n@@ -10,6 +10,7 @@\n #include <sysdep/ptrace_user.h>\n #include <generated/asm-offsets.h>\n #include <linux/stddef.h>\n+#include <asm/prctl.h>\n \n #define STUB_MMAP_NR __NR_mmap\n #define MMAP_OFFSET(o) (o)\n@@ -140,4 +141,17 @@ static __always_inline void *get_stub_page(void)\n \n \treturn (void *)ret - UM_KERN_PAGE_SIZE;\n }\n+\n+static __always_inline void\n+stub_seccomp_restore_state(struct stub_data_arch *arch)\n+{\n+\t/* TODO: Use _writefsbase_u64/_writegsbase_u64 when possible */\n+\tif (arch->sync & STUB_SYNC_FS_BASE)\n+\t\tstub_syscall2(__NR_arch_prctl, ARCH_SET_FS, arch->fs_base);\n+\tif (arch->sync & STUB_SYNC_GS_BASE)\n+\t\tstub_syscall2(__NR_arch_prctl, ARCH_SET_GS, arch->gs_base);\n+\n+\tarch->sync = 0;\n+}\n+\n #endif\n", "prefixes": [ "v2", "23/28" ] }
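Review bot: In the 64-bit stub_seccomp_restore_state (arch/x86/um/shared/sysdep/stub_64.h), both `stub_syscall2(__NR_arch_prctl, ...)` results are discarded and `arch->sync = 0;` runs unconditionally. If the host rejects `arch->fs_base` or `arch->gs_base`, the thread resumes with the previous base, and the cleared flag leaves no sign that the restore failed. The values come from the shared stub data, so the failure path should be explicit: check each call, e.g. `if (stub_syscall2(__NR_arch_prctl, ARCH_SET_FS, arch->fs_base) < 0)`, and fail the same way stub_signal_interrupt does for a futex error instead of continuing to `rt_sigreturn`. A short comment on `arch->sync` saying who sets the STUB_SYNC_* bits and that the stub clears them would also help readers of this header.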