Re: [PATCH v2 0/3] Nvram-to-pstore: compression support for oops data

, but that doesn't need to be part of this series. :) Acked-by: Kees Cook keesc...@chromium.org Thanks, -Kees -- Kees Cook Chrome OS Security ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev

Re: [RFC PATCH v2 11/11] pstore/ram: Read and write to the 'compressed' flag of pstore

-off-by: Aruna Balakrishnaiah ar...@linux.vnet.ibm.com Nice work! Acked-by: Kees Cook keesc...@chromium.org -- Kees Cook Chrome OS Security ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev

Re: [RFC PATCH v2 00/11] Add (de)compression support to pstore

issues from v1 Yeah, this is great. While I haven't tested it myself yet, the code seems to be in good shape. I acked the ram piece separately, but consider the entire series: Reviewed-by: Kees Cook keesc...@chromium.org Thanks! -Kees -- Kees Cook Chrome OS Security

Re: [RFC PATCH] make CONFIG_STRICT_DEVMEM a core non-debug feature

default y -- 1.7.10.4 -- Kees Cook Chrome OS Security ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev

Re: [RFC PATCH] make CONFIG_STRICT_DEVMEM a core non-debug feature

On Tue, Nov 4, 2014 at 11:59 AM, Leif Lindholm leif.lindh...@linaro.org wrote: On Tue, Nov 04, 2014 at 10:43:00AM -0800, Kees Cook wrote: diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig index efefd12..39f7817 100644 --- a/drivers/char/Kconfig +++ b/drivers/char/Kconfig @@ -6,6

Re: [PATCH v2 7/8] powerpc/pseries: Read of-config partition via pstore

@@ enum pstore_type_id { PSTORE_TYPE_FTRACE = 3, /* PPC64 partition types */ PSTORE_TYPE_PPC_RTAS= 4, + PSTORE_TYPE_PPC_OF = 5, PSTORE_TYPE_UNKNOWN = 255 }; Should this be named just PSTORE_TYPE_OF instead of ...PPC_OF? -Kees -- Kees

Re: [PATCH v2 0/8] powerpc/pseries: Nvram-to-pstore

3 files changed, 313 insertions(+), 53 deletions(-) This series looks good! Other than the naming conventions (are these new pstore types really PPC-only?) I think it's a fine addition. Thanks! -Kees -- Kees Cook Chrome OS Security ___ Linuxppc-dev

Re: [PATCH 3/3] powerpc/pseries: Support compression of oops text via pstore

); if (rc != 0) { pr_err(nvram: kmsg_dump_register() failed; returned %d\n, rc); -- Kees Cook Chrome OS Security ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev

Re: [PATCH 3/3] powerpc/pseries: Support compression of oops text via pstore

On Tue, Jun 25, 2013 at 12:04 AM, Aruna Balakrishnaiah ar...@linux.vnet.ibm.com wrote: Hi Kees, On Monday 24 June 2013 11:27 PM, Kees Cook wrote: On Sun, Jun 23, 2013 at 11:23 PM, Aruna Balakrishnaiah ar...@linux.vnet.ibm.com wrote: The patch set supports compression of oops messages

Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering

has a lot more to do with trace event filters than the minimal old seccomp code ... Would this require privileges to get the event fd to start with? If so, I would prefer to avoid that, since using prctl() as shown in the patch set won't require any privs. -Kees -- Kees Cook Ubuntu Security

[PATCH] powerpc/xmon: avoid format string leaking to printk

This makes sure format strings cannot leak into printk (the string has already been correctly processed for format arguments). Signed-off-by: Kees Cook keesc...@chromium.org --- arch/powerpc/xmon/nonstdio.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/powerpc/xmon

Re: [PATCH v5 0/4] powerpc/pstore: Add pstore support for nvram partitions

skimmed this, and it looks good to me. Reviewed-by: Kees Cook keesc...@chromium.org -Kees arch/powerpc/include/asm/nvram.h| 50 ++ arch/powerpc/include/asm/rtas.h |5 arch/powerpc/kernel/nvram_64.c | 677 +++ arch/powerpc

Re: [PATCH v4 03/10] arm64: standardize mmap_rnd() usage

On Tue, Mar 17, 2015 at 7:47 AM, Will Deacon will.dea...@arm.com wrote: On Wed, Mar 04, 2015 at 09:10:47PM +, Kees Cook wrote: In preparation for splitting out ET_DYN ASLR, this refactors the use of mmap_rnd() to be used similarly to arm and x86. This additionally enables mmap ASLR

Re: [PATCH v3 0/10] split ET_DYN ASLR from mmap ASLR

On Mon, Mar 9, 2015 at 9:19 AM, Russell King - ARM Linux li...@arm.linux.org.uk wrote: On Tue, Mar 03, 2015 at 06:10:15PM -0800, Kees Cook wrote: To address the offset2lib ASLR weakness[1], this separates ET_DYN ASLR from mmap ASLR, as already done on s390. The architectures that are already

