Thread (53 messages), 9 authors, 2012-02-29

Re: [PATCH v11 07/12] seccomp: add SECCOMP_RET_ERRNO

From: Kees Cook <hidden>
Date: 2012-02-25 20:20:22
Also in: lkml, netdev

On Fri, Feb 24, 2012 at 7:21 PM, Will Drewry [off-list ref] wrote:
This change adds the SECCOMP_RET_ERRNO as a valid return value from a
seccomp filter.  Additionally, it makes the first use of the lower
16-bits for storing a filter-supplied errno.  16-bits is more than
enough for the errno-base.h calls.

Returning errors instead of immediately terminating processes that
violate seccomp policy allows for broader use of this functionality
for kernel attack surface reduction.  For example, a Linux container
could maintain a whitelist of pre-existing system calls but drop
all new ones with errnos.  This would keep a logically static attack
surface while providing errnos that may allow for graceful failure
without the downside of do_exit() on a bad call.

v11: - check for NULL filter (keescook@chromium.org)
v10: - change loaders to fn
 v9: - n/a
 v8: - update Kconfig to note new need for syscall_set_return_value.
    - reordered such that TRAP behavior follows on later.
    - made the for loop a little less indent-y
 v7: - introduced

Signed-off-by: Will Drewry <wad@chromium.org>
Reviewed-by: Kees Cook <redacted>
+       /* Ensure unexpected behavior doesn't result in failing open. */
+       if (unlikely(current->seccomp.filter == NULL))
+               ret = SECCOMP_RET_KILL;
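
Review bot: in the NULL-filter check, assigning ret = SECCOMP_RET_KILL only fails closed if nothing after these lines can overwrite ret before it is acted on, and that code is not visible in this quote. Returning SECCOMP_RET_KILL directly from the branch would make the fail-closed path independent of whatever follows, and the comment could name the condition under which current->seccomp.filter can be NULL here.
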
Any reason to not just immediately return in this case?

-Kees

-- 
Kees Cook
ChromeOS Security
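
The behaviour the commit message describes, as an added example (not code from the patch or from this thread): a filter that returns SECCOMP_RET_ERRNO with EPERM in the low 16 bits for one syscall, installed in a forked child. It assumes the seccomp filter interface as exposed by the mainline `<linux/seccomp.h>` and `<linux/filter.h>` headers; the function names and the choice of getppid() are illustrative.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Child side: install a filter that fails getppid() with EPERM instead of
 * killing the task, then return the errno observed (255 = install failed).
 * A production filter must also check seccomp_data.arch before trusting nr. */
static int child_probe(void)
{
    struct sock_filter insns[] = {
        /* A = syscall number */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* getppid: fall through to the ERRNO return; anything else: skip it */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
        /* action in the high bits, filter-supplied errno in the low 16 bits */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(insns) / sizeof(insns[0]), .filter = insns };

    /* no_new_privs lets an unprivileged task install a filter */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
        return 255;
    errno = 0;
    return syscall(__NR_getppid) == -1 ? errno : 0;
}

/* Fork so the filter never applies to the caller; returns the child's errno. */
int errno_seen_under_filter(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0)
        _exit(child_probe());
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) { printf("child reported %d\n", errno_seen_under_filter()); return 0; }
```

The child exits normally with the errno it saw, which is the graceful-failure case the commit message contrasts with do_exit().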