diff options
| author |   Linus Torvalds <torvalds@linux-foundation.org> | 2019-11-30 17:23:16 -0800 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2019-11-30 17:23:16 -0800 |
| commit | b94ae8ad9fe79da61231999f347f79645b909bda (patch) | |
| tree | 094ebce460d7903a1ab94616dd1f021ab9795955 /include/uapi | |
| parent | Merge tag 'audit-pr-20191126' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit (diff) | |
| parent | seccomp: rework define for SECCOMP_USER_NOTIF_FLAG_CONTINUE (diff) | |
| download | linux-dev-b94ae8ad9fe79da61231999f347f79645b909bda.tar.xz linux-dev-b94ae8ad9fe79da61231999f347f79645b909bda.zip | |
Merge tag 'seccomp-v5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull seccomp updates from Kees Cook:
"Mostly this is implementing the new flag SECCOMP_USER_NOTIF_FLAG_CONTINUE,
but there are cleanups as well.
- implement SECCOMP_USER_NOTIF_FLAG_CONTINUE (Christian Brauner)
- fixes to selftests (Christian Brauner)
- remove secure_computing() argument (Christian Brauner)"
* tag 'seccomp-v5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
seccomp: rework define for SECCOMP_USER_NOTIF_FLAG_CONTINUE
seccomp: fix SECCOMP_USER_NOTIF_FLAG_CONTINUE test
seccomp: simplify secure_computing()
seccomp: test SECCOMP_USER_NOTIF_FLAG_CONTINUE
seccomp: add SECCOMP_USER_NOTIF_FLAG_CONTINUE
seccomp: avoid overflow in implicit constant conversion
Diffstat (limited to 'include/uapi')
| -rw-r--r-- | include/uapi/linux/seccomp.h | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h index 90734aa5aa36..be84d87f1f46 100644 --- a/include/uapi/linux/seccomp.h +++ b/include/uapi/linux/seccomp.h @@ -76,6 +76,35 @@ struct seccomp_notif { struct seccomp_data data; }; +/* + * Valid flags for struct seccomp_notif_resp + * + * Note, the SECCOMP_USER_NOTIF_FLAG_CONTINUE flag must be used with caution! + * If set by the process supervising the syscalls of another process the + * syscall will continue. This is problematic because of an inherent TOCTOU. + * An attacker can exploit the time while the supervised process is waiting on + * a response from the supervising process to rewrite syscall arguments which + * are passed as pointers of the intercepted syscall. + * It should be absolutely clear that this means that the seccomp notifier + * _cannot_ be used to implement a security policy! It should only ever be used + * in scenarios where a more privileged process supervises the syscalls of a + * lesser privileged process to get around kernel-enforced security + * restrictions when the privileged process deems this safe. In other words, + * in order to continue a syscall the supervising process should be sure that + * another security mechanism or the kernel itself will sufficiently block + * syscalls if arguments are rewritten to something unsafe. + * + * Similar precautions should be applied when stacking SECCOMP_RET_USER_NOTIF + * or SECCOMP_RET_TRACE. For SECCOMP_RET_USER_NOTIF filters acting on the + * same syscall, the most recently added filter takes precedence. This means + * that the new SECCOMP_RET_USER_NOTIF filter can override any + * SECCOMP_IOCTL_NOTIF_SEND from earlier filters, essentially allowing all + * such filtered syscalls to be executed by sending the response + * SECCOMP_USER_NOTIF_FLAG_CONTINUE. Note that SECCOMP_RET_TRACE can equally + * be overriden by SECCOMP_USER_NOTIF_FLAG_CONTINUE. + */ +#define SECCOMP_USER_NOTIF_FLAG_CONTINUE (1UL << 0) + struct seccomp_notif_resp { __u64 id; __s64 val; |