Message ID | 20170207231851.GA129818@beast (mailing list archive) |
---|---|
State | New, archived |
On Tue, Feb 07, 2017 at 03:18:51PM -0800, Kees Cook wrote: > The SECCOMP_RET_KILL filter return code has always killed the current > thread, not the entire process. Changing this as a side-effect of dumping > core isn't a safe thing to do (a few test suites have already flagged this > behavioral change). Instead, restore the RET_KILL semantics, but still > dump core when a RET_KILL delivers SIGSYS to a single-threaded process. > > Fixes: b25e67161c29 ("seccomp: dump core when using SECCOMP_RET_KILL") > Signed-off-by: Kees Cook <keescook@chromium.org> All CRIU tests passed with this patch. Thanks! Acked-by: Andrei Vagin <avagin@virtuozzo.com> > --- > kernel/seccomp.c | 13 ++++++++----- > 1 file changed, 8 insertions(+), 5 deletions(-) > > diff --git a/kernel/seccomp.c b/kernel/seccomp.c > index f8f88ebcb3ba..e15185c28de5 100644 > --- a/kernel/seccomp.c > +++ b/kernel/seccomp.c > @@ -643,11 +643,14 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, > default: { > siginfo_t info; > audit_seccomp(this_syscall, SIGSYS, action); > - /* Show the original registers in the dump. */ > - syscall_rollback(current, task_pt_regs(current)); > - /* Trigger a manual coredump since do_exit skips it. */ > - seccomp_init_siginfo(&info, this_syscall, data); > - do_coredump(&info); > + /* Dump core only if this is the last remaining thread. */ > + if (get_nr_threads(current) == 1) { > + /* Show the original registers in the dump. */ > + syscall_rollback(current, task_pt_regs(current)); > + /* Trigger a manual coredump since do_exit skips it. */ > + seccomp_init_siginfo(&info, this_syscall, data); > + do_coredump(&info); > + } > do_exit(SIGSYS); > } > } > -- > 2.7.4 > > > -- > Kees Cook > Pixel Security -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Mon, Feb 13, 2017 at 10:37 PM, Andrei Vagin <avagin@virtuozzo.com> wrote: > On Tue, Feb 07, 2017 at 03:18:51PM -0800, Kees Cook wrote: >> The SECCOMP_RET_KILL filter return code has always killed the current >> thread, not the entire process. Changing this as a side-effect of dumping >> core isn't a safe thing to do (a few test suites have already flagged this >> behavioral change). Instead, restore the RET_KILL semantics, but still >> dump core when a RET_KILL delivers SIGSYS to a single-threaded process. >> >> Fixes: b25e67161c29 ("seccomp: dump core when using SECCOMP_RET_KILL") >> Signed-off-by: Kees Cook <keescook@chromium.org> > > All CRIU tests passed with this patch. Thanks! > > Acked-by: Andrei Vagin <avagin@virtuozzo.com> Thanks for testing! James, can you make sure this makes it into your -next tree for v4.11? Thanks! -Kees > >> --- >> kernel/seccomp.c | 13 ++++++++----- >> 1 file changed, 8 insertions(+), 5 deletions(-) >> >> diff --git a/kernel/seccomp.c b/kernel/seccomp.c >> index f8f88ebcb3ba..e15185c28de5 100644 >> --- a/kernel/seccomp.c >> +++ b/kernel/seccomp.c >> @@ -643,11 +643,14 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, >> default: { >> siginfo_t info; >> audit_seccomp(this_syscall, SIGSYS, action); >> - /* Show the original registers in the dump. */ >> - syscall_rollback(current, task_pt_regs(current)); >> - /* Trigger a manual coredump since do_exit skips it. */ >> - seccomp_init_siginfo(&info, this_syscall, data); >> - do_coredump(&info); >> + /* Dump core only if this is the last remaining thread. */ >> + if (get_nr_threads(current) == 1) { >> + /* Show the original registers in the dump. */ >> + syscall_rollback(current, task_pt_regs(current)); >> + /* Trigger a manual coredump since do_exit skips it. */ >> + seccomp_init_siginfo(&info, this_syscall, data); >> + do_coredump(&info); >> + } >> do_exit(SIGSYS); >> } >> } >> -- >> 2.7.4 >> >> >> -- >> Kees Cook >> Pixel Security
On Tue, 14 Feb 2017, Kees Cook wrote:
> James, can you make sure this makes it into your -next tree for v4.11?
Queued for next at:
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git#next-queue
On Wed, Feb 15, 2017 at 09:34:35AM +1100, James Morris wrote:
> On Tue, 14 Feb 2017, Kees Cook wrote:
>
> > James, can you make sure this makes it into your -next tree for v4.11?
>
> Queued for next at:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git#next-queue

The b25e67161c29 ("seccomp: dump core when using SECCOMP_RET_KILL") is in the Linus' tree, but this patch isn't there yet. And I don't see it even in linux-next.

Do you have any plan to push it into the Linus' tree?

https://travis-ci.org/avagin/criu/builds/204341051

Thanks,
Andrei

>
> --
> James Morris
> <jmorris@namei.org>
>
On Wed, Feb 22, 2017 at 3:35 PM, Andrei Vagin <avagin@virtuozzo.com> wrote:
> On Wed, Feb 15, 2017 at 09:34:35AM +1100, James Morris wrote:
>> On Tue, 14 Feb 2017, Kees Cook wrote:
>>
>> > James, can you make sure this makes it into your -next tree for v4.11?
>>
>> Queued for next at:
>>
>> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git#next-queue
>
> The b25e67161c29 ("seccomp: dump core when using SECCOMP_RET_KILL") is
> in the Linus' tree, but this patch isn't there yet. And I don't see it
> even in linux-next.
>
> Do you have any plan to push it into the Linus' tree?
>
> https://travis-ci.org/avagin/criu/builds/204341051

Yup, I already called James's attention to this. He just sent a pull request with the fix.

-Kees
diff --git a/kernel/seccomp.c b/kernel/seccomp.c index f8f88ebcb3ba..e15185c28de5 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -643,11 +643,14 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, default: { siginfo_t info; audit_seccomp(this_syscall, SIGSYS, action); - /* Show the original registers in the dump. */ - syscall_rollback(current, task_pt_regs(current)); - /* Trigger a manual coredump since do_exit skips it. */ - seccomp_init_siginfo(&info, this_syscall, data); - do_coredump(&info); + /* Dump core only if this is the last remaining thread. */ + if (get_nr_threads(current) == 1) { + /* Show the original registers in the dump. */ + syscall_rollback(current, task_pt_regs(current)); + /* Trigger a manual coredump since do_exit skips it. */ + seccomp_init_siginfo(&info, this_syscall, data); + do_coredump(&info); + } do_exit(SIGSYS); } }
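Review bot: the comment on the new `if (get_nr_threads(current) == 1)` branch says "last remaining thread" while the commit message says "single-threaded process", and neither spells out the consequence for the other case: a thread killed while sibling threads are alive now leaves no core at all, only the `audit_seccomp()` record. Saying that in the comment would help anyone who came to rely on the dump from b25e67161c29. The thread count is also read with no locking visible in this hunk, so a sibling exiting at the same moment could cause the dump to be skipped for what is effectively the last thread; if that is acceptable, a word in the comment would make it explicit. As a smaller style point, `siginfo_t info;` is now used only inside the new branch and could be declared there.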
The SECCOMP_RET_KILL filter return code has always killed the current thread, not the entire process. Changing this as a side-effect of dumping core isn't a safe thing to do (a few test suites have already flagged this behavioral change). Instead, restore the RET_KILL semantics, but still dump core when a RET_KILL delivers SIGSYS to a single-threaded process.

Fixes: b25e67161c29 ("seccomp: dump core when using SECCOMP_RET_KILL")
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 kernel/seccomp.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
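
The thread-only semantics the commit message describes can be checked from userspace. The following is an added example, not part of the original patch or thread: a forked child starts a second thread that installs a `SECCOMP_RET_KILL` filter for `getppid()` and then calls it. The function name, the choice of `getppid()` and the exit codes are assumptions made for the demonstration.

```c
#define _GNU_SOURCE
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <pthread.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Second thread: filter getppid() with RET_KILL (demo filter, no arch check). */
static void *victim(void *arg)
{
	struct sock_filter insns[] = {
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
	};
	struct sock_fprog prog = { .len = 4, .filter = insns };

	(void)arg;
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
	    prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
		_exit(2);		/* seccomp filter mode unavailable */
	syscall(__NR_getppid);		/* the filter returns RET_KILL here */
	_exit(3);			/* reached only if the thread survived */
}

/* Returns the child's exit code; 42 means the process outlived the thread. */
int ret_kill_child_exit_code(void)
{
	int status;
	pid_t pid = fork();

	if (pid == 0) {
		pthread_t t;
		if (pthread_create(&t, NULL, victim, NULL))
			_exit(4);
		pthread_join(t, NULL);	/* returns once the killed thread is gone */
		_exit(42);		/* main thread is still running */
	}
	if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
		return -1;		/* child was terminated by a signal */
	return WEXITSTATUS(status);
}

int main(void)
{
	return ret_kill_child_exit_code() == 42 ? 0 : 1;
}
```

A return of 42 shows the filter ended only the offending thread. If the whole process is taken down instead, which is the behavioural change the commit message says test suites flagged, the child does not exit normally and the function returns -1.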