Date: Wed, 3 Aug 2011 23:53:27 -0700
From: Kees Cook
To: kernel-team@lists.ubuntu.com
Cc: Will Drewry
Subject: [Oneiric][pull request] SECCOMP syscall filtering
Message-ID: <20110804065327.GW5255@outflux.net>
X-Patchwork-Id: 108350

The following changes since commit 12bf0a5416335a051be56978f8f87a2eaec143b2:

  UBUNTU: Ubuntu-3.0.0-7.9 (2011-07-29 08:51:10 -0700)

are available in the git repository at:

  git://kernel.ubuntu.com/kees/ubuntu-oneiric.git master

Kees Cook (1):
      UBUNTU: [Config] enable SECCOMP_FILTER for x86 and arm

Will Drewry (5):
      UBUNTU: SAUCE: CHROMIUM: seccomp_filter: new mode with configurable syscall filters
      UBUNTU: SAUCE: CHROMIUM: seccomp_filter: add process state reporting
      UBUNTU: SAUCE: CHROMIUM: seccomp_filter: Document what seccomp_filter is and how it works.
      UBUNTU: SAUCE: CHROMIUM: x86: add HAVE_SECCOMP_FILTER and seccomp_execve
      UBUNTU: SAUCE: CHROMIUM: arm: select HAVE_SECCOMP_FILTER

 Documentation/prctl/seccomp_filter.txt    |  189 +++++
 arch/arm/Kconfig                          |    1 +
 arch/x86/Kconfig                          |    1 +
 arch/x86/include/asm/ia32_unistd.h        |    1 +
 arch/x86/include/asm/seccomp_64.h         |    2 +
 debian.master/config/config.common.ubuntu |    2 +
 fs/proc/base.c                            |   31 +
 include/linux/init_task.h                 |   12 +
 include/linux/prctl.h                     |    7 +
 include/linux/sched.h                     |    2 +-
 include/linux/seccomp.h                   |  119 ++++-
 kernel/Makefile                           |    1 +
 kernel/fork.c                             |    4 +
 kernel/seccomp.c                          |   38 +-
 kernel/seccomp_filter.c                   | 1058 +++++++++++++++++++++++++++++
 kernel/sys.c                              |   12 +
 security/Kconfig                          |   17 +
 17 files changed, 1484 insertions(+), 13 deletions(-)
 create mode 100644 Documentation/prctl/seccomp_filter.txt
 create mode 100644 kernel/seccomp_filter.c

This is the "seccomp syscall filtering" subsystem that is expected to be
used by Chromium, vsftpd, openssh, qemu, lxc, and others[1]. It has been
stalled getting into mainline, but is a welcome new programmatic opt-in
security hardening feature.

Note, I have not build tested this myself yet, as tangerine's host key has
changed and I'm travelling for a conference. I wanted to get eyes on it
ASAP since feature freeze is next week.

Thanks!

-Kees

[1] http://lwn.net/Articles/450291/