Re: [PATCH v3 0/8] switch to using asm-generic for seccomp.h

On Wed, Mar 4, 2015 at 5:27 PM, Kees Cook keesc...@chromium.org wrote: Most architectures don't need to do much special for the strict-mode seccomp syscall entries. Remove the redundant headers and reduce the others. Signed-off-by: Kees Cook keesc...@chromium.org Hi Andrew, Just a quick

Re: [PATCH] seccomp: switch to using asm-generic for seccomp.h

On Fri, Feb 27, 2015 at 5:36 PM, Stephen Rothwell s...@canb.auug.org.au wrote: Hi Kees, On Fri, 27 Feb 2015 16:52:29 -0800 Kees Cook keesc...@chromium.org wrote: diff --git a/arch/arm/include/asm/seccomp.h b/arch/arm/include/asm/seccomp.h index 52b156b341f5..66ca6a30bf5c 100644 --- a/arch

[PATCH v2] seccomp: switch to using asm-generic for seccomp.h

Most architectures don't need to do anything special for the strict seccomp syscall entries. Remove the redundant headers and reduce the others. Signed-off-by: Kees Cook keesc...@chromium.org --- v2: - use Kbuild generic-y instead of explicit #include lines (sfr) --- arch/arm/include/asm/Kbuild

Re: [PATCH 0/5] split ET_DYN ASLR from mmap ASLR

On Mon, Mar 2, 2015 at 1:26 PM, Andrew Morton a...@linux-foundation.org wrote: On Thu, 26 Feb 2015 19:07:09 -0800 Kees Cook keesc...@chromium.org wrote: This separates ET_DYN ASLR from mmap ASLR, as already done on s390. The various architectures that are already randomizing mmap (arm, arm64

[PATCH 4/5] mm: split ET_DYN ASLR from mmap ASLR

for handling ET_DYN ASLR in a separate region from mmap ASLR, as already done on s390. Removes CONFIG_BINFMT_ELF_RANDOMIZE_PIE, which is no longer needed. Reported-by: Hector Marco-Gisbert hecma...@upv.es Signed-off-by: Kees Cook keesc...@chromium.org --- arch/arm/Kconfig| 1 - arch/arm64

[PATCH 3/5] mm: move randomize_et_dyn into ELF_ET_DYN_BASE

in the same ET_DYN randomization on s390. Additionally removes a copy/pasted unused arm64 extern. Signed-off-by: Kees Cook keesc...@chromium.org --- arch/arm64/include/asm/elf.h | 1 - arch/s390/include/asm/elf.h | 9 + arch/s390/mm/mmap.c | 11 --- 3 files changed, 5

[PATCH 1/5] arm: factor out mmap ASLR into mmap_rnd

In preparation for exporting per-arch mmap randomization functions, this moves the ASLR calculations for mmap on ARM into a separate routine. Signed-off-by: Kees Cook keesc...@chromium.org --- arch/arm/mm/mmap.c | 13 ++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git

[PATCH v2 0/5] split ET_DYN ASLR from mmap ASLR

To address the offset2lib ASLR weakness[1], this separates ET_DYN ASLR from mmap ASLR, as already done on s390. The architectures that are already randomizing mmap (arm, arm64, mips, powerpc, s390, and x86), have their various forms of arch_mmap_rnd() made available via the new

[PATCH 2/5] mm: expose arch_mmap_rnd when available

(). Additionally introduces CONFIG_ARCH_HAS_ELF_RANDOMIZE for describing this feature on architectures that support it (which is a superset of ARCH_BINFMT_ELF_RANDOMIZE_PIE, since s390 already does this witout the ARCH_BINFMT_ELF_RANDOMIZE_PIE logic). Signed-off-by: Kees Cook keesc...@chromium.org --- arch

[PATCH 5/5] mm: fold arch_randomize_brk into ARCH_HAS_ELF_RANDOMIZE

-off-by: Kees Cook keesc...@chromium.org --- arch/Kconfig | 1 + arch/arm/include/asm/elf.h | 4 arch/arm64/include/asm/elf.h | 4 arch/mips/include/asm/elf.h| 4 arch/powerpc/include/asm/elf.h | 4 arch/s390/include/asm/elf.h| 3 --- arch/x86

Re: [PATCH] Fix offset2lib issue for x86*, ARM*, PowerPC and MIPS

On Thu, Feb 26, 2015 at 4:11 PM, Kees Cook keesc...@chromium.org wrote: On Thu, Feb 26, 2015 at 4:06 PM, Andrew Morton a...@linux-foundation.org wrote: On Thu, 26 Feb 2015 15:37:37 -0800 Kees Cook keesc...@chromium.org wrote: Agh, no, please let's avoid the CONFIG addition

