Message ID | 20231009124046.74710-3-hengqi.chen@gmail.com
---|---
State | New
Headers | From: Hengqi Chen <hengqi.chen@gmail.com>; To: linux-kernel@vger.kernel.org, bpf@vger.kernel.org; Cc: keescook@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, luto@amacapital.net, wad@chromium.org, alexyonghe@tencent.com, hengqi.chen@gmail.com; Subject: [PATCH 2/4] seccomp, bpf: Introduce SECCOMP_LOAD_FILTER operation; Date: Mon, 9 Oct 2023 12:40:44 +0000; Message-Id: <20231009124046.74710-3-hengqi.chen@gmail.com>; In-Reply-To / References: <20231009124046.74710-1-hengqi.chen@gmail.com>; X-Mailer: git-send-email 2.34.1; List-ID: <linux-kernel.vger.kernel.org>
Series | seccomp: Make seccomp filter reusable
Commit Message
Hengqi Chen
Oct. 9, 2023, 12:40 p.m. UTC
This patch adds a new operation named SECCOMP_LOAD_FILTER.
It accepts the same arguments as SECCOMP_SET_MODE_FILTER
but only performs the loading process. If it succeeds, it returns a
new fd associated with the JITed BPF program (the filter).
The filter can then be pinned to bpffs using the returned
fd and reused for different processes. To distinguish the
filter from other BPF progs, BPF_PROG_TYPE_SECCOMP is added.
Signed-off-by: Hengqi Chen <hengqi.chen@gmail.com>
---
include/uapi/linux/bpf.h | 1 +
include/uapi/linux/seccomp.h | 1 +
kernel/seccomp.c | 40 ++++++++++++++++++++++++++++++++++++
3 files changed, 42 insertions(+)
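How a user-space caller would use the operation described in the commit message, as an added example that is not part of this patch series or of the kernel tree: it builds a classic-BPF seccomp filter, checks what the filter decides for a few syscalls with a small user-space cBPF evaluator (written for this example; it covers only the three instruction kinds the filter uses), and then asks the kernel for a reusable fd with seccomp(SECCOMP_LOAD_FILTER, 0, &prog). SECCOMP_LOAD_FILTER is defined locally with the value from the patch's seccomp.h hunk, the refused syscall (getpgid) is an arbitrary constructed choice, and on a kernel without this series the load comes back -EINVAL, which the code reports instead of treating as a failure.

```c
/* Added example, not part of the patch series: build a classic-BPF seccomp
 * filter, evaluate it in user space, then ask the kernel for a reusable fd
 * for it through the proposed SECCOMP_LOAD_FILTER operation. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_LOAD_FILTER
#define SECCOMP_LOAD_FILTER 4   /* value from the patch's seccomp.h hunk; assumption until merged */
#endif

/* A seccomp filter must pin the syscall ABI before it trusts the number. */
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define ARCH_NR AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#define ARCH_NR 0   /* unknown ABI: the filter then kills every syscall (fails closed) */
#endif

#define DENIED_NR __NR_getpgid   /* constructed choice of syscall to refuse */

/* Constructed filter: kill on a foreign ABI, EPERM for DENIED_NR, allow the rest. */
static struct sock_filter deny_insns[] = {
	BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
	BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DENIED_NR, 0, 1),
	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
static struct sock_fprog deny_prog = {
	.len = sizeof(deny_insns) / sizeof(deny_insns[0]),
	.filter = deny_insns,
};

/* User-space evaluator for the instruction subset used above (LD|W|ABS,
 * JMP|JEQ|K, RET|K). Returns the SECCOMP_RET_* value the kernel would act
 * on, or UINT32_MAX for anything else (the kernel rejects such filters). */
static uint32_t eval_filter(const struct sock_fprog *fp, const struct seccomp_data *sd)
{
	uint32_t acc = 0;
	unsigned int pc;

	for (pc = 0; pc < fp->len; pc++) {
		const struct sock_filter *in = &fp->filter[pc];

		switch (in->code) {
		case BPF_LD | BPF_W | BPF_ABS:
			/* loads must be 4-byte aligned and inside struct seccomp_data */
			if (in->k % 4 || in->k + 4 > sizeof(*sd))
				return UINT32_MAX;
			memcpy(&acc, (const unsigned char *)sd + in->k, sizeof(acc));
			break;
		case BPF_JMP | BPF_JEQ | BPF_K:
			pc += (acc == in->k) ? in->jt : in->jf;   /* relative to the next insn */
			break;
		case BPF_RET | BPF_K:
			return in->k;
		default:
			return UINT32_MAX;
		}
	}
	return UINT32_MAX;   /* ran off the end */
}

/* Action the filter above takes for syscall nr under ABI arch. */
static uint32_t decide_for_arch(int nr, uint32_t arch)
{
	struct seccomp_data sd;

	memset(&sd, 0, sizeof(sd));
	sd.nr = nr;
	sd.arch = arch;
	return eval_filter(&deny_prog, &sd);
}

/* Request a reusable filter fd. Returns the fd, or -errno: -EINVAL on a
 * kernel that does not know the op, i.e. one without this series. */
static int seccomp_load_filter_fd(const struct sock_fprog *fp)
{
	long fd = syscall(SYS_seccomp, SECCOMP_LOAD_FILTER, 0, fp);

	return fd < 0 ? -errno : (int)fd;
}

/* 1 if the op either worked or was refused for an expected reason. */
static int load_probe_ok(void)
{
	int fd = seccomp_load_filter_fd(&deny_prog);

	if (fd >= 0) {
		close(fd);
		return 1;
	}
	return fd == -EINVAL || fd == -ENOSYS || fd == -EPERM;
}

int main(void)
{
	int fd = seccomp_load_filter_fd(&deny_prog);

	printf("getpgid -> 0x%x, getpid -> 0x%x\n",
	       (unsigned int)decide_for_arch(__NR_getpgid, ARCH_NR),
	       (unsigned int)decide_for_arch(__NR_getpid, ARCH_NR));
	if (fd < 0) {
		printf("SECCOMP_LOAD_FILTER unavailable: %s\n", strerror(-fd));
		return 0;
	}
	printf("filter fd %d: pin it to bpffs to reuse it across processes\n", fd);
	close(fd);
	return 0;
}
```

The evaluator mirrors the two invariants the kernel enforces on a seccomp filter, in-bounds aligned loads from struct seccomp_data and a terminating RET, so a filter that passes it here is one the kernel will accept; the arch check at the top is what stops a 32-bit ABI syscall number from being mistaken for the 64-bit one the filter was written for.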
Comments
On Mon, Oct 09, 2023 at 12:40:44PM +0000, Hengqi Chen wrote:
> This patch adds a new operation named SECCOMP_LOAD_FILTER.
> It accepts the same arguments as SECCOMP_SET_MODE_FILTER
> but only performs the loading process. If succeed, return a
> new fd associated with the JITed BPF program (the filter).
> The filter can then be pinned to bpffs using the returned
> fd and reused for different processes. To distinguish the
> filter from other BPF progs, BPF_PROG_TYPE_SECCOMP is added.
>
> Signed-off-by: Hengqi Chen <hengqi.chen@gmail.com>

This part looks okay, I think. I need to spend some more time looking at
the BPF side. I want to make sure it is only possible to build a
BPF_PROG_TYPE_SECCOMP prog by going through seccomp. I want to make sure
we can never side-load some kind of unexpected program into seccomp,
etc. Since BPF_PROG_TYPE_SECCOMP is part of UAPI, is this controllable
through the bpf() syscall?

One thought I had, though, is I wonder if flags are needed to be
included with the fd? I'll ponder this a bit more...

--
Kees Cook
Hi Hengqi,

kernel test robot noticed the following build errors:

[auto build test ERROR on kees/for-next/seccomp]
[also build test ERROR on bpf-next/master bpf/master kees/for-next/pstore kees/for-next/kspp linus/master v6.6-rc5 next-20231010]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Hengqi-Chen/seccomp-Refactor-filter-copy-create-for-reuse/20231010-100354
base:   https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/seccomp
patch link:    https://lore.kernel.org/r/20231009124046.74710-3-hengqi.chen%40gmail.com
patch subject: [PATCH 2/4] seccomp, bpf: Introduce SECCOMP_LOAD_FILTER operation
config: um-allyesconfig (https://download.01.org/0day-ci/archive/20231011/202310111556.DzEDzt3Z-lkp@intel.com/config)
compiler: clang version 14.0.6 (https://github.com/llvm/llvm-project.git f28c006a5895fc0e329fe15fead81e37457cb1d1)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20231011/202310111556.DzEDzt3Z-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202310111556.DzEDzt3Z-lkp@intel.com/

All errors (new ones prefixed by >>):

   In file included from kernel/seccomp.c:29:
   In file included from include/linux/syscalls.h:90:
   In file included from include/trace/syscall.h:7:
   In file included from include/linux/trace_events.h:9:
   In file included from include/linux/hardirq.h:11:
   In file included from arch/um/include/asm/hardirq.h:5:
   In file included from include/asm-generic/hardirq.h:17:
   In file included from include/linux/irq.h:20:
   In file included from include/linux/io.h:13:
   In file included from arch/um/include/asm/io.h:24:
   include/asm-generic/io.h:547:31: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           val = __raw_readb(PCI_IOBASE + addr);
   include/asm-generic/io.h:560:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           val = __le16_to_cpu((__le16 __force)__raw_readw(PCI_IOBASE + addr));
   include/uapi/linux/byteorder/little_endian.h:37:51: note: expanded from macro '__le16_to_cpu'
   #define __le16_to_cpu(x) ((__force __u16)(__le16)(x))
   include/asm-generic/io.h:573:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           val = __le32_to_cpu((__le32 __force)__raw_readl(PCI_IOBASE + addr));
   include/uapi/linux/byteorder/little_endian.h:35:51: note: expanded from macro '__le32_to_cpu'
   #define __le32_to_cpu(x) ((__force __u32)(__le32)(x))
   include/asm-generic/io.h:584:33: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           __raw_writeb(value, PCI_IOBASE + addr);
   include/asm-generic/io.h:594:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           __raw_writew((u16 __force)cpu_to_le16(value), PCI_IOBASE + addr);
   include/asm-generic/io.h:604:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           __raw_writel((u32 __force)cpu_to_le32(value), PCI_IOBASE + addr);
   include/asm-generic/io.h:692:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           readsb(PCI_IOBASE + addr, buffer, count);
   include/asm-generic/io.h:700:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           readsw(PCI_IOBASE + addr, buffer, count);
   include/asm-generic/io.h:708:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           readsl(PCI_IOBASE + addr, buffer, count);
   include/asm-generic/io.h:717:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           writesb(PCI_IOBASE + addr, buffer, count);
   include/asm-generic/io.h:726:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           writesw(PCI_IOBASE + addr, buffer, count);
   include/asm-generic/io.h:735:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           writesl(PCI_IOBASE + addr, buffer, count);
>> kernel/seccomp.c:2046:8: error: implicit declaration of function 'security_bpf_prog_alloc' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
           ret = security_bpf_prog_alloc(prog->aux);
                 ^
   kernel/seccomp.c:2046:8: note: did you mean 'security_msg_msg_alloc'?
   include/linux/security.h:1245:19: note: 'security_msg_msg_alloc' declared here
   static inline int security_msg_msg_alloc(struct msg_msg *msg)
                     ^
>> kernel/seccomp.c:2056:8: error: implicit declaration of function 'bpf_prog_new_fd' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
           ret = bpf_prog_new_fd(prog);
                 ^
   12 warnings and 2 errors generated.


vim +/security_bpf_prog_alloc +2046 kernel/seccomp.c

  2031	
  2032	static long seccomp_load_filter(const char __user *filter)
  2033	{
  2034		struct sock_fprog fprog;
  2035		struct bpf_prog *prog;
  2036		int ret;
  2037	
  2038		ret = seccomp_copy_user_filter(filter, &fprog);
  2039		if (ret)
  2040			return ret;
  2041	
  2042		ret = seccomp_prepare_prog(&prog, &fprog);
  2043		if (ret)
  2044			return ret;
  2045	
> 2046		ret = security_bpf_prog_alloc(prog->aux);
  2047		if (ret) {
  2048			bpf_prog_free(prog);
  2049			return ret;
  2050		}
  2051	
  2052		prog->aux->user = get_current_user();
  2053		atomic64_set(&prog->aux->refcnt, 1);
  2054		prog->type = BPF_PROG_TYPE_SECCOMP;
  2055	
> 2056		ret = bpf_prog_new_fd(prog);
  2057		if (ret < 0)
  2058			bpf_prog_put(prog);
  2059		return ret;
  2060	}
  2061	#else
  2062	static inline long seccomp_set_mode_filter(unsigned int flags,
  2063						   const char __user *filter)
  2064	{
  2065		return -EINVAL;
  2066	}
  2067	
Hi Hengqi,

kernel test robot noticed the following build errors:

[auto build test ERROR on kees/for-next/seccomp]
[also build test ERROR on bpf-next/master bpf/master kees/for-next/pstore kees/for-next/kspp linus/master v6.6-rc5 next-20231010]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Hengqi-Chen/seccomp-Refactor-filter-copy-create-for-reuse/20231010-100354
base:   https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/seccomp
patch link:    https://lore.kernel.org/r/20231009124046.74710-3-hengqi.chen%40gmail.com
patch subject: [PATCH 2/4] seccomp, bpf: Introduce SECCOMP_LOAD_FILTER operation
config: um-allnoconfig (https://download.01.org/0day-ci/archive/20231011/202310111723.tp3m8LGq-lkp@intel.com/config)
compiler: clang version 17.0.0 (https://github.com/llvm/llvm-project.git 4a5ac14ee968ff0ad5d2cc1ffa0299048db4c88a)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20231011/202310111723.tp3m8LGq-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202310111723.tp3m8LGq-lkp@intel.com/

All errors (new ones prefixed by >>):

   In file included from kernel/seccomp.c:29:
   In file included from include/linux/syscalls.h:90:
   In file included from include/trace/syscall.h:7:
   In file included from include/linux/trace_events.h:9:
   In file included from include/linux/hardirq.h:11:
   In file included from arch/um/include/asm/hardirq.h:5:
   In file included from include/asm-generic/hardirq.h:17:
   In file included from include/linux/irq.h:20:
   In file included from include/linux/io.h:13:
   In file included from arch/um/include/asm/io.h:24:
   include/asm-generic/io.h:547:31: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     547 |         val = __raw_readb(PCI_IOBASE + addr);
   include/asm-generic/io.h:560:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     560 |         val = __le16_to_cpu((__le16 __force)__raw_readw(PCI_IOBASE + addr));
   include/uapi/linux/byteorder/little_endian.h:37:51: note: expanded from macro '__le16_to_cpu'
      37 | #define __le16_to_cpu(x) ((__force __u16)(__le16)(x))
   include/asm-generic/io.h:573:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     573 |         val = __le32_to_cpu((__le32 __force)__raw_readl(PCI_IOBASE + addr));
   include/uapi/linux/byteorder/little_endian.h:35:51: note: expanded from macro '__le32_to_cpu'
      35 | #define __le32_to_cpu(x) ((__force __u32)(__le32)(x))
   include/asm-generic/io.h:584:33: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     584 |         __raw_writeb(value, PCI_IOBASE + addr);
   include/asm-generic/io.h:594:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     594 |         __raw_writew((u16 __force)cpu_to_le16(value), PCI_IOBASE + addr);
   include/asm-generic/io.h:604:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     604 |         __raw_writel((u32 __force)cpu_to_le32(value), PCI_IOBASE + addr);
   include/asm-generic/io.h:692:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     692 |         readsb(PCI_IOBASE + addr, buffer, count);
   include/asm-generic/io.h:700:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     700 |         readsw(PCI_IOBASE + addr, buffer, count);
   include/asm-generic/io.h:708:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     708 |         readsl(PCI_IOBASE + addr, buffer, count);
   include/asm-generic/io.h:717:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     717 |         writesb(PCI_IOBASE + addr, buffer, count);
   include/asm-generic/io.h:726:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     726 |         writesw(PCI_IOBASE + addr, buffer, count);
   include/asm-generic/io.h:735:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     735 |         writesl(PCI_IOBASE + addr, buffer, count);
>> kernel/seccomp.c:2046:8: error: call to undeclared function 'security_bpf_prog_alloc'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
    2046 |         ret = security_bpf_prog_alloc(prog->aux);
         |               ^
   kernel/seccomp.c:2046:8: note: did you mean 'security_msg_msg_alloc'?
   include/linux/security.h:1245:19: note: 'security_msg_msg_alloc' declared here
    1245 | static inline int security_msg_msg_alloc(struct msg_msg *msg)
         |                   ^
>> kernel/seccomp.c:2056:8: error: call to undeclared function 'bpf_prog_new_fd'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
    2056 |         ret = bpf_prog_new_fd(prog);
         |               ^
   12 warnings and 2 errors generated.
On Wed, Oct 11, 2023 at 8:24 AM Kees Cook <keescook@chromium.org> wrote:
>
> On Mon, Oct 09, 2023 at 12:40:44PM +0000, Hengqi Chen wrote:
> > This patch adds a new operation named SECCOMP_LOAD_FILTER.
> > It accepts the same arguments as SECCOMP_SET_MODE_FILTER
> > but only performs the loading process. If succeed, return a
> > new fd associated with the JITed BPF program (the filter).
> > The filter can then be pinned to bpffs using the returned
> > fd and reused for different processes. To distinguish the
> > filter from other BPF progs, BPF_PROG_TYPE_SECCOMP is added.
> >
> > Signed-off-by: Hengqi Chen <hengqi.chen@gmail.com>
>
> This part looks okay, I think. I need to spend some more time looking at
> the BPF side. I want to make sure it is only possible to build a
> BPF_PROG_TYPE_SECCOMP prog by going through seccomp. I want to make sure
> we can never side-load some kind of unexpected program into seccomp,
> etc. Since BPF_PROG_TYPE_SECCOMP is part of UAPI, is this controllable
> through the bpf() syscall?
>

Currently, it fails at find_prog_type() since we don't register the prog type to BPF.

> One thought I had, though, is I wonder if flags are needed to be
> included with the fd? I'll ponder this a bit more...
>

bpf_prog_new_fd() already sets O_RDWR and O_CLOEXEC.

> --
> Kees Cook
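The property Kees asks about and the answer above (the load is refused in find_prog_type() because the type is never registered with the BPF core) can be checked from user space. The following is an added example, not code from the series or from the kernel: it attempts bpf(BPF_PROG_LOAD) with a two-instruction "return 0" program under the numeric value BPF_PROG_TYPE_SECCOMP would have (33, assumed from its position directly after BPF_PROG_TYPE_NETFILTER in the bpf.h hunk) and, as a control, the same load under BPF_PROG_TYPE_SOCKET_FILTER. On a kernel without the series the value is simply an unknown type and is refused the same way (typically -EINVAL for a caller privileged enough to reach the type lookup, -EPERM for one turned away earlier); where bpf() itself is blocked, both loads fail and the probe is inconclusive, which the control makes visible.

```c
/* Added example, not part of the patch series: can a seccomp-typed program
 * be side-loaded through bpf(BPF_PROG_LOAD) instead of through seccomp()? */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

/* Assumed value: the hunk appends BPF_PROG_TYPE_SECCOMP directly after
 * BPF_PROG_TYPE_NETFILTER (32 on the tree this series targets). */
#define ASSUMED_BPF_PROG_TYPE_SECCOMP 33u

/* Try to load "r0 = 0; exit" as the given program type.
 * Returns the new program fd (>= 0) on success, otherwise -errno. */
static int try_prog_load(uint32_t prog_type)
{
	struct bpf_insn insns[2];
	union bpf_attr attr;
	long fd;

	memset(insns, 0, sizeof(insns));
	insns[0].code = BPF_ALU64 | BPF_MOV | BPF_K;   /* r0 = 0 */
	insns[0].dst_reg = BPF_REG_0;
	insns[1].code = BPF_JMP | BPF_EXIT;            /* exit */

	memset(&attr, 0, sizeof(attr));
	attr.prog_type = prog_type;
	attr.insn_cnt = 2;
	attr.insns = (uint64_t)(uintptr_t)insns;
	attr.license = (uint64_t)(uintptr_t)"GPL";

	fd = syscall(SYS_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
	return fd < 0 ? -errno : (int)fd;
}

/* 1 if the kernel refuses to build a seccomp-typed program via bpf(),
 * which is the property the review asks for; 0 means it accepted one. */
static int seccomp_type_not_sideloadable(void)
{
	int fd = try_prog_load(ASSUMED_BPF_PROG_TYPE_SECCOMP);

	if (fd >= 0) {
		close(fd);   /* the kernel accepted it: that is the bug to report */
		return 0;
	}
	return 1;
}

int main(void)
{
	int control = try_prog_load(BPF_PROG_TYPE_SOCKET_FILTER);
	int probe = try_prog_load(ASSUMED_BPF_PROG_TYPE_SECCOMP);

	if (control < 0)
		printf("control load failed (%s): bpf() unusable here, probe inconclusive\n",
		       strerror(-control));
	else
		close(control);
	if (probe >= 0) {
		printf("side-load ACCEPTED as fd %d\n", probe);
		close(probe);
	} else {
		printf("side-load rejected: %s\n", strerror(-probe));
	}
	return 0;
}
```

Run it as root (or with CAP_BPF) on a kernel carrying the series: the control load should succeed and the probe should fail with EINVAL, which is the find_prog_type() rejection the reply describes; any other outcome for the probe is worth reporting on this thread.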
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index 70bfa997e896..8890fb776bbb 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -995,6 +995,7 @@ enum bpf_prog_type { BPF_PROG_TYPE_SK_LOOKUP, BPF_PROG_TYPE_SYSCALL, /* a program that can execute syscalls */ BPF_PROG_TYPE_NETFILTER, + BPF_PROG_TYPE_SECCOMP, }; enum bpf_attach_type { diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h index dbfc9b37fcae..ee2c83697810 100644 --- a/include/uapi/linux/seccomp.h +++ b/include/uapi/linux/seccomp.h @@ -16,6 +16,7 @@ #define SECCOMP_SET_MODE_FILTER 1 #define SECCOMP_GET_ACTION_AVAIL 2 #define SECCOMP_GET_NOTIF_SIZES 3 +#define SECCOMP_LOAD_FILTER 4 /* Valid flags for SECCOMP_SET_MODE_FILTER */ #define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 37490497f687..3ae43db3b642 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -2028,12 +2028,47 @@ static long seccomp_set_mode_filter(unsigned int flags, seccomp_filter_free(prepared); return ret; } + +static long seccomp_load_filter(const char __user *filter) +{ + struct sock_fprog fprog; + struct bpf_prog *prog; + int ret; + + ret = seccomp_copy_user_filter(filter, &fprog); + if (ret) + return ret; + + ret = seccomp_prepare_prog(&prog, &fprog); + if (ret) + return ret; + + ret = security_bpf_prog_alloc(prog->aux); + if (ret) { + bpf_prog_free(prog); + return ret; + } + + prog->aux->user = get_current_user(); + atomic64_set(&prog->aux->refcnt, 1); + prog->type = BPF_PROG_TYPE_SECCOMP; + + ret = bpf_prog_new_fd(prog); + if (ret < 0) + bpf_prog_put(prog); + return ret; +} #else static inline long seccomp_set_mode_filter(unsigned int flags, const char __user *filter) { return -EINVAL; } + +static inline long seccomp_load_filter(const char __user *filter) +{ + return -EINVAL; +} #endif static long seccomp_get_action_avail(const char __user *uaction) 
@@ -2095,6 +2130,11 @@ static long do_seccomp(unsigned int op, unsigned int flags, return -EINVAL; return seccomp_get_notif_sizes(uargs); + case SECCOMP_LOAD_FILTER: + if (flags != 0) + return -EINVAL; + + return seccomp_load_filter(uargs); default: return -EINVAL; }
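Review bot: the bpf.h hunk makes BPF_PROG_TYPE_SECCOMP UAPI without saying how a program of that type can come into being; the neighbouring BPF_PROG_TYPE_SYSCALL entry carries a comment, so give this one the same, e.g. `BPF_PROG_TYPE_SECCOMP, /* created only via seccomp(SECCOMP_LOAD_FILTER), rejected by BPF_PROG_LOAD */`, since the reply in this thread states that the type is deliberately not registered with the BPF core and find_prog_type() refuses it, and that contract is what a header reader (and libbpf/bpftool, which will otherwise print the value as an unknown type) needs to see.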
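Review bot: the seccomp.h hunk adds SECCOMP_LOAD_FILTER as op 4 with no documentation of its semantics; the diffstat touches only the two headers and kernel/seccomp.c, so neither Documentation/userspace-api/seccomp_filter.rst nor the seccomp(2) description learns that the op takes a struct sock_fprog pointer, accepts no flags and returns a BPF program fd. The block directly below the hunk is headed '/* Valid flags for SECCOMP_SET_MODE_FILTER */'; state next to it that no flags are currently valid for SECCOMP_LOAD_FILTER so that a future SECCOMP_FILTER_FLAG_* is not silently assumed to apply to both ops.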
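Review bot: in seccomp_load_filter() the LSM hook security_bpf_prog_alloc(prog->aux) runs before `prog->type = BPF_PROG_TYPE_SECCOMP;` and before aux->user is set, so an LSM that wants to allow or deny seccomp-typed programs specifically sees BPF_PROG_TYPE_UNSPEC at that point; set prog->type (and aux->user) first, then call the hook, and confirm that the matching security_bpf_prog_free() is reached on the bpf_prog_put() path for a program created here rather than through bpf_prog_load(). Two related gaps: nothing in this function allocates a BPF program ID, so a loaded but not yet attached filter cannot be found by ID-based introspection or audit (if that is intended, the commit message should say so); and both kernel test robot reports in this thread show security_bpf_prog_alloc() and bpf_prog_new_fd() undeclared on UML configs, which is what happens when CONFIG_BPF_SYSCALL is not set, so this code needs to be guarded by, or the feature made to depend on, CONFIG_BPF_SYSCALL, which pinning to bpffs requires anyway.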
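Review bot: the do_seccomp() hunk returns -EINVAL for any non-zero flags, while the commit message says the op 'accepts the same arguments as SECCOMP_SET_MODE_FILTER', whose flags argument carries SECCOMP_FILTER_FLAG_*; make the commit message and the header say that only the filter pointer is shared and that flags are reserved and must be zero, which also answers the question in this thread about whether flags need to travel with the fd (the reserved flags leave room for that later). Separately, SECCOMP_SET_MODE_FILTER requires no_new_privs or CAP_SYS_ADMIN in the caller's user namespace before a filter may be installed; neither this hunk nor seccomp_load_filter() applies any such check, so the series should state whether creating a filter object is meant to be unprivileged (and, if so, what bounds the kernel memory an unprivileged caller can tie up in unattached filter fds) and confirm that the attach path that consumes the fd enforces the same rule as SECCOMP_SET_MODE_FILTER.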