Re: [PATCH v17 13/15] ptrace,seccomp: Add PTRACE_SECCOMP support

[PATCH v17 00/15] seccomp_filter: BPF-based syscall filtering · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andy Lutomirski <luto@amacapital.net> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Markus Gutschke <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Lutomirski <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Markus Gutschke <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Lutomirski <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Markus Gutschke <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Will Drewry <wad@chromium.org> · 2012-04-10
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Lutomirski <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Jonathan Corbet <corbet@lwn.net> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Lutomirski <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Michael Kerrisk (man-pages) <hidden> · 2012-04-11
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Michael Kerrisk (man-pages) <hidden> · 2012-04-12
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Lutomirski <hidden> · 2012-04-12
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Rob Landley <hidden> · 2012-04-16
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Rob Landley <hidden> · 2012-04-10
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Will Drewry <wad@chromium.org> · 2012-04-10
[PATCH v17 05/15] seccomp: kill the seccomp_t typedef · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 06/15] arch/x86: add syscall_get_arch to syscall.h · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 11/15] signal, x86: add SIGSYS info and make it synchronous. · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 10/15] seccomp: add SECCOMP_RET_ERRNO · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 10/15] seccomp: add SECCOMP_RET_ERRNO · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 10/15] seccomp: add SECCOMP_RET_ERRNO · Will Drewry <wad@chromium.org> · 2012-04-09
[PATCH v17 09/15] seccomp: remove duplicated failure logging · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 09/15] seccomp: remove duplicated failure logging · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 09/15] seccomp: remove duplicated failure logging · Will Drewry <wad@chromium.org> · 2012-04-09
Re: [PATCH v17 09/15] seccomp: remove duplicated failure logging · Kees Cook <hidden> · 2012-04-09
Re: [kernel-hardening] Re: [PATCH v17 09/15] seccomp: remove duplicated failure logging · Eric Paris <eparis@redhat.com> · 2012-04-09
Re: [kernel-hardening] Re: [PATCH v17 09/15] seccomp: remove duplicated failure logging · Kees Cook <hidden> · 2012-04-09
[PATCH v17 08/15] seccomp: add system call filtering using BPF · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Vladimir Murzin <hidden> · 2012-03-31
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Will Drewry <wad@chromium.org> · 2012-03-31
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Kees Cook <hidden> · 2012-04-06
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · "H. Peter Anvin" <hpa@zytor.com> · 2012-04-06
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Indan Zupancic <hidden> · 2012-04-08
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Will Drewry <wad@chromium.org> · 2012-04-09
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · James Morris <jmorris@namei.org> · 2012-04-10
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Andrew Morton <akpm@linux-foundation.org> · 2012-04-10
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Will Drewry <wad@chromium.org> · 2012-04-10
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Eric Dumazet <hidden> · 2012-04-10
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Andrew Morton <akpm@linux-foundation.org> · 2012-04-10
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Will Drewry <wad@chromium.org> · 2012-04-10
[PATCH v17 15/15] Documentation: prctl/seccomp_filter · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 15/15] Documentation: prctl/seccomp_filter · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 15/15] Documentation: prctl/seccomp_filter · Will Drewry <wad@chromium.org> · 2012-04-09
Re: [PATCH v17 15/15] Documentation: prctl/seccomp_filter · Markus Gutschke <hidden> · 2012-04-09
Re: [PATCH v17 15/15] Documentation: prctl/seccomp_filter · Ryan Ware <hidden> · 2012-04-09
Re: [PATCH v17 15/15] Documentation: prctl/seccomp_filter · Will Drewry <wad@chromium.org> · 2012-04-09
Re: [PATCH v17 15/15] Documentation: prctl/seccomp_filter · Ryan Ware <hidden> · 2012-04-10
[PATCH v17 14/15] x86: Enable HAVE_ARCH_SECCOMP_FILTER · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 13/15] ptrace,seccomp: Add PTRACE_SECCOMP support · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 13/15] ptrace,seccomp: Add PTRACE_SECCOMP support · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 13/15] ptrace,seccomp: Add PTRACE_SECCOMP support · Will Drewry <wad@chromium.org> · 2012-04-09
[PATCH v17 12/15] seccomp: Add SECCOMP_RET_TRAP · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 07/15] asm/syscall.h: add syscall_get_arch · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 07/15] asm/syscall.h: add syscall_get_arch · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 07/15] asm/syscall.h: add syscall_get_arch · Will Drewry <wad@chromium.org> · 2012-04-09
[PATCH v17 04/15] net/compat.c,linux/filter.h: share compat_sock_fprog · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 03/15] sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 02/15] Fix apparmor for PR_{GET,SET}_NO_NEW_PRIVS · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 00/15] seccomp_filter: BPF-based syscall filtering · James Morris <jmorris@namei.org> · 2012-03-29
Re: [PATCH v17 00/15] seccomp_filter: BPF-based syscall filtering · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 00/15] seccomp_filter: BPF-based syscall filtering · James Morris <jmorris@namei.org> · 2012-04-09

From: Will Drewry <wad@chromium.org>
Date: 2012-04-09 19:39:00
Also in: linux-arch, lkml

On Fri, Apr 6, 2012 at 4:24 PM, Andrew Morton [off-list ref] wrote:

On Thu, 29 Mar 2012 15:01:58 -0500
Will Drewry [off-list ref] wrote:

quoted

This change adds support for a new ptrace option, PTRACE_O_TRACESECCOMP,
and a new return value for seccomp BPF programs, SECCOMP_RET_TRACE.

When a tracer specifies the PTRACE_O_TRACESECCOMP ptrace option, the
tracer will be notified, via PTRACE_EVENT_SECCOMP, for any syscall that
results in a BPF program returning SECCOMP_RET_TRACE.  The 16-bit
SECCOMP_RET_DATA mask of the BPF program return value will be passed as
the ptrace_message and may be retrieved using PTRACE_GETEVENTMSG.

If the subordinate process is not using seccomp filter, then no
system call notifications will occur even if the option is specified.

If there is no tracer with PTRACE_O_TRACESECCOMP when SECCOMP_RET_TRACE
is returned, the system call will not be executed and an -ENOSYS errno
will be returned to userspace.

This change adds a dependency on the system call slow path.  Any future
efforts to use the system call fast path for seccomp filter will need to
address this restriction.


...

@@ -410,6 +411,15 @@ int __secure_computing_int(int this_syscall)

                      /* Let the filter pass back 16 bits of data. */
                      seccomp_send_sigsys(this_syscall, data);
                      goto skip;
+             case SECCOMP_RET_TRACE:
+                     /* Skip these calls if there is no tracer. */
+                     if (!ptrace_event_enabled(current, PTRACE_EVENT_SECCOMP))
+                             goto skip;
+                     /* Allow the BPF to provide the event message */
+                     ptrace_event(PTRACE_EVENT_SECCOMP, data);
+                     if (fatal_signal_pending(current))
+                             break;

I don't have all the patches applied here so the context is missing.
Perhaps tht would help me understand what this fatal_signal_pending()
test is doing here.  But an explanatory comment wouldn't hurt.

I'll add a comment along the lines of my answer below!

What *is* it here for, anyway?

The timely delivery of a fatal signal will silently block tracer event
notification.  By immediately terminating if a fatal signal is
pending, we avoid accidentally executing a system call that the tracer
did not approve of.

http://lxr.linux.no/linux+v3.3.1/kernel/signal.c#L1839

I can be more verbose, but hopefully that covers it well enough - thanks!

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help