Re: [PATCH v2 0/5] split ET_DYN ASLR from mmap ASLR

On Mon, Mar 2, 2015 at 11:31 PM, Ingo Molnar mi...@kernel.org wrote: * Kees Cook keesc...@chromium.org wrote: To address the offset2lib ASLR weakness[1], this separates ET_DYN ASLR from mmap ASLR, as already done on s390. The architectures that are already randomizing mmap (arm, arm64, mips

Re: [PATCH v2] seccomp: switch to using asm-generic for seccomp.h

On Tue, Mar 3, 2015 at 12:30 AM, Ingo Molnar mi...@kernel.org wrote: * Kees Cook keesc...@chromium.org wrote: Most architectures don't need to do anything special for the strict seccomp syscall entries. Remove the redundant headers and reduce the others. 19 files changed, 27 insertions

[PATCH v4 06/10] s390: standardize mmap_rnd() usage

In preparation for splitting out ET_DYN ASLR, this refactors the use of mmap_rnd() to be used similarly to arm and x86, and extracts the checking of PF_RANDOMIZE. Signed-off-by: Kees Cook keesc...@chromium.org --- arch/s390/mm/mmap.c | 34 +++--- 1 file changed, 23

[PATCH v4 02/10] x86: standardize mmap_rnd() usage

In preparation for splitting out ET_DYN ASLR, this refactors the use of mmap_rnd() to be used similarly to arm, and extracts the checking of PF_RANDOMIZE. Signed-off-by: Kees Cook keesc...@chromium.org --- arch/x86/mm/mmap.c | 36 1 file changed, 20

[PATCH v4 10/10] mm: fold arch_randomize_brk into ARCH_HAS_ELF_RANDOMIZE

-off-by: Kees Cook keesc...@chromium.org --- arch/Kconfig | 1 + arch/arm/include/asm/elf.h | 4 arch/arm64/include/asm/elf.h | 4 arch/mips/include/asm/elf.h| 4 arch/powerpc/include/asm/elf.h | 4 arch/s390/include/asm/elf.h| 3 --- arch/x86

[PATCH v4 07/10] mm: expose arch_mmap_rnd when available

(). Additionally introduces CONFIG_ARCH_HAS_ELF_RANDOMIZE for describing this feature on architectures that support it (which is a superset of ARCH_BINFMT_ELF_RANDOMIZE_PIE, since s390 already supports a separated ET_DYN ASLR from mmap ASLR without the ARCH_BINFMT_ELF_RANDOMIZE_PIE logic). Signed-off-by: Kees

[PATCH v4 03/10] arm64: standardize mmap_rnd() usage

declaration of an unused function. Signed-off-by: Kees Cook keesc...@chromium.org --- arch/arm64/include/asm/elf.h | 1 - arch/arm64/mm/mmap.c | 18 +++--- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h index

[PATCH v4 04/10] mips: extract logic for mmap_rnd()

In preparation for splitting out ET_DYN ASLR, extract the mmap ASLR selection into a separate function. Signed-off-by: Kees Cook keesc...@chromium.org --- It seems the entropy gets smaller as the PAGE_SIZE increases. Is this intentional? --- arch/mips/mm/mmap.c | 24 1

Re: [PATCH 4/5] mm: split ET_DYN ASLR from mmap ASLR

On Tue, Mar 3, 2015 at 8:16 PM, Michael Ellerman m...@ellerman.id.au wrote: On Mon, 2015-03-02 at 16:19 -0800, Kees Cook wrote: This fixes the offset2lib weakness in ASLR for arm, arm64, mips, powerpc, and x86. The problem is that if there is a leak of ASLR from the executable (ET_DYN

[PATCH v4 05/10] powerpc: standardize mmap_rnd() usage

In preparation for splitting out ET_DYN ASLR, this refactors the use of mmap_rnd() to be used similarly to arm and x86. Signed-off-by: Kees Cook keesc...@chromium.org Acked-by: Michael Ellerman m...@ellerman.id.au --- Can mmap ASLR be safely enabled in the legacy mmap case here? Other archs use

[PATCH v4 01/10] arm: factor out mmap ASLR into mmap_rnd

In preparation for splitting out ET_DYN ASLR, this moves the ASLR calculations for mmap on ARM into a separate routine, similar to x86. This also removes the redundant check of personality (PF_RANDOMIZE is already set before calling arch_pick_mmap_layout). Signed-off-by: Kees Cook keesc

[PATCH v4 0/10] split ET_DYN ASLR from mmap ASLR

To address the offset2lib ASLR weakness[1], this separates ET_DYN ASLR from mmap ASLR, as already done on s390. The architectures that are already randomizing mmap (arm, arm64, mips, powerpc, s390, and x86), have their various forms of arch_mmap_rnd() made available via the new

