From patchwork Tue Feb  7 23:18:51 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kees Cook <keescook@chromium.org>
X-Patchwork-Id: 9561513
Return-Path: <linux-security-module-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	8991C60236
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Tue,  7 Feb 2017 23:27:20 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7F58E2847D
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Tue,  7 Feb 2017 23:27:20 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 7202728490; Tue,  7 Feb 2017 23:27:20 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DC3DC2847D
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Tue,  7 Feb 2017 23:27:19 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754279AbdBGX1T (ORCPT
	<rfc822;patchwork-linux-security-module@patchwork.kernel.org>);
	Tue, 7 Feb 2017 18:27:19 -0500
Received: from mail-pf0-f177.google.com ([209.85.192.177]:33312 "EHLO
	mail-pf0-f177.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751743AbdBGX1S (ORCPT
	<rfc822;linux-security-module@vger.kernel.org>);
	Tue, 7 Feb 2017 18:27:18 -0500
Received: by mail-pf0-f177.google.com with SMTP id y143so36676966pfb.0
	for <linux-security-module@vger.kernel.org>;
	Tue, 07 Feb 2017 15:27:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=chromium.org; s=google;
	h=date:from:to:cc:subject:message-id:mime-version:content-disposition;
	bh=kt0inSEUEqJCAf8I76j5XWiv+Gxr/DNJPZ2YH6W5CEc=;
	b=INnL7sh401slWDSwncO9ANdE1WDUljs3/Yz6tkF0C5xELhCK15fRpjaqWwDBuglFr2
	et9Z3fF5wrFHgkgAiYkwRt6jMbYM+NsAWEo0tTm0zyMmNwtrpz0amOiIGPKUuNdkdsnQ
	gTYnm1Z7Kpbpg29ddLPrgvTMSwODNmTlsKKBg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version
	:content-disposition;
	bh=kt0inSEUEqJCAf8I76j5XWiv+Gxr/DNJPZ2YH6W5CEc=;
	b=YRoGzreyHLF9TPtjYWXeGKHg49P5pwTyj5uh0JVFUTjGNkdiPl/5e+q9J0xEM6G+I4
	UnBSpr5sGzvnH9pcxGtRbThVOPHKEw+MdjhXh9nKfjG4VH2O3eHt5Q1+EqXHJtbRgF5b
	Ghc64ww1UmAhqMTGfJTyUwGXIYfRwwpcbNPU6lfftAbi0xYjgiDVHdCd1sORyOSDwiII
	pN8aXjgRx/+NUhDGJOTLIdHlMif+gQRiXbqv0t+aHfLGVEU7McJBwKQmH6gqcfAYHpZw
	UIlKKe3Z4VsNUJEzJCzVBqkqht/oxbo+N6SiELov4sJoBuxhFM2fbXt88H0ZEh8+Gwye
	/J8A==
X-Gm-Message-State: 
 AIkVDXKUa3JpeIoyzUFpYMV6vgYYBJ48QrYsdnIyWap5IIC8JXwMWQNKaxrMnkG+90T6ulBy
X-Received: by 10.84.194.37 with SMTP id g34mr29417365pld.105.1486509532726;
	Tue, 07 Feb 2017 15:18:52 -0800 (PST)
Received: from www.outflux.net
	(173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133])
	by smtp.gmail.com with ESMTPSA id
	z74sm14084444pfd.70.2017.02.07.15.18.51
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 07 Feb 2017 15:18:51 -0800 (PST)
Date: Tue, 7 Feb 2017 15:18:51 -0800
From: Kees Cook <keescook@chromium.org>
To: James Morris <james.l.morris@oracle.com>
Cc: Mike Frysinger <vapier@gentoo.org>, Paul Moore <paul@paul-moore.com>,
	Tyler Hicks <tyhicks@canonical.com>, Andrei Vagin <avagin@virtuozzo.com>,
	Andy Lutomirski <luto@amacapital.net>, Will Drewry <wad@chromium.org>,
	linux-security-module <linux-security-module@vger.kernel.org>,
	linux-kernel@vger.kernel.org
Subject: [PATCH] seccomp: Only dump core when single-threaded
Message-ID: <20170207231851.GA129818@beast>
MIME-Version: 1.0
Content-Disposition: inline
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>
X-Virus-Scanned: ClamAV using ClamSMTP

The SECCOMP_RET_KILL filter return code has always killed the current
thread, not the entire process. Changing this as a side-effect of dumping
core isn't a safe thing to do (a few test suites have already flagged this
behavioral change). Instead, restore the RET_KILL semantics, but still
dump core when a RET_KILL delivers SIGSYS to a single-threaded process.

Fixes: b25e67161c29 ("seccomp: dump core when using SECCOMP_RET_KILL")
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Andrei Vagin <avagin@virtuozzo.com>
---
 kernel/seccomp.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index f8f88ebcb3ba..e15185c28de5 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -643,11 +643,14 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd,
 	default: {
 		siginfo_t info;
 		audit_seccomp(this_syscall, SIGSYS, action);
-		/* Show the original registers in the dump. */
-		syscall_rollback(current, task_pt_regs(current));
-		/* Trigger a manual coredump since do_exit skips it. */
-		seccomp_init_siginfo(&info, this_syscall, data);
-		do_coredump(&info);
+		/* Dump core only if this is the last remaining thread. */
+		if (get_nr_threads(current) == 1) {
+			/* Show the original registers in the dump. */
+			syscall_rollback(current, task_pt_regs(current));
+			/* Trigger a manual coredump since do_exit skips it. */
+			seccomp_init_siginfo(&info, this_syscall, data);
+			do_coredump(&info);
+		}
 		do_exit(SIGSYS);
 	}
 	}