Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
linux
Commits
ea9c102c
Commit
ea9c102c
authored
May 08, 2005
by
David Woodhouse
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add CONFIG_AUDITSC and CONFIG_SECCOMP support for ppc32
Signed-off-by:
David Woodhouse
<
dwmw2@infradead.org
>
parent
13e65280
Changes
6
Hide whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
70 additions
and
14 deletions
+70
-14
arch/ppc/Kconfig
arch/ppc/Kconfig
+17
-0
arch/ppc/kernel/entry.S
arch/ppc/kernel/entry.S
+9
-7
arch/ppc/kernel/ppc_ksyms.c
arch/ppc/kernel/ppc_ksyms.c
+0
-2
arch/ppc/kernel/ptrace.c
arch/ppc/kernel/ptrace.c
+36
-4
include/asm-ppc/thread_info.h
include/asm-ppc/thread_info.h
+7
-0
init/Kconfig
init/Kconfig
+1
-1
No files found.
arch/ppc/Kconfig
View file @
ea9c102c
...
@@ -1083,6 +1083,23 @@ source "drivers/zorro/Kconfig"
...
@@ -1083,6 +1083,23 @@ source "drivers/zorro/Kconfig"
source kernel/power/Kconfig
source kernel/power/Kconfig
config SECCOMP
bool "Enable seccomp to safely compute untrusted bytecode"
depends on PROC_FS
default y
help
This kernel feature is useful for number crunching applications
that may need to compute untrusted bytecode during their
execution. By using pipes or other transports made available to
the process as file descriptors supporting the read/write
syscalls, it's possible to isolate those applications in
their own address space using seccomp. Once seccomp is
enabled via /proc/<pid>/seccomp, it cannot be disabled
and the task is only allowed to execute a few safe syscalls
defined by each seccomp mode.
If unsure, say Y. Only embedded should say N here.
endmenu
endmenu
config ISA_DMA_API
config ISA_DMA_API
...
...
arch/ppc/kernel/entry.S
View file @
ea9c102c
...
@@ -202,7 +202,7 @@ _GLOBAL(DoSyscall)
...
@@ -202,7 +202,7 @@ _GLOBAL(DoSyscall)
rlwinm
r11
,
r11
,
0
,
~
_TIFL_FORCE_NOERROR
rlwinm
r11
,
r11
,
0
,
~
_TIFL_FORCE_NOERROR
stw
r11
,
TI_LOCAL_FLAGS
(
r10
)
stw
r11
,
TI_LOCAL_FLAGS
(
r10
)
lwz
r11
,
TI_FLAGS
(
r10
)
lwz
r11
,
TI_FLAGS
(
r10
)
andi
.
r11
,
r11
,
_TIF_SYSCALL_T
RACE
andi
.
r11
,
r11
,
_TIF_SYSCALL_T
_OR_A
bne
-
syscall_dotrace
bne
-
syscall_dotrace
syscall_dotrace_cont
:
syscall_dotrace_cont
:
cmplwi
0
,
r0
,
NR_syscalls
cmplwi
0
,
r0
,
NR_syscalls
...
@@ -237,7 +237,7 @@ ret_from_syscall:
...
@@ -237,7 +237,7 @@ ret_from_syscall:
SYNC
SYNC
MTMSRD
(
r10
)
MTMSRD
(
r10
)
lwz
r9
,
TI_FLAGS
(
r12
)
lwz
r9
,
TI_FLAGS
(
r12
)
andi
.
r0
,
r9
,(
_TIF_SYSCALL_T
RACE
|_TIF_SIGPENDING|_TIF_NEED_RESCHED
)
andi
.
r0
,
r9
,(
_TIF_SYSCALL_T
_OR_A
|_TIF_SIGPENDING|_TIF_NEED_RESCHED
)
bne
-
syscall_exit_work
bne
-
syscall_exit_work
syscall_exit_cont
:
syscall_exit_cont
:
#if defined(CONFIG_4xx) || defined(CONFIG_BOOKE)
#if defined(CONFIG_4xx) || defined(CONFIG_BOOKE)
...
@@ -277,7 +277,8 @@ syscall_dotrace:
...
@@ -277,7 +277,8 @@ syscall_dotrace:
SAVE_NVGPRS
(
r1
)
SAVE_NVGPRS
(
r1
)
li
r0
,
0xc00
li
r0
,
0xc00
stw
r0
,
TRAP
(
r1
)
stw
r0
,
TRAP
(
r1
)
bl
do_syscall_trace
addi
r3
,
r1
,
STACK_FRAME_OVERHEAD
bl
do_syscall_trace_enter
lwz
r0
,
GPR0
(
r1
)
/*
Restore
original
registers
*/
lwz
r0
,
GPR0
(
r1
)
/*
Restore
original
registers
*/
lwz
r3
,
GPR3
(
r1
)
lwz
r3
,
GPR3
(
r1
)
lwz
r4
,
GPR4
(
r1
)
lwz
r4
,
GPR4
(
r1
)
...