Re: [PATCH v4 0/10] split ET_DYN ASLR from mmap ASLR

On Wed, Mar 4, 2015 at 1:54 PM, Ingo Molnar mi...@kernel.org wrote: * Kees Cook keesc...@chromium.org wrote: To address the offset2lib ASLR weakness[1], this separates ET_DYN ASLR from mmap ASLR, as already done on s390. The architectures that are already randomizing mmap (arm, arm64, mips

[PATCH v4 09/10] mm: split ET_DYN ASLR from mmap ASLR

arch_mmap_rnd() into the ELF loader for handling ET_DYN ASLR in a separate region from mmap ASLR, as was already done on s390. Removes CONFIG_BINFMT_ELF_RANDOMIZE_PIE, which is no longer needed. Reported-by: Hector Marco-Gisbert hecma...@upv.es Signed-off-by: Kees Cook keesc...@chromium.org

[PATCH v4 08/10] s390: redefine randomize_et_dyn for ELF_ET_DYN_BASE

In preparation for moving ET_DYN randomization into the ELF loader (which requires a static ELF_ET_DYN_BASE), this redefines s390's existing ET_DYN randomization in a call to arch_mmap_rnd(). This refactoring results in the same ET_DYN randomization on s390. Signed-off-by: Kees Cook keesc

[PATCH v3 8/8] x86: switch to using asm-generic for seccomp.h

Switch to using the newly created asm-generic/seccomp.h for the seccomp strict mode syscall definitions. The obsolete sigreturn syscall override is retained in 32-bit mode, and the ia32 syscall overrides are used in the compat case. Remaining definitions were identical. Signed-off-by: Kees Cook

[PATCH v3 0/8] switch to using asm-generic for seccomp.h

Most architectures don't need to do much special for the strict-mode seccomp syscall entries. Remove the redundant headers and reduce the others. Signed-off-by: Kees Cook keesc...@chromium.org --- v3: - split patch series by architecture - fix up architectures that need sigreturn overrides (ingo

[PATCH v3 6/8] powerpc: switch to using asm-generic for seccomp.h

Switch to using the newly created asm-generic/seccomp.h for the seccomp strict mode syscall definitions. The obsolete sigreturn in COMPAT mode is retained as an override. Remaining definitions are identical, though they incorrectly appeared in uapi, which has been corrected. Signed-off-by: Kees

[PATCH v3 1/8] seccomp: allow COMPAT sigreturn overrides

Some architectures may need to override the compat sigreturn definition, as is already possible in the non-compat case. Signed-off-by: Kees Cook keesc...@chromium.org --- include/asm-generic/seccomp.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/asm-generic/seccomp.h b/include

[PATCH v3 3/8] microblaze: use asm-generic for seccomp.h

are identical. Signed-off-by: Kees Cook keesc...@chromium.org --- arch/microblaze/include/asm/seccomp.h | 8 +--- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/arch/microblaze/include/asm/seccomp.h b/arch/microblaze/include/asm/seccomp.h index 0d912758a0d7..204618a2ce84 100644 --- a/arch

[PATCH v3 5/8] parisc: switch to using asm-generic for seccomp.h

Switch to using the newly created asm-generic/seccomp.h for the seccomp strict mode syscall definitions. Definitions were identical. Signed-off-by: Kees Cook keesc...@chromium.org --- arch/parisc/include/asm/Kbuild| 1 + arch/parisc/include/asm/seccomp.h | 16 2 files

[PATCH v3 2/8] arm: use asm-generic for seccomp.h

Switch to using the newly created asm-generic/seccomp.h for the seccomp strict mode syscall definitions. Definitions were identical. Signed-off-by: Kees Cook keesc...@chromium.org --- arch/arm/include/asm/Kbuild| 1 + arch/arm/include/asm/seccomp.h | 11 --- 2 files changed, 1

[PATCH v3 7/8] sparc: switch to using asm-generic for seccomp.h

Switch to using the newly created asm-generic/seccomp.h for the seccomp strict mode syscall definitions. The obsolete sigreturn in COMPAT mode is retained as an override. Remaining definitions are identical. Also corrected missing #define for header reinclusion protection. Signed-off-by: Kees

[PATCH v3 4/8] mips: switch to using asm-generic for seccomp.h

Switch to using the newly created asm-generic/seccomp.h for the seccomp strict mode syscall definitions. COMPAT definitions retain their overrides and the remaining definitions were identical. Signed-off-by: Kees Cook keesc...@chromium.org --- arch/mips/include/asm/seccomp.h | 7 ++- 1 file

[PATCH v3 05/10] powerpc: standardize mmap_rnd() usage

In preparation for splitting out ET_DYN ASLR, this refactors the use of mmap_rnd() to be used similarly to arm and x86. Signed-off-by: Kees Cook keesc...@chromium.org --- Can mmap ASLR be safely enabled in the legacy mmap case here? Other archs use mm-mmap_base = TASK_UNMAPPED_BASE

