From patchwork Wed Nov  9 19:09:02 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Tim Gardner <tim.gardner@canonical.com>
X-Patchwork-Id: 124660
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from chlorine.canonical.com (chlorine.canonical.com
	[91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id 91AE3B6F68
	for <incoming@patchwork.ozlabs.org>;
	Thu, 10 Nov 2011 06:09:26 +1100 (EST)
Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com)
	by chlorine.canonical.com with esmtp (Exim 4.71)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1RODWK-00053v-Rm; Wed, 09 Nov 2011 19:09:12 +0000
Received: from mail.tpi.com ([70.99.223.143])
	by chlorine.canonical.com with esmtp (Exim 4.71)
	(envelope-from <tim.gardner@canonical.com>) id 1RODWI-0004xb-2p
	for kernel-team@lists.ubuntu.com; Wed, 09 Nov 2011 19:09:10 +0000
Received: from [10.0.2.5] (host-174-44-187-184.hln-mt.client.bresnan.net
	[174.44.187.184])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by mail.tpi.com (Postfix) with ESMTP id 4A10A2FA934;
	Wed,  9 Nov 2011 11:08:28 -0800 (PST)
Message-ID: <4EBACFCE.90408@canonical.com>
Date: Wed, 09 Nov 2011 12:09:02 -0700
From: Tim Gardner <tim.gardner@canonical.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US;
	rv:1.9.2.23) Gecko/20110921 Thunderbird/3.1.15
MIME-Version: 1.0
To: Kees Cook <keescook@chromium.org>
Subject: Re: 3.2-rc1 rebase review
References: <4EB99A68.7020105@canonical.com>
	<CAGXu5jJcAXEQEFxa2Y=Ma6b2hq+x4wghBUfc-R4_0XyJ8eWMqA@mail.gmail.com>
In-Reply-To: 
 <CAGXu5jJcAXEQEFxa2Y=Ma6b2hq+x4wghBUfc-R4_0XyJ8eWMqA@mail.gmail.com>
Cc: Ubuntu Kernel Team <kernel-team@lists.ubuntu.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Sender: kernel-team-bounces@lists.ubuntu.com
Errors-To: kernel-team-bounces@lists.ubuntu.com

On 11/08/2011 02:35 PM, Kees Cook wrote:
> On Tue, Nov 8, 2011 at 1:08 PM, Tim Gardner<tim.gardner@canonical.com>  wrote:
>> Kees and Andy - Please check that I resolved these patch conflicts
>> correctly:
>>
>> UBUNTU: ubuntu: Yama - unconditionally chain to Yama LSM
>
> http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-precise.git;a=commitdiff;h=336823e68877aeaea2b3ec680671612e10770616
>
> Looks correct to me. And any runs of the qrt test-kernel-hardening.py
> regression test will catch it if it's not operating correctly.
>
>> I dropped this seccomp_filter patch set for now. Kees has promised a pull
>> request.
>>
>> http://bugs.launchpad.net/bugs/887780
>
> I've got this pending in rebased-to-upstream branch here:
> https://github.com/kees/linux/commits/seccomp_filter
>
> and I updated the bug to point to that too. I can get this rebased to
> precise in a few days if no one else beats me to it first.
>
> Thanks for the heads-up!
>
> -Kees
>

Kees - here are the minimum fixes that get your bits compiling against 
v3.2-rc1. I've not incorporated any of Tetsuo's suggestions. I'll leave 
that up to you and Will.

rtg

The following changes since commit 1ea6b8f48918282bdca0b32a34095504ee65bab5:
   Linus Torvalds (1):
         Linux 3.2-rc1

are available in the git repository at:

   git://kernel.ubuntu.com/rtg/ubuntu-precise.git seccomp_filter

Tim Gardner (2):
       CHROMIUM: Fix seccomp_t compile error
       CHROMIUM: Fix kref usage

Will Drewry (5):
       CHROMIUM: seccomp_filter: new mode with configurable syscall filters
       CHROMIUM: seccomp_filter: add process state reporting
       CHROMIUM: seccomp_filter: Document what seccomp_filter is and how 
it works.
       CHROMIUM: x86: add HAVE_SECCOMP_FILTER and seccomp_execve
       CHROMIUM: arm: select HAVE_SECCOMP_FILTER

  Documentation/prctl/seccomp_filter.txt |  189 ++++++
  arch/arm/Kconfig                       |    1 +
  arch/x86/Kconfig                       |    1 +
  arch/x86/include/asm/ia32_unistd.h     |    1 +
  arch/x86/include/asm/seccomp_64.h      |    2 +
  fs/proc/base.c                         |   31 +
  include/linux/init_task.h              |   12 +
  include/linux/prctl.h                  |    7 +
  include/linux/sched.h                  |    2 +-
  include/linux/seccomp.h                |  123 ++++-
  kernel/Makefile                        |    1 +
  kernel/fork.c                          |    4 +
  kernel/seccomp.c                       |   38 +-
  kernel/seccomp_filter.c                | 1058 
++++++++++++++++++++++++++++++++
  kernel/sys.c                           |   12 +
  security/Kconfig                       |   17 +
  16 files changed, 1484 insertions(+), 15 deletions(-)
  create mode 100644 Documentation/prctl/seccomp_filter.txt
  create mode 100644 kernel/seccomp_filter.c