@@ -291,7 +292,7 @@ syscall_dotrace:
...
@@ -291,7 +292,7 @@ syscall_dotrace:
syscall_exit_work
:
syscall_exit_work
:
stw
r6
,
RESULT
(
r1
)
/*
Save
result
*/
stw
r6
,
RESULT
(
r1
)
/*
Save
result
*/
stw
r3
,
GPR3
(
r1
)
/*
Update
return
value
*/
stw
r3
,
GPR3
(
r1
)
/*
Update
return
value
*/
andi
.
r0
,
r9
,
_TIF_SYSCALL_T
RACE
andi
.
r0
,
r9
,
_TIF_SYSCALL_T
_OR_A
beq
5
f
beq
5
f
ori
r10
,
r10
,
MSR_EE
ori
r10
,
r10
,
MSR_EE
SYNC
SYNC
...
@@ -303,7 +304,8 @@ syscall_exit_work:
...
@@ -303,7 +304,8 @@ syscall_exit_work:
li
r4
,
0xc00
li
r4
,
0xc00
stw
r4
,
TRAP
(
r1
)
stw
r4
,
TRAP
(
r1
)
4
:
4
:
bl
do_syscall_trace
addi
r3
,
r1
,
STACK_FRAME_OVERHEAD
bl
do_syscall_trace_leave
REST_NVGPRS
(
r1
)
REST_NVGPRS
(
r1
)
2
:
2
:
lwz
r3
,
GPR3
(
r1
)
lwz
r3
,
GPR3
(
r1
)
...
@@ -627,8 +629,8 @@ sigreturn_exit:
...
@@ -627,8 +629,8 @@ sigreturn_exit:
subi
r1
,
r3
,
STACK_FRAME_OVERHEAD
subi
r1
,
r3
,
STACK_FRAME_OVERHEAD
rlwinm
r12
,
r1
,
0
,
0
,
18
/*
current_thread_info
()
*/
rlwinm
r12
,
r1
,
0
,
0
,
18
/*
current_thread_info
()
*/
lwz
r9
,
TI_FLAGS
(
r12
)
lwz
r9
,
TI_FLAGS
(
r12
)
andi
.
r0
,
r9
,
_TIF_SYSCALL_T
RACE
andi
.
r0
,
r9
,
_TIF_SYSCALL_T
_OR_A
bnel
-
do_syscall_trace
bnel
-
do_syscall_trace
_leave
/
*
fall
through
*/
/
*
fall
through
*/
.
globl
ret_from_except_full
.
globl
ret_from_except_full
...
...
arch/ppc/kernel/ppc_ksyms.c
View file @
ea9c102c
...
@@ -55,7 +55,6 @@
...
@@ -55,7 +55,6 @@
#define EXPORT_SYMTAB_STROPS
#define EXPORT_SYMTAB_STROPS
extern
void
transfer_to_handler
(
void
);
extern
void
transfer_to_handler
(
void
);
extern
void
do_syscall_trace
(
void
);
extern
void
do_IRQ
(
struct
pt_regs
*
regs
);
extern
void
do_IRQ
(
struct
pt_regs
*
regs
);
extern
void
MachineCheckException
(
struct
pt_regs
*
regs
);
extern
void
MachineCheckException
(
struct
pt_regs
*
regs
);
extern
void
AlignmentException
(
struct
pt_regs
*
regs
);
extern
void
AlignmentException
(
struct
pt_regs
*
regs
);
...
@@ -74,7 +73,6 @@ extern unsigned long mm_ptov (unsigned long paddr);
...
@@ -74,7 +73,6 @@ extern unsigned long mm_ptov (unsigned long paddr);
EXPORT_SYMBOL
(
clear_pages
);
EXPORT_SYMBOL
(
clear_pages
);
EXPORT_SYMBOL
(
clear_user_page
);
EXPORT_SYMBOL
(
clear_user_page
);
EXPORT_SYMBOL
(
do_signal
);
EXPORT_SYMBOL
(
do_signal
);
EXPORT_SYMBOL
(
do_syscall_trace
);
EXPORT_SYMBOL
(
transfer_to_handler
);
EXPORT_SYMBOL
(
transfer_to_handler
);
EXPORT_SYMBOL
(
do_IRQ
);
EXPORT_SYMBOL
(
do_IRQ
);
EXPORT_SYMBOL
(
MachineCheckException
);
EXPORT_SYMBOL
(
MachineCheckException
);
...