[PATCH v3 04/10] mips: extract logic for mmap_rnd()

In preparation for splitting out ET_DYN ASLR, extract the mmap ASLR selection into a separate function. Signed-off-by: Kees Cook keesc...@chromium.org --- arch/mips/mm/mmap.c | 24 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/arch/mips/mm/mmap.c b/arch

[PATCH v3 06/10] s390: standardize mmap_rnd() usage

In preparation for splitting out ET_DYN ASLR, this refactors the use of mmap_rnd() to be used similarly to arm and x86, and extracts the checking of PF_RANDOMIZE. Signed-off-by: Kees Cook keesc...@chromium.org --- arch/s390/mm/mmap.c | 34 +++--- 1 file changed, 23

[PATCH v3 09/10] mm: split ET_DYN ASLR from mmap ASLR

for handling ET_DYN ASLR in a separate region from mmap ASLR, as was already done on s390. Removes CONFIG_BINFMT_ELF_RANDOMIZE_PIE, which is no longer needed. Reported-by: Hector Marco-Gisbert hecma...@upv.es Signed-off-by: Kees Cook keesc...@chromium.org --- arch/arm/Kconfig| 1 - arch/arm64

[PATCH v3 01/10] arm: factor out mmap ASLR into mmap_rnd

In preparation for splitting out ET_DYN ASLR, this moves the ASLR calculations for mmap on ARM into a separate routine, similar to x86. This also removes the redundant check of personality (PF_RANDOMIZE is already set before calling arch_pick_mmap_layout). Signed-off-by: Kees Cook keesc

[PATCH v3 02/10] x86: standardize mmap_rnd() usage

In preparation for splitting out ET_DYN ASLR, this refactors the use of mmap_rnd() to be used similarly to arm, and extracts the checking of PF_RANDOMIZE. Signed-off-by: Kees Cook keesc...@chromium.org --- arch/x86/mm/mmap.c | 36 1 file changed, 20

[PATCH v3 07/10] mm: expose arch_mmap_rnd when available

(). Additionally introduces CONFIG_ARCH_HAS_ELF_RANDOMIZE for describing this feature on architectures that support it (which is a superset of ARCH_BINFMT_ELF_RANDOMIZE_PIE, since s390 already supports a separated ET_DYN ASLR from mmap ASLR without the ARCH_BINFMT_ELF_RANDOMIZE_PIE logic). Signed-off-by: Kees

[PATCH v3 08/10] s390: redefine randomize_et_dyn for ELF_ET_DYN_BASE

In preparation for moving ET_DYN randomization into the ELF loader (which requires a static ELF_ET_DYN_BASE), this redefines s390's existing ET_DYN randomization in a call to arch_mmap_rnd(). This refactoring results in the same ET_DYN randomization on s390. Signed-off-by: Kees Cook keesc

[PATCH v3 0/10] split ET_DYN ASLR from mmap ASLR

To address the offset2lib ASLR weakness[1], this separates ET_DYN ASLR from mmap ASLR, as already done on s390. The architectures that are already randomizing mmap (arm, arm64, mips, powerpc, s390, and x86), have their various forms of arch_mmap_rnd() made available via the new

[PATCH v3 03/10] arm64: standardize mmap_rnd() usage

declaration of an unused function. Signed-off-by: Kees Cook keesc...@chromium.org --- arch/arm64/include/asm/elf.h | 1 - arch/arm64/mm/mmap.c | 18 +++--- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h index

[PATCH v3 10/10] mm: fold arch_randomize_brk into ARCH_HAS_ELF_RANDOMIZE

-off-by: Kees Cook keesc...@chromium.org --- arch/Kconfig | 1 + arch/arm/include/asm/elf.h | 4 arch/arm64/include/asm/elf.h | 4 arch/mips/include/asm/elf.h| 4 arch/powerpc/include/asm/elf.h | 4 arch/s390/include/asm/elf.h| 3 --- arch/x86

[PATCH] seccomp: switch to using asm-generic for seccomp.h

Most architectures don't need to do anything special for the strict seccomp syscall entries. Remove the redundant headers and reduce the others. Signed-off-by: Kees Cook keesc...@chromium.org --- arch/arm/include/asm/seccomp.h | 12 +--- arch/microblaze/include/asm/seccomp.h

Re: [PATCH] Fix offset2lib issue for x86*, ARM*, PowerPC and MIPS

/aslrv2.html Signed-off-by: Hector Marco-Gisbert hecma...@upv.es Signed-off-by: Ismael Ripoll irip...@upv.es Acked-by: Kees Cook keesc...@chromium.org diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig index 97d07ed..ee7ea7e 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig @@ -1,7

