fe6c59dc
编写于
7月 20, 2015
作者:
J
James Morris
Merge tag 'seccomp-next' of
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
into next
上级
52721d9d
221272f9
变更
5
Showing
5 changed file
with
31 addition
and
8 deletion
+31
-8
include/linux/ptrace.h
include/linux/ptrace.h
+1
-0
include/linux/seccomp.h
include/linux/seccomp.h
+1
-1
include/uapi/linux/ptrace.h
include/uapi/linux/ptrace.h
+4
-2
kernel/ptrace.c
kernel/ptrace.c
+13
-0
kernel/seccomp.c
kernel/seccomp.c
+12
-5
include/linux/ptrace.h
@@ -34,6 +34,7 @@
#define PT_TRACE_SECCOMP PT_EVENT_FLAG(PTRACE_EVENT_SECCOMP)
#define PT_EXITKILL (PTRACE_O_EXITKILL << PT_OPT_FLAG_SHIFT)
#define PT_SUSPEND_SECCOMP (PTRACE_O_SUSPEND_SECCOMP << PT_OPT_FLAG_SHIFT)
/* single stepping state bits (used on ARM and PA-RISC) */
#define PT_SINGLESTEP_BIT 31
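Review bot: The new PT_SUSPEND_SECCOMP flag is added without a comment, so a reader has to cross-reference kernel/seccomp.c in this same commit to learn that, once the bit is set on a tracee, secure_computing_strict() and seccomp_phase1() return before any filter runs. A one-line comment above the define would make that effect visible where the flag is declared: `/* tracer has suspended seccomp filtering on this task (PTRACE_O_SUSPEND_SECCOMP) */`. The surrounding option-flag definitions follow the same PT_OPT_FLAG_SHIFT pattern, so the placement itself is fine.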
include/linux/seccomp.h
@@ -78,7 +78,7 @@ static inline long prctl_set_seccomp(unsigned long arg2, char __user *arg3)
static
inline
int
seccomp_mode
(
struct
seccomp
*
s
)
{
return
0
;
return
SECCOMP_MODE_DISABLED
;
}
#endif
/* CONFIG_SECCOMP */
include/uapi/linux/ptrace.h
@@ -89,9 +89,11 @@ struct ptrace_peeksiginfo_args {
#define PTRACE_O_TRACESECCOMP (1 << PTRACE_EVENT_SECCOMP)
/* eventless options */
#define PTRACE_O_EXITKILL (1 << 20)
#define PTRACE_O_EXITKILL (1 << 20)
#define PTRACE_O_SUSPEND_SECCOMP (1 << 21)
#define PTRACE_O_MASK (0x000000ff | PTRACE_O_EXITKILL)
#define PTRACE_O_MASK (\
0x000000ff | PTRACE_O_EXITKILL | PTRACE_O_SUSPEND_SECCOMP)
#include <asm/ptrace.h>
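Review bot: PTRACE_O_SUSPEND_SECCOMP is a new user-visible option, but the uapi header gives no hint that it is privileged; kernel/ptrace.c in this commit rejects it without CAP_SYS_ADMIN and CONFIG_CHECKPOINT_RESTORE, and refuses it when the tracer is itself under seccomp. Userspace authors read this header rather than ptrace.c, so a short comment next to the define is warranted: `/* suspend seccomp filtering on the tracee; needs CAP_SYS_ADMIN and CONFIG_CHECKPOINT_RESTORE, see ptrace_setoptions() */`. The widened PTRACE_O_MASK on the following lines correctly admits the new bit, so the `data & ~PTRACE_O_MASK` rejection in ptrace_setoptions() will let it through.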
kernel/ptrace.c
@@ -556,6 +556,19 @@ static int ptrace_setoptions(struct task_struct *child, unsigned long data)
if
(
data
&
~
(
unsigned
long
)
PTRACE_O_MASK
)
return
-
EINVAL
;
if
(
unlikely
(
data
&
PTRACE_O_SUSPEND_SECCOMP
))
{
if
(
!
config_enabled
(
CONFIG_CHECKPOINT_RESTORE
)
||
!
config_enabled
(
CONFIG_SECCOMP
))
return
-
EINVAL
;
if
(
!
capable
(
CAP_SYS_ADMIN
))
return
-
EPERM
;
if
(
seccomp_mode
(
&
current
->
seccomp
)
!=
SECCOMP_MODE_DISABLED
||
current
->
ptrace
&
PT_SUSPEND_SECCOMP
)
return
-
EPERM
;
}
/* Avoid intermediate state when all opts are cleared */
flags
=
child
->
ptrace
;
flags
&=
~
(
PTRACE_O_MASK
<<
PT_OPT_FLAG_SHIFT
);
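Review bot: The security reasoning behind the last check in the new block is not stated anywhere: refusing the option when `seccomp_mode(&current->seccomp) != SECCOMP_MODE_DISABLED`, or when the tracer itself carries PT_SUSPEND_SECCOMP, is what keeps a seccomp-confined process from lifting filters on a tracee and issuing syscalls through it, and a comment should say so, e.g. `/* A tracer that is itself confined by seccomp, or whose own filtering is suspended, must not be able to lift filtering on a tracee. */`. The mixed `!= ... || a & b` condition also reads more clearly with the bitwise test parenthesized: `(current->ptrace & PT_SUSPEND_SECCOMP)`. Note that the tracer's seccomp state is only examined at the moment the option is set; whether a later change to the tracer's own mode is meant to be covered is not decided by this hunk. ptrace_setoptions() begins before the hunk and continues after it.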
kernel/seccomp.c
@@ -175,17 +175,16 @@ static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen)
*/
static
u32
seccomp_run_filters
(
struct
seccomp_data
*
sd
)
{
struct
seccomp_filter
*
f
=
ACCESS_ONCE
(
current
->
seccomp
.
filter
);
struct
seccomp_data
sd_local
;
u32
ret
=
SECCOMP_RET_ALLOW
;
/* Make sure cross-thread synced filter points somewhere sane. */
struct
seccomp_filter
*
f
=
lockless_dereference
(
current
->
seccomp
.
filter
);
/* Ensure unexpected behavior doesn't result in failing open. */
if
(
unlikely
(
WARN_ON
(
f
==
NULL
)))
return
SECCOMP_RET_KILL
;
/* Make sure cross-thread synced filter points somewhere sane. */
smp_read_barrier_depends
();
if
(
!
sd
)
{
populate_seccomp_data
(
&
sd_local
);
sd
=
&
sd_local
;
@@ -549,7 +548,11 @@ void secure_computing_strict(int this_syscall)
{
int
mode
=
current
->
seccomp
.
mode
;
if
(
mode
==
0
)
if
(
config_enabled
(
CONFIG_CHECKPOINT_RESTORE
)
&&
unlikely
(
current
->
ptrace
&
PT_SUSPEND_SECCOMP
))
return
;
if
(
mode
==
SECCOMP_MODE_DISABLED
)
return
;
else
if
(
mode
==
SECCOMP_MODE_STRICT
)
__secure_computing_strict
(
this_syscall
);
@@ -650,6 +653,10 @@ u32 seccomp_phase1(struct seccomp_data *sd)
int
this_syscall
=
sd
?
sd
->
nr
:
syscall_get_nr
(
current
,
task_pt_regs
(
current
));
if
(
config_enabled
(
CONFIG_CHECKPOINT_RESTORE
)
&&
unlikely
(
current
->
ptrace
&
PT_SUSPEND_SECCOMP
))
return
SECCOMP_PHASE1_OK
;
switch
(
mode
)
{
case
SECCOMP_MODE_STRICT
:
__secure_computing_strict
(
this_syscall
);
/* may call do_exit */
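Review bot: The PT_SUSPEND_SECCOMP bypass is spelled out twice, in secure_computing_strict() and again in seccomp_phase1(), as `config_enabled(CONFIG_CHECKPOINT_RESTORE) && unlikely(current->ptrace & PT_SUSPEND_SECCOMP)`, and neither early return carries a comment saying that a tracer has deliberately suspended filtering for this task. Both sites should call one small helper with that expression as its body and a comment naming PTRACE_O_SUSPEND_SECCOMP, so the two hot paths cannot drift apart; the helper's comment is also the natural place to record that the privilege check for enabling this lives in ptrace_setoptions(). In the seccomp_run_filters() hunk the move of the NULL check ahead of the rest and the switch to lockless_dereference() are not questioned here. secure_computing_strict() and seccomp_phase1() both continue beyond their hunks.
```c
/* True when a tracer holding CAP_SYS_ADMIN has set PTRACE_O_SUSPEND_SECCOMP
 * on this task (see ptrace_setoptions()); secure_computing_strict() and
 * seccomp_phase1() then skip filtering for the syscall entirely. */
static inline bool seccomp_suspended(void)
{
	return config_enabled(CONFIG_CHECKPOINT_RESTORE) &&
	       unlikely(current->ptrace & PT_SUSPEND_SECCOMP);
}

/* … unchanged: secure_computing_strict() up to the read of current->seccomp.mode … */
	if (seccomp_suspended())
		return;
/* … unchanged: remainder of secure_computing_strict() … */

/* … unchanged: seccomp_phase1() up to the this_syscall initialisation … */
	if (seccomp_suspended())
		return SECCOMP_PHASE1_OK;
/* … unchanged: switch (mode) … */
```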