Re: [PATCH 3/4] sh: Add SECCOMP_FILTER

Fri, 28 Aug 2020 08:51:31 -0700 

On Thu, Jul 23, 2020 at 01:13:21AM +0200, Michael Karcher wrote:
> Port sh to use the new SECCOMP_FILTER code.
> 
> Signed-off-by: Michael Karcher <ker...@mkarcher.dialup.fu-berlin.de>
> ---
>  arch/sh/Kconfig                               | 1 +
>  arch/sh/kernel/entry-common.S                 | 2 ++
>  arch/sh/kernel/ptrace_32.c                    | 5 +++--
>  tools/testing/selftests/seccomp/seccomp_bpf.c | 8 +++++++-
>  4 files changed, 13 insertions(+), 3 deletions(-)
> 
> diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig
> index 32d959849df9..10b510c16841 100644
> --- a/arch/sh/Kconfig
> +++ b/arch/sh/Kconfig
> @@ -27,6 +27,7 @@ config SUPERH
>       select GENERIC_SMP_IDLE_THREAD
>       select GUP_GET_PTE_LOW_HIGH if X2TLB
>       select HAVE_ARCH_AUDITSYSCALL
> +     select HAVE_ARCH_SECCOMP_FILTER
>       select HAVE_ARCH_KGDB
>       select HAVE_ARCH_TRACEHOOK
>       select HAVE_DEBUG_BUGVERBOSE
> diff --git a/arch/sh/kernel/entry-common.S b/arch/sh/kernel/entry-common.S
> index c4d88d61890d..ad963104d22d 100644
> --- a/arch/sh/kernel/entry-common.S
> +++ b/arch/sh/kernel/entry-common.S
> @@ -368,6 +368,8 @@ syscall_trace_entry:
>       mov.l   7f, r11         ! Call do_syscall_trace_enter which notifies
>       jsr     @r11            ! superior (will chomp R[0-7])
>        nop
> +     cmp/eq  #-1, r0
> +     bt      syscall_exit
>       mov.l   r0, @(OFF_R0,r15)       ! Save return value
>       !                       Reload R0-R4 from kernel stack, where the
>       !                       parent may have modified them using
> diff --git a/arch/sh/kernel/ptrace_32.c b/arch/sh/kernel/ptrace_32.c
> index 64bfb714943e..25ccfbd02bfa 100644
> --- a/arch/sh/kernel/ptrace_32.c
> +++ b/arch/sh/kernel/ptrace_32.c
> @@ -485,8 +485,6 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs 
> *regs)
>  {
>       long ret = 0;
>  
> -     secure_computing_strict(regs->regs[0]);
> -
>       if (test_thread_flag(TIF_SYSCALL_TRACE) &&
>           tracehook_report_syscall_entry(regs))
>               /*
> @@ -496,6 +494,9 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs 
> *regs)
>                */
>               ret = -1L;
>  
> +     if (secure_computing() == -1)
> +             return -1;
> +
>       if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
>               trace_sys_enter(regs, regs->regs[0]);
>  

This patch broke strace - it spews out bogus syscalls and gets the
tracee hung. I suspect the last hunk is wrong and breaks all
non-seccomp tracing. I'll follow up with further analysis and possibly
a fix if you don't find one sooner.

Rich

Reply via email to