Re: [PATCH] Fix offset2lib issue for x86*, ARM*, PowerPC and MIPS

Marinas catalin.mari...@arm.com Cc: Hector Marco Gisbert hecma...@upv.es Cc: Hector Marco-Gisbert hecma...@upv.es Cc: Ingo Molnar mi...@kernel.org Cc: Ismael Ripoll irip...@upv.es Cc: Kees Cook keesc...@chromium.org Cc: Ralf Baechle r...@linux-mips.org Cc: Russell King r...@arm.linux.org.uk Cc

[PATCH 3/5] mm: move randomize_et_dyn into ELF_ET_DYN_BASE

This moves s390's randomize_et_dyn base into ELF_ET_DYN_BASE, and removes an unused arm64 extern. Signed-off-by: Kees Cook keesc...@chromium.org --- arch/arm64/include/asm/elf.h | 1 - arch/s390/include/asm/elf.h | 9 + arch/s390/mm/mmap.c | 11 --- 3 files changed, 5

[PATCH 0/5] split ET_DYN ASLR from mmap ASLR

This separates ET_DYN ASLR from mmap ASLR, as already done on s390. The various architectures that are already randomizing mmap (arm, arm64, mips, powerpc, s390, and x86), have their various forms of arch_mmap_rnd() made available via the new CONFIG_ARCH_HAS_ELF_RANDOMIZE. For these architectures,

[PATCH 2/5] mm: expose arch_mmap_rnd when available

When an architecture fully supports randomizing the ELF load location, the arch_mmap_rnd() function becomes available. Rename and expose these functions where they exist. Introduces CONFIG_ARCH_HAS_ELF_RANDOMIZE. Signed-off-by: Kees Cook keesc...@chromium.org --- arch/Kconfig

[PATCH 1/5] arm: factor out mmap ASLR into mmap_rnd

Move logic for mmap ASLR into separate function. Signed-off-by: Kees Cook keesc...@chromium.org --- arch/arm/mm/mmap.c | 13 ++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c index 5e85ed371364..0f8bc158f2c6 100644 --- a/arch/arm

[PATCH 5/5] mm: fold arch_randomize_brk into ARCH_HAS_ELF_RANDOMIZE

On architectures that define CONFIG_ARCH_HAS_ELF_RANDOMIZE, collapse the function declarations while continuing to handle CONFIG_COMPAT_BRK. Signed-off-by: Kees Cook keesc...@chromium.org --- arch/Kconfig | 1 + arch/arm/include/asm/elf.h | 4 arch/arm64/include/asm

[PATCH 4/5] mm: split ET_DYN ASLR from mmap ASLR

This moves arch_mmap_rnd() into the ELF loader for handling ET_DYN ASLR in a separate region from mmap ASLR, as already done on s390. Removes CONFIG_BINFMT_ELF_RANDOMIZE_PIE. Reported-by: Hector Marco-Gisbert hecma...@upv.es Signed-off-by: Kees Cook keesc...@chromium.org --- arch/arm/Kconfig

Re: [PATCH 1/2] Move the pt_regs_offset struct definition from arch to common include file

codify into the selftests directory? It seems like a great thing to capture in a single place somewhere (the register lists, that is). -Kees Acked-by: Michael Ellerman m...@ellerman.id.au cheers Thanks, -dl -- Kees Cook Chrome OS Security

Re: [PATCH 0/2] Consolidate redundant register/stack access code

kernel/ptrace.c| 38 ++ 16 files changed, 116 insertions(+), 363 deletions(-) delete mode 100644 arch/sh/kernel/ptrace.c I love the deletions:insertions ratio! :) Reviewed-by: Kees Cook keesc...@chromium.org I wonder why arm64 doesn't define

Re: [PATCH v2] powerpc/kernel: Enable seccomp filter

-by: Kees Cook keesc...@chromium.org --- arch/powerpc/Kconfig | 1 + arch/powerpc/kernel/ptrace.c | 41 - 2 files changed, 41 insertions(+), 1 deletion(-) v2: The previous version didn't compile for CONFIG_SECCOMP=n. To fix it up I moved

Re: [PATCH 01/11] powerpc/kernel: Switch to using MAX_ERRNO

...@ellerman.id.au Reviewed-by: Kees Cook keesc...@chromium.org -Kees --- arch/powerpc/include/uapi/asm/errno.h | 2 -- arch/powerpc/kernel/entry_32.S| 3 ++- arch/powerpc/kernel/entry_64.S| 5 +++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/arch/powerpc/include/uapi

Re: [PATCH 05/11] powerpc: Rework syscall_get_arguments() so there is only one loop

place to update. Signed-off-by: Michael Ellerman m...@ellerman.id.au Reviewed-by: Kees Cook keesc...@chromium.org -Kees --- arch/powerpc/include/asm/syscall.h | 19 --- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/arch/powerpc/include/asm/syscall.h b/arch