...
arch/ppc/kernel/ptrace.c
View file @
ea9c102c
...
@@ -27,6 +27,9 @@
...
@@ -27,6 +27,9 @@
#include <linux/user.h>
#include <linux/user.h>
#include <linux/security.h>
#include <linux/security.h>
#include <linux/signal.h>
#include <linux/signal.h>
#include <linux/seccomp.h>
#include <linux/audit.h>
#include <linux/module.h>
#include <asm/uaccess.h>
#include <asm/uaccess.h>
#include <asm/page.h>
#include <asm/page.h>
...
@@ -455,11 +458,10 @@ int sys_ptrace(long request, long pid, long addr, long data)
...
@@ -455,11 +458,10 @@ int sys_ptrace(long request, long pid, long addr, long data)
return
ret
;
return
ret
;
}
}
void
do_syscall_trace
(
void
)
static
void
do_syscall_trace
(
void
)
{
{
if
(
!
test_thread_flag
(
TIF_SYSCALL_TRACE
)
/* the 0x80 provides a way for the tracing parent to distinguish
||
!
(
current
->
ptrace
&
PT_PTRACED
))
between a syscall stop and SIGTRAP delivery */
return
;
ptrace_notify
(
SIGTRAP
|
((
current
->
ptrace
&
PT_TRACESYSGOOD
)
ptrace_notify
(
SIGTRAP
|
((
current
->
ptrace
&
PT_TRACESYSGOOD
)
?
0x80
:
0
));
?
0x80
:
0
));
...
@@ -473,3 +475,33 @@ void do_syscall_trace(void)
...
@@ -473,3 +475,33 @@ void do_syscall_trace(void)
current
->
exit_code
=
0
;
current
->
exit_code
=
0
;
}
}
}
}
void
do_syscall_trace_enter
(
struct
pt_regs
*
regs
)
{
if
(
test_thread_flag
(
TIF_SYSCALL_TRACE
)
&&
(
current
->
ptrace
&
PT_PTRACED
))
do_syscall_trace
();
if
(
unlikely
(
current
->
audit_context
))
audit_syscall_entry
(
current
,
AUDIT_ARCH_PPC
,
regs
->
gpr
[
0
],
regs
->
gpr
[
3
],
regs
->
gpr
[
4
],
regs
->
gpr
[
5
],
regs
->
gpr
[
6
]);
}
void
do_syscall_trace_leave
(
struct
pt_regs
*
regs
)
{
secure_computing
(
regs
->
gpr
[
0
]);
if
(
unlikely
(
current
->
audit_context
))
audit_syscall_exit
(
current
,
(
regs
->
ccr
&
0x1000
)
?
AUDITSC_FAILURE
:
AUDITSC_SUCCESS
,
regs
->
result
);
if
((
test_thread_flag
(
TIF_SYSCALL_TRACE
))
&&
(
current
->
ptrace
&
PT_PTRACED
))
do_syscall_trace
();
}
EXPORT_SYMBOL
(
do_syscall_trace_enter
);
EXPORT_SYMBOL
(
do_syscall_trace_leave
);
include/asm-ppc/thread_info.h
View file @
ea9c102c
...
@@ -77,12 +77,19 @@ static inline struct thread_info *current_thread_info(void)
...
@@ -77,12 +77,19 @@ static inline struct thread_info *current_thread_info(void)
#define TIF_POLLING_NRFLAG 4
/* true if poll_idle() is polling
#define TIF_POLLING_NRFLAG 4
/* true if poll_idle() is polling
TIF_NEED_RESCHED */
TIF_NEED_RESCHED */
#define TIF_MEMDIE 5
#define TIF_MEMDIE 5
#define TIF_SYSCALL_AUDIT 6
/* syscall auditing active */
#define TIF_SECCOMP 7
/* secure computing */
/* as above, but as bit values */
/* as above, but as bit values */
#define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE)
#define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE)
#define _TIF_NOTIFY_RESUME (1<<TIF_NOTIFY_RESUME)
#define _TIF_NOTIFY_RESUME (1<<TIF_NOTIFY_RESUME)
#define _TIF_SIGPENDING (1<<TIF_SIGPENDING)
#define _TIF_SIGPENDING (1<<TIF_SIGPENDING)
#define _TIF_NEED_RESCHED (1<<TIF_NEED_RESCHED)
#define _TIF_NEED_RESCHED (1<<TIF_NEED_RESCHED)
#define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG)
#define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG)
#define _TIF_SYSCALL_AUDIT (1<<TIF_SYSCALL_AUDIT)
#define _TIF_SECCOMP (1<<TIF_SECCOMP)
#define _TIF_SYSCