-
由 Will Drewry 提交于
Enable support for seccomp filter on x86: - syscall_get_arch() - syscall_get_arguments() - syscall_rollback() - syscall_set_return_value() - SIGSYS siginfo_t support - secure_computing is called from a ptrace_event()-safe context - secure_computing return value is checked (see below). SECCOMP_RET_TRACE and SECCOMP_RET_TRAP may result in seccomp needing to skip a system call without killing the process. This is done by returning a non-zero (-1) value from secure_computing. This change makes x86 respect that return value. To ensure that minimal kernel code is exposed, a non-zero return value results in an immediate return to user space (with an invalid syscall number). Signed-off-by: NWill Drewry <wad@chromium.org> Reviewed-by: NH. Peter Anvin <hpa@zytor.com> Acked-by: NEric Paris <eparis@redhat.com> Reviewed-by: NKees Cook <keescook@chromium.org> v18: rebase and tweaked change description, acked-by v17: added reviewed by and rebased v..: all rebases since original introduction. Signed-off-by: NJames Morris <james.l.morris@oracle.com>
c6cfbeb4