Re: [PATCH 09/11] powerpc/kernel: Enable seccomp filter

, which may have been modified by seccomp, which allows seccomp to modify the first syscall paramater and allow the syscall to proceed. Signed-off-by: Michael Ellerman m...@ellerman.id.au Reviewed-by: Kees Cook keesc...@chromium.org -Kees --- arch/powerpc/Kconfig | 1 + arch

Re: [PATCH 04/11] powerpc: Don't negate error in syscall_set_return_value()

though the value passed in is already negative. So remove the negation in syscall_set_return_value(), and expect the caller to do it like all other implementations do. Also add a comment about the ccr handling. Signed-off-by: Michael Ellerman m...@ellerman.id.au Reviewed-by: Kees Cook keesc

Re: [PATCH 08/11] powerpc/kernel: Add SIG_SYS support for compat tasks

is seccomp filter, which we don't support yet. So before we enable seccomp filter, add compat handling for SIGSYS. Signed-off-by: Michael Ellerman m...@ellerman.id.au Reviewed-by: Kees Cook keesc...@chromium.org -Kees --- arch/powerpc/include/asm/compat.h | 7 +++ arch/powerpc/kernel

Re: [PATCH 11/11] selftests/seccomp: Add powerpc support

like powerpc exposes syscall_restart? Seems like ARM remains the odd-arch-out on this. :P) Thanks! -Kees Acked-by: Kees Cook keesc...@chromium.org Signed-off-by: Michael Ellerman m...@ellerman.id.au --- tools/testing/selftests/seccomp/seccomp_bpf.c | 9 - 1 file changed, 8 insertions

Re: [PATCH 10/11] selftests/seccomp: Make seccomp tests work on big endian

samples/seccomp/bpf-helper.h which changes the offset on big endian to account for this. Signed-off-by: Michael Ellerman m...@ellerman.id.au Acked-by: Kees Cook keesc...@chromium.org Thanks for fixing the error message! :) -Kees --- tools/testing/selftests/seccomp/seccomp_bpf.c | 6

Re: [PATCH 03/11] powerpc: Drop unused syscall_get_error()

with TIF_NOERROR. Although we could fix those, until it has a caller and it's clear what semantics the caller wants it's just untested code. So drop it. Signed-off-by: Michael Ellerman m...@ellerman.id.au Reviewed-by: Kees Cook keesc...@chromium.org -Kees --- arch/powerpc/include/asm

Re: [PATCH 06/11] powerpc: Use orig_gpr3 in syscall_get_arguments()

() while we're here, even though it's never used. Signed-off-by: Michael Ellerman m...@ellerman.id.au Reviewed-by: Kees Cook keesc...@chromium.org -Kees --- arch/powerpc/include/asm/syscall.h | 16 +--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/arch/powerpc

Re: [PATCH 02/11] powerpc/kernel: Change the do_syscall_trace_enter() API

...@ellerman.id.au Reviewed-by: Kees Cook keesc...@chromium.org -Kees --- arch/powerpc/kernel/entry_32.S | 4 arch/powerpc/kernel/entry_64.S | 23 ++-- arch/powerpc/kernel/ptrace.c | 48 -- 3 files changed, 58 insertions(+), 17

Re: [PATCH 07/11] powerpc: Change syscall_get_nr() to return int

...@ellerman.id.au Reviewed-by: Kees Cook keesc...@chromium.org -Kees --- arch/powerpc/include/asm/syscall.h | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/arch/powerpc/include/asm/syscall.h b/arch/powerpc/include/asm/syscall.h index 8d79a87c0511

Re: [RFC PATCH 09/12] powerpc/kernel: Add SIG_SYS support for compat tasks

(TRAP_info, info, sizeof(TRAP_info)); TRAP_nr = nr; } This chunk looks like left-over debugging? -Kees -- 2.1.0 -- Kees Cook Chrome OS Security ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo

Re: [RFC PATCH 11/12] selftests/seccomp: Make seccomp tests work on big endian

the particular (impossible) failure condition? wut? Unknown __BYTE_ORDER?!. Not a huge deal, but I always like verbose errors. :) Especially for impossible situations. :) -Kees #define SIBLING_EXIT_UNKILLED 0xbadbeef #define SIBLING_EXIT_FAILURE 0xbadface -- 2.1.0 -- Kees Cook Chrome OS

Re: [RFC PATCH 12/12] selftests/seccomp: Add powerpc support

On Wed, Jul 15, 2015 at 12:37 AM, Michael Ellerman m...@ellerman.id.au wrote: Wire up the syscall number and regs so the tests work on powerpc. Signed-off-by: Michael Ellerman m...@ellerman.id.au Acked-by: Kees Cook keesc...@chromium.org -Kees --- tools/testing/selftests/seccomp

