, but that
doesn't need to be part of this series. :)
Acked-by: Kees Cook keesc...@chromium.org
Thanks,
-Kees
--
Kees Cook
Chrome OS Security
___
Linuxppc-dev mailing list
Linuxppc-dev@lists.ozlabs.org
https://lists.ozlabs.org/listinfo/linuxppc-dev
-off-by: Aruna Balakrishnaiah ar...@linux.vnet.ibm.com
Nice work!
Acked-by: Kees Cook keesc...@chromium.org
--
Kees Cook
Chrome OS Security
issues from v1
Yeah, this is great. While I haven't tested it myself yet, the code
seems to be in good shape. I acked the ram piece separately, but
consider the entire series:
Reviewed-by: Kees Cook keesc...@chromium.org
Thanks!
-Kees
--
Kees Cook
Chrome OS Security
default y
--
1.7.10.4
--
Kees Cook
Chrome OS Security
On Tue, Nov 4, 2014 at 11:59 AM, Leif Lindholm leif.lindh...@linaro.org wrote:
On Tue, Nov 04, 2014 at 10:43:00AM -0800, Kees Cook wrote:
diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
index efefd12..39f7817 100644
--- a/drivers/char/Kconfig
+++ b/drivers/char/Kconfig
@@ -6,6
@@ enum pstore_type_id {
PSTORE_TYPE_FTRACE = 3,
/* PPC64 partition types */
PSTORE_TYPE_PPC_RTAS= 4,
+ PSTORE_TYPE_PPC_OF = 5,
PSTORE_TYPE_UNKNOWN = 255
};
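Review bot: the new enumerator PSTORE_TYPE_PPC_OF = 5 is documented only by the existing "PPC64 partition types" comment above PSTORE_TYPE_PPC_RTAS, which does not say what the OF partition holds. A short comment on the new entry would make the type's purpose clear to readers of the enum.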
Should this be named just PSTORE_TYPE_OF instead of ...PPC_OF?
-Kees
--
Kees
3 files changed, 313 insertions(+), 53 deletions(-)
This series looks good! Other than the naming conventions (are these
new pstore types really PPC-only?) I think it's a fine addition.
Thanks!
-Kees
--
Kees Cook
Chrome OS Security
);
if (rc != 0) {
pr_err(nvram: kmsg_dump_register() failed; returned %d\n,
rc);
--
Kees Cook
Chrome OS Security
On Tue, Jun 25, 2013 at 12:04 AM, Aruna Balakrishnaiah
ar...@linux.vnet.ibm.com wrote:
Hi Kees,
On Monday 24 June 2013 11:27 PM, Kees Cook wrote:
On Sun, Jun 23, 2013 at 11:23 PM, Aruna Balakrishnaiah
ar...@linux.vnet.ibm.com wrote:
The patch set supports compression of oops messages
has a lot more
to do with trace event filters than the minimal old seccomp code ...
Would this require privileges to get the event fd to start with? If so,
I would prefer to avoid that, since using prctl() as shown in the patch
set won't require any privs.
-Kees
--
Kees Cook
Ubuntu Security
This makes sure format strings cannot leak into printk (the string has
already been correctly processed for format arguments).
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/powerpc/xmon/nonstdio.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/powerpc/xmon
skimmed this, and it looks good to me.
Reviewed-by: Kees Cook keesc...@chromium.org
-Kees
arch/powerpc/include/asm/nvram.h| 50 ++
arch/powerpc/include/asm/rtas.h |5
arch/powerpc/kernel/nvram_64.c | 677
+++
arch/powerpc
On Tue, Mar 17, 2015 at 7:47 AM, Will Deacon will.dea...@arm.com wrote:
On Wed, Mar 04, 2015 at 09:10:47PM +, Kees Cook wrote:
In preparation for splitting out ET_DYN ASLR, this refactors the use of
mmap_rnd() to be used similarly to arm and x86. This additionally enables
mmap ASLR
On Mon, Mar 9, 2015 at 9:19 AM, Russell King - ARM Linux
li...@arm.linux.org.uk wrote:
On Tue, Mar 03, 2015 at 06:10:15PM -0800, Kees Cook wrote:
To address the offset2lib ASLR weakness[1], this separates ET_DYN
ASLR from mmap ASLR, as already done on s390. The architectures
that are already
On Wed, Mar 4, 2015 at 5:27 PM, Kees Cook keesc...@chromium.org wrote:
Most architectures don't need to do much special for the strict-mode
seccomp syscall entries. Remove the redundant headers and reduce the
others.
Signed-off-by: Kees Cook keesc...@chromium.org
Hi Andrew,
Just a quick
On Fri, Feb 27, 2015 at 5:36 PM, Stephen Rothwell s...@canb.auug.org.au wrote:
Hi Kees,
On Fri, 27 Feb 2015 16:52:29 -0800 Kees Cook keesc...@chromium.org wrote:
diff --git a/arch/arm/include/asm/seccomp.h b/arch/arm/include/asm/seccomp.h
index 52b156b341f5..66ca6a30bf5c 100644
--- a/arch
Most architectures don't need to do anything special for the strict
seccomp syscall entries. Remove the redundant headers and reduce the
others.
Signed-off-by: Kees Cook keesc...@chromium.org
---
v2:
- use Kbuild generic-y instead of explicit #include lines (sfr)
---
arch/arm/include/asm/Kbuild
On Mon, Mar 2, 2015 at 1:26 PM, Andrew Morton a...@linux-foundation.org wrote:
On Thu, 26 Feb 2015 19:07:09 -0800 Kees Cook keesc...@chromium.org wrote:
This separates ET_DYN ASLR from mmap ASLR, as already done on s390. The
various architectures that are already randomizing mmap (arm, arm64
for handling ET_DYN ASLR in a separate region from mmap ASLR,
as already done on s390. Removes CONFIG_BINFMT_ELF_RANDOMIZE_PIE, which
is no longer needed.
Reported-by: Hector Marco-Gisbert hecma...@upv.es
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/arm/Kconfig| 1 -
arch/arm64
in the same ET_DYN randomization on s390. Additionally removes
a copy/pasted unused arm64 extern.
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/arm64/include/asm/elf.h | 1 -
arch/s390/include/asm/elf.h | 9 +
arch/s390/mm/mmap.c | 11 ---
3 files changed, 5
In preparation for exporting per-arch mmap randomization functions,
this moves the ASLR calculations for mmap on ARM into a separate routine.
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/arm/mm/mmap.c | 13 ++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git
To address the offset2lib ASLR weakness[1], this separates ET_DYN
ASLR from mmap ASLR, as already done on s390. The architectures
that are already randomizing mmap (arm, arm64, mips, powerpc, s390,
and x86), have their various forms of arch_mmap_rnd() made available
via the new
(). Additionally introduces CONFIG_ARCH_HAS_ELF_RANDOMIZE
for describing this feature on architectures that support it (which is a
superset of ARCH_BINFMT_ELF_RANDOMIZE_PIE, since s390 already does this
without the ARCH_BINFMT_ELF_RANDOMIZE_PIE logic).
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch
-off-by: Kees Cook keesc...@chromium.org
---
arch/Kconfig | 1 +
arch/arm/include/asm/elf.h | 4
arch/arm64/include/asm/elf.h | 4
arch/mips/include/asm/elf.h| 4
arch/powerpc/include/asm/elf.h | 4
arch/s390/include/asm/elf.h| 3 ---
arch/x86
On Thu, Feb 26, 2015 at 4:11 PM, Kees Cook keesc...@chromium.org wrote:
On Thu, Feb 26, 2015 at 4:06 PM, Andrew Morton
a...@linux-foundation.org wrote:
On Thu, 26 Feb 2015 15:37:37 -0800 Kees Cook keesc...@chromium.org wrote:
Agh, no, please let's avoid the CONFIG addition
On Mon, Mar 2, 2015 at 11:31 PM, Ingo Molnar mi...@kernel.org wrote:
* Kees Cook keesc...@chromium.org wrote:
To address the offset2lib ASLR weakness[1], this separates ET_DYN
ASLR from mmap ASLR, as already done on s390. The architectures
that are already randomizing mmap (arm, arm64, mips
On Tue, Mar 3, 2015 at 12:30 AM, Ingo Molnar mi...@kernel.org wrote:
* Kees Cook keesc...@chromium.org wrote:
Most architectures don't need to do anything special for the strict
seccomp syscall entries. Remove the redundant headers and reduce the
others.
19 files changed, 27 insertions
In preparation for splitting out ET_DYN ASLR, this refactors the use of
mmap_rnd() to be used similarly to arm and x86, and extracts the checking
of PF_RANDOMIZE.
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/s390/mm/mmap.c | 34 +++---
1 file changed, 23
In preparation for splitting out ET_DYN ASLR, this refactors the use of
mmap_rnd() to be used similarly to arm, and extracts the checking of
PF_RANDOMIZE.
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/x86/mm/mmap.c | 36
1 file changed, 20
-off-by: Kees Cook keesc...@chromium.org
---
arch/Kconfig | 1 +
arch/arm/include/asm/elf.h | 4
arch/arm64/include/asm/elf.h | 4
arch/mips/include/asm/elf.h| 4
arch/powerpc/include/asm/elf.h | 4
arch/s390/include/asm/elf.h| 3 ---
arch/x86
(). Additionally introduces CONFIG_ARCH_HAS_ELF_RANDOMIZE
for describing this feature on architectures that support it
(which is a superset of ARCH_BINFMT_ELF_RANDOMIZE_PIE, since s390
already supports a separated ET_DYN ASLR from mmap ASLR without the
ARCH_BINFMT_ELF_RANDOMIZE_PIE logic).
Signed-off-by: Kees
declaration of an unused function.
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/arm64/include/asm/elf.h | 1 -
arch/arm64/mm/mmap.c | 18 +++---
2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
index
In preparation for splitting out ET_DYN ASLR, extract the mmap ASLR
selection into a separate function.
Signed-off-by: Kees Cook keesc...@chromium.org
---
It seems the entropy gets smaller as the PAGE_SIZE increases. Is this
intentional?
---
arch/mips/mm/mmap.c | 24
1
On Tue, Mar 3, 2015 at 8:16 PM, Michael Ellerman m...@ellerman.id.au wrote:
On Mon, 2015-03-02 at 16:19 -0800, Kees Cook wrote:
This fixes the offset2lib weakness in ASLR for arm, arm64, mips,
powerpc, and x86. The problem is that if there is a leak of ASLR from
the executable (ET_DYN
In preparation for splitting out ET_DYN ASLR, this refactors the use of
mmap_rnd() to be used similarly to arm and x86.
Signed-off-by: Kees Cook keesc...@chromium.org
Acked-by: Michael Ellerman m...@ellerman.id.au
---
Can mmap ASLR be safely enabled in the legacy mmap case here? Other archs
use
In preparation for splitting out ET_DYN ASLR, this moves the ASLR calculations
for mmap on ARM into a separate routine, similar to x86. This also removes
the redundant check of personality (PF_RANDOMIZE is already set before calling
arch_pick_mmap_layout).
Signed-off-by: Kees Cook keesc
To address the offset2lib ASLR weakness[1], this separates ET_DYN
ASLR from mmap ASLR, as already done on s390. The architectures
that are already randomizing mmap (arm, arm64, mips, powerpc, s390,
and x86), have their various forms of arch_mmap_rnd() made available
via the new
On Wed, Mar 4, 2015 at 1:54 PM, Ingo Molnar mi...@kernel.org wrote:
* Kees Cook keesc...@chromium.org wrote:
To address the offset2lib ASLR weakness[1], this separates ET_DYN
ASLR from mmap ASLR, as already done on s390. The architectures
that are already randomizing mmap (arm, arm64, mips
arch_mmap_rnd() into the
ELF loader for handling ET_DYN ASLR in a separate region from mmap ASLR,
as was already done on s390. Removes CONFIG_BINFMT_ELF_RANDOMIZE_PIE,
which is no longer needed.
Reported-by: Hector Marco-Gisbert hecma...@upv.es
Signed-off-by: Kees Cook keesc...@chromium.org
In preparation for moving ET_DYN randomization into the ELF loader (which
requires a static ELF_ET_DYN_BASE), this redefines s390's existing ET_DYN
randomization in a call to arch_mmap_rnd(). This refactoring results in
the same ET_DYN randomization on s390.
Signed-off-by: Kees Cook keesc
Switch to using the newly created asm-generic/seccomp.h for the seccomp
strict mode syscall definitions. The obsolete sigreturn syscall override
is retained in 32-bit mode, and the ia32 syscall overrides are used in
the compat case. Remaining definitions were identical.
Signed-off-by: Kees Cook
Most architectures don't need to do much special for the strict-mode
seccomp syscall entries. Remove the redundant headers and reduce the
others.
Signed-off-by: Kees Cook keesc...@chromium.org
---
v3:
- split patch series by architecture
- fix up architectures that need sigreturn overrides (ingo
Switch to using the newly created asm-generic/seccomp.h for the seccomp
strict mode syscall definitions. The obsolete sigreturn in COMPAT mode
is retained as an override. Remaining definitions are identical, though
they incorrectly appeared in uapi, which has been corrected.
Signed-off-by: Kees
Some architectures may need to override the compat sigreturn definition,
as is already possible in the non-compat case.
Signed-off-by: Kees Cook keesc...@chromium.org
---
include/asm-generic/seccomp.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/asm-generic/seccomp.h b/include
are identical.
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/microblaze/include/asm/seccomp.h | 8 +---
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/arch/microblaze/include/asm/seccomp.h
b/arch/microblaze/include/asm/seccomp.h
index 0d912758a0d7..204618a2ce84 100644
--- a/arch
Switch to using the newly created asm-generic/seccomp.h for the seccomp
strict mode syscall definitions. Definitions were identical.
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/parisc/include/asm/Kbuild| 1 +
arch/parisc/include/asm/seccomp.h | 16
2 files
Switch to using the newly created asm-generic/seccomp.h for the seccomp
strict mode syscall definitions. Definitions were identical.
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/arm/include/asm/Kbuild| 1 +
arch/arm/include/asm/seccomp.h | 11 ---
2 files changed, 1
Switch to using the newly created asm-generic/seccomp.h for the seccomp
strict mode syscall definitions. The obsolete sigreturn in COMPAT mode
is retained as an override. Remaining definitions are identical. Also
corrected missing #define for header reinclusion protection.
Signed-off-by: Kees
Switch to using the newly created asm-generic/seccomp.h for the seccomp
strict mode syscall definitions. COMPAT definitions retain their overrides
and the remaining definitions were identical.
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/mips/include/asm/seccomp.h | 7 ++-
1 file
In preparation for splitting out ET_DYN ASLR, this refactors the use of
mmap_rnd() to be used similarly to arm and x86.
Signed-off-by: Kees Cook keesc...@chromium.org
---
Can mmap ASLR be safely enabled in the legacy mmap case here? Other archs
use mm->mmap_base = TASK_UNMAPPED_BASE
In preparation for splitting out ET_DYN ASLR, extract the mmap ASLR
selection into a separate function.
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/mips/mm/mmap.c | 24
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/arch/mips/mm/mmap.c b/arch
In preparation for splitting out ET_DYN ASLR, this refactors the use of
mmap_rnd() to be used similarly to arm and x86, and extracts the checking
of PF_RANDOMIZE.
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/s390/mm/mmap.c | 34 +++---
1 file changed, 23
for handling ET_DYN ASLR in a separate region from mmap ASLR,
as was already done on s390. Removes CONFIG_BINFMT_ELF_RANDOMIZE_PIE,
which is no longer needed.
Reported-by: Hector Marco-Gisbert hecma...@upv.es
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/arm/Kconfig| 1 -
arch/arm64
In preparation for splitting out ET_DYN ASLR, this moves the ASLR calculations
for mmap on ARM into a separate routine, similar to x86. This also removes
the redundant check of personality (PF_RANDOMIZE is already set before calling
arch_pick_mmap_layout).
Signed-off-by: Kees Cook keesc
In preparation for splitting out ET_DYN ASLR, this refactors the use of
mmap_rnd() to be used similarly to arm, and extracts the checking of
PF_RANDOMIZE.
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/x86/mm/mmap.c | 36
1 file changed, 20
(). Additionally introduces CONFIG_ARCH_HAS_ELF_RANDOMIZE
for describing this feature on architectures that support it
(which is a superset of ARCH_BINFMT_ELF_RANDOMIZE_PIE, since s390
already supports a separated ET_DYN ASLR from mmap ASLR without the
ARCH_BINFMT_ELF_RANDOMIZE_PIE logic).
Signed-off-by: Kees
In preparation for moving ET_DYN randomization into the ELF loader (which
requires a static ELF_ET_DYN_BASE), this redefines s390's existing ET_DYN
randomization in a call to arch_mmap_rnd(). This refactoring results in
the same ET_DYN randomization on s390.
Signed-off-by: Kees Cook keesc
To address the offset2lib ASLR weakness[1], this separates ET_DYN
ASLR from mmap ASLR, as already done on s390. The architectures
that are already randomizing mmap (arm, arm64, mips, powerpc, s390,
and x86), have their various forms of arch_mmap_rnd() made available
via the new
declaration of an unused function.
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/arm64/include/asm/elf.h | 1 -
arch/arm64/mm/mmap.c | 18 +++---
2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
index
-off-by: Kees Cook keesc...@chromium.org
---
arch/Kconfig | 1 +
arch/arm/include/asm/elf.h | 4
arch/arm64/include/asm/elf.h | 4
arch/mips/include/asm/elf.h| 4
arch/powerpc/include/asm/elf.h | 4
arch/s390/include/asm/elf.h| 3 ---
arch/x86
Most architectures don't need to do anything special for the strict
seccomp syscall entries. Remove the redundant headers and reduce the
others.
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/arm/include/asm/seccomp.h | 12 +---
arch/microblaze/include/asm/seccomp.h
/aslrv2.html
Signed-off-by: Hector Marco-Gisbert hecma...@upv.es
Signed-off-by: Ismael Ripoll irip...@upv.es
Acked-by: Kees Cook keesc...@chromium.org
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 97d07ed..ee7ea7e 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -1,7
Marinas catalin.mari...@arm.com
Cc: Hector Marco Gisbert hecma...@upv.es
Cc: Hector Marco-Gisbert hecma...@upv.es
Cc: Ingo Molnar mi...@kernel.org
Cc: Ismael Ripoll irip...@upv.es
Cc: Kees Cook keesc...@chromium.org
Cc: Ralf Baechle r...@linux-mips.org
Cc: Russell King r...@arm.linux.org.uk
Cc
This moves s390's randomize_et_dyn base into ELF_ET_DYN_BASE, and removes
an unused arm64 extern.
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/arm64/include/asm/elf.h | 1 -
arch/s390/include/asm/elf.h | 9 +
arch/s390/mm/mmap.c | 11 ---
3 files changed, 5
This separates ET_DYN ASLR from mmap ASLR, as already done on s390. The
various architectures that are already randomizing mmap (arm, arm64, mips,
powerpc, s390, and x86), have their various forms of arch_mmap_rnd()
made available via the new CONFIG_ARCH_HAS_ELF_RANDOMIZE. For these
architectures,
When an architecture fully supports randomizing the ELF load location, the
arch_mmap_rnd() function becomes available. Rename and expose these functions
where they exist. Introduces CONFIG_ARCH_HAS_ELF_RANDOMIZE.
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/Kconfig
Move logic for mmap ASLR into separate function.
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/arm/mm/mmap.c | 13 ++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c
index 5e85ed371364..0f8bc158f2c6 100644
--- a/arch/arm
On architectures that define CONFIG_ARCH_HAS_ELF_RANDOMIZE, collapse the
function declarations while continuing to handle CONFIG_COMPAT_BRK.
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/Kconfig | 1 +
arch/arm/include/asm/elf.h | 4
arch/arm64/include/asm
This moves arch_mmap_rnd() into the ELF loader for handling ET_DYN ASLR
in a separate region from mmap ASLR, as already done on s390. Removes
CONFIG_BINFMT_ELF_RANDOMIZE_PIE.
Reported-by: Hector Marco-Gisbert hecma...@upv.es
Signed-off-by: Kees Cook keesc...@chromium.org
---
arch/arm/Kconfig
codify into the selftests directory? It
seems like a great thing to capture in a single place somewhere (the
register lists, that is).
-Kees
Acked-by: Michael Ellerman m...@ellerman.id.au
cheers
Thanks,
-dl
--
Kees Cook
Chrome OS Security
kernel/ptrace.c| 38 ++
16 files changed, 116 insertions(+), 363 deletions(-)
delete mode 100644 arch/sh/kernel/ptrace.c
I love the deletions:insertions ratio! :)
Reviewed-by: Kees Cook keesc...@chromium.org
I wonder why arm64 doesn't define
-by: Kees Cook keesc...@chromium.org
---
arch/powerpc/Kconfig | 1 +
arch/powerpc/kernel/ptrace.c | 41 -
2 files changed, 41 insertions(+), 1 deletion(-)
v2: The previous version didn't compile for CONFIG_SECCOMP=n. To fix it up I
moved
...@ellerman.id.au
Reviewed-by: Kees Cook keesc...@chromium.org
-Kees
---
arch/powerpc/include/uapi/asm/errno.h | 2 --
arch/powerpc/kernel/entry_32.S| 3 ++-
arch/powerpc/kernel/entry_64.S| 5 +++--
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/powerpc/include/uapi
place to update.
Signed-off-by: Michael Ellerman m...@ellerman.id.au
Reviewed-by: Kees Cook keesc...@chromium.org
-Kees
---
arch/powerpc/include/asm/syscall.h | 19 ---
1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/arch/powerpc/include/asm/syscall.h
b/arch
, which may have been
modified by seccomp, which allows seccomp to modify the first syscall
parameter and allow the syscall to proceed.
Signed-off-by: Michael Ellerman m...@ellerman.id.au
Reviewed-by: Kees Cook keesc...@chromium.org
-Kees
---
arch/powerpc/Kconfig | 1 +
arch
though the value passed
in is already negative.
So remove the negation in syscall_set_return_value(), and expect the
caller to do it like all other implementations do.
Also add a comment about the ccr handling.
Signed-off-by: Michael Ellerman m...@ellerman.id.au
Reviewed-by: Kees Cook keesc
is seccomp filter, which we don't support
yet.
So before we enable seccomp filter, add compat handling for SIGSYS.
Signed-off-by: Michael Ellerman m...@ellerman.id.au
Reviewed-by: Kees Cook keesc...@chromium.org
-Kees
---
arch/powerpc/include/asm/compat.h | 7 +++
arch/powerpc/kernel
like powerpc exposes syscall_restart? Seems like ARM remains
the odd-arch-out on this. :P)
Thanks!
-Kees
Acked-by: Kees Cook keesc...@chromium.org
Signed-off-by: Michael Ellerman m...@ellerman.id.au
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 9 -
1 file changed, 8 insertions
samples/seccomp/bpf-helper.h which changes the offset
on big endian to account for this.
Signed-off-by: Michael Ellerman m...@ellerman.id.au
Acked-by: Kees Cook keesc...@chromium.org
Thanks for fixing the error message! :)
-Kees
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 6
with TIF_NOERROR.
Although we could fix those, until it has a caller and it's clear what
semantics the caller wants it's just untested code. So drop it.
Signed-off-by: Michael Ellerman m...@ellerman.id.au
Reviewed-by: Kees Cook keesc...@chromium.org
-Kees
---
arch/powerpc/include/asm
() while we're here, even though it's never
used.
Signed-off-by: Michael Ellerman m...@ellerman.id.au
Reviewed-by: Kees Cook keesc...@chromium.org
-Kees
---
arch/powerpc/include/asm/syscall.h | 16 +---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/arch/powerpc
...@ellerman.id.au
Reviewed-by: Kees Cook keesc...@chromium.org
-Kees
---
arch/powerpc/kernel/entry_32.S | 4
arch/powerpc/kernel/entry_64.S | 23 ++--
arch/powerpc/kernel/ptrace.c | 48
--
3 files changed, 58 insertions(+), 17
...@ellerman.id.au
Reviewed-by: Kees Cook keesc...@chromium.org
-Kees
---
arch/powerpc/include/asm/syscall.h | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/arch/powerpc/include/asm/syscall.h
b/arch/powerpc/include/asm/syscall.h
index 8d79a87c0511
(TRAP_info, info, sizeof(TRAP_info));
TRAP_nr = nr;
}
This chunk looks like left-over debugging?
-Kees
--
2.1.0
--
Kees Cook
Chrome OS Security
the particular (impossible) failure condition? wut? Unknown
__BYTE_ORDER?!. Not a huge deal, but I always like verbose errors. :)
Especially for impossible situations. :)
-Kees
#define SIBLING_EXIT_UNKILLED 0xbadbeef
#define SIBLING_EXIT_FAILURE 0xbadface
--
2.1.0
--
Kees Cook
Chrome OS
On Wed, Jul 15, 2015 at 12:37 AM, Michael Ellerman m...@ellerman.id.au wrote:
Wire up the syscall number and regs so the tests work on powerpc.
Signed-off-by: Michael Ellerman m...@ellerman.id.au
Acked-by: Kees Cook keesc...@chromium.org
-Kees
---
tools/testing/selftests/seccomp
There has been a long-standing (and documented) issue with seccomp
where ptrace can be used to change a syscall out from under seccomp.
This is a problem for containers and other wider seccomp filtered
environments where ptrace needs to remain available, as it allows
for an escape of the seccomp
places where ptrace is desired even under seccomp filters.
This adds tests for both SECCOMP_RET_TRACE and PTRACE_SYSCALL manipulations.
Signed-off-by: Kees Cook <keesc...@chromium.org>
Cc: Andy Lutomirski <l...@kernel.org>
---
tools/testing/selftests/seccomp/seccomp
Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: Kees Cook <keesc...@chromium.org>
Cc: Ralf Baechle <r...@linux-mips.org>
Cc: "Maciej W. Rozycki" <ma...@imgtec.com>
Cc: James Hogan <james.ho...@imgtec.com>
Cc: linux-m...@li
From: Andy Lutomirski <l...@kernel.org>
I added two-phase syscall entry work back when the entry slow path
was very slow. Nowadays, the entry slow path is fast and two-phase
entry work serves no purpose. Remove it.
Signed-off-by: Andy Lutomirski <l...@kernel.org>
Signed-off-b
Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: Kees Cook <keesc...@chromium.org>
Cc: Catalin Marinas <catalin.mari...@arm.com>
Cc: Will Deacon <will.dea...@arm.com>
Cc: Mark Rutland <mark.rutl...@arm.com>
Cc: linux-arm-ker...@lists
Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: Kees Cook <keesc...@chromium.org>
Cc: Russell King <li...@armlinux.org.uk>
Cc: linux-arm-ker...@lists.infradead.org
---
arch/arm/kernel/ptrace.c | 11 ++-
1 file changed, 6 insertions(+),
When RET_TRACE triggers, a tracer may change a syscall into something that
should be filtered by seccomp. This re-runs seccomp after a trace event
to make sure things continue to pass.
Signed-off-by: Kees Cook <keesc...@chromium.org>
Cc: Andy Lutomirski <l...@kernel.org>
---
kern
Since nothing is using the 2-phase API, and it adds more complexity than
benefit, remove it.
Signed-off-by: Kees Cook <keesc...@chromium.org>
Cc: Andy Lutomirski <l...@kernel.org>
---
include/linux/seccomp.h | 6 ---
kernel/seccomp.c
Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: Kees Cook <keesc...@chromium.org>
Cc: "James E.J. Bottomley" <j...@parisc-linux.org>
Cc: Helge Deller <del...@gmx.de>
Cc: linux-par...@vger.kernel.org
---
arch/parisc/kernel/pt
Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: Kees Cook <keesc...@chromium.org>
Cc: Heiko Carstens <heiko.carst...@de.ibm.com>
Cc: Martin Schwidefsky <schwidef...@de.ibm.com>
Cc: linux-s...@vger.kernel.org
---
arch/s390/ke
linux-a...@vger.kernel.org
Signed-off-by: Andy Lutomirski <l...@kernel.org>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
arch/arm/kernel/ptrace.c | 2 +-
arch/arm64/kernel/ptrace.c| 2 +-
arch/mips/kernel/ptrace.c | 2 +-
arch/parisc/kernel/ptra
Lutomirski <l...@kernel.org>
Signed-off-by: Kees Cook <keesc...@chromium.org>
Cc: x...@kernel.org
Cc: Andy Lutomirski <l...@kernel.org>
---
arch/x86/entry/common.c | 22 --
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/arch/x86/entry/common.
Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: Kees Cook <keesc...@chromium.org>
Cc: Michael Ellerman <m...@ellerman.id.au>
Cc: Benjamin Herrenschmidt <b...@kernel.crashing.org>
Cc: Paul Mackerras <pau...@samba.org>
Cc: linux
Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: Kees Cook <keesc...@chromium.org>
Cc: Jeff Dike <jd...@addtoit.com>
Cc: Richard Weinberger <rich...@nod.at>
Cc: user-mode-linux-de...@lists.sourceforge.net
---
arch/um/kernel/skas/syscall.