[PATCH 00/14] run seccomp after ptrace

There has been a long-standing (and documented) issue with seccomp where ptrace can be used to change a syscall out from under seccomp. This is a problem for containers and other wider seccomp filtered environments where ptrace needs to remain available, as it allows for an escape of the seccomp

[PATCH 01/14] seccomp: add tests for ptrace hole

places where ptrace is desired even under seccomp filters. This adds tests for both SECCOMP_RET_TRACE and PTRACE_SYSCALL manipulations. Signed-off-by: Kees Cook <keesc...@chromium.org> Cc: Andy Lutomirski <l...@kernel.org> --- tools/testing/selftests/seccomp/seccomp

[PATCH 09/14] MIPS/ptrace: run seccomp after ptrace

Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keesc...@chromium.org> Cc: Ralf Baechle <r...@linux-mips.org> Cc: "Maciej W. Rozycki" <ma...@imgtec.com> Cc: James Hogan <james.ho...@imgtec.com> Cc: linux-m...@li

[PATCH 03/14] x86/entry: Get rid of two-phase syscall entry work

From: Andy Lutomirski <l...@kernel.org> I added two-phase syscall entry work back when the entry slow path was very slow. Nowadays, the entry slow path is fast and two-phase entry work serves no purpose. Remove it. Signed-off-by: Andy Lutomirski <l...@kernel.org> Signed-off-b

[PATCH 08/14] arm64/ptrace: run seccomp after ptrace

Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keesc...@chromium.org> Cc: Catalin Marinas <catalin.mari...@arm.com> Cc: Will Deacon <will.dea...@arm.com> Cc: Mark Rutland <mark.rutl...@arm.com> Cc: linux-arm-ker...@lists

[PATCH 07/14] arm/ptrace: run seccomp after ptrace

Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keesc...@chromium.org> Cc: Russell King <li...@armlinux.org.uk> Cc: linux-arm-ker...@lists.infradead.org --- arch/arm/kernel/ptrace.c | 11 ++- 1 file changed, 6 insertions(+),

[PATCH 05/14] seccomp: recheck the syscall after RET_TRACE

When RET_TRACE triggers, a tracer may change a syscall into something that should be filtered by seccomp. This re-runs seccomp after a trace event to make sure things continue to pass. Signed-off-by: Kees Cook <keesc...@chromium.org> Cc: Andy Lutomirski <l...@kernel.org> --- kern

[PATCH 04/14] seccomp: remove 2-phase API

Since nothing is using the 2-phase API, and it adds more complexity than benefit, remove it. Signed-off-by: Kees Cook <keesc...@chromium.org> Cc: Andy Lutomirski <l...@kernel.org> --- include/linux/seccomp.h | 6 --- kernel/seccomp.c

[PATCH 10/14] parisc/ptrace: run seccomp after ptrace

Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keesc...@chromium.org> Cc: "James E.J. Bottomley" <j...@parisc-linux.org> Cc: Helge Deller <del...@gmx.de> Cc: linux-par...@vger.kernel.org --- arch/parisc/kernel/pt

[PATCH 11/14] s390/ptrace: run seccomp after ptrace

Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keesc...@chromium.org> Cc: Heiko Carstens <heiko.carst...@de.ibm.com> Cc: Martin Schwidefsky <schwidef...@de.ibm.com> Cc: linux-s...@vger.kernel.org --- arch/s390/ke

[PATCH 02/14] seccomp: Add a seccomp_data parameter secure_computing()

linux-a...@vger.kernel.org Signed-off-by: Andy Lutomirski <l...@kernel.org> Signed-off-by: Kees Cook <keesc...@chromium.org> --- arch/arm/kernel/ptrace.c | 2 +- arch/arm64/kernel/ptrace.c| 2 +- arch/mips/kernel/ptrace.c | 2 +- arch/parisc/kernel/ptra

[PATCH 06/14] x86/ptrace: run seccomp after ptrace

Lutomirski <l...@kernel.org> Signed-off-by: Kees Cook <keesc...@chromium.org> Cc: x...@kernel.org Cc: Andy Lutomirski <l...@kernel.org> --- arch/x86/entry/common.c | 22 -- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/arch/x86/entry/common.

[PATCH 12/14] powerpc/ptrace: run seccomp after ptrace

Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keesc...@chromium.org> Cc: Michael Ellerman <m...@ellerman.id.au> Cc: Benjamin Herrenschmidt <b...@kernel.crashing.org> Cc: Paul Mackerras <pau...@samba.org> Cc: linux

[PATCH 14/14] um/ptrace: run seccomp after ptrace

Close the hole where ptrace can change a syscall out from under seccomp. Signed-off-by: Kees Cook <keesc...@chromium.org> Cc: Jeff Dike <jd...@addtoit.com> Cc: Richard Weinberger <rich...@nod.at> Cc: user-mode-linux-de...@lists.sourceforge.net --- arch/um/kernel/skas/syscall.

  1   2   3   4   5   6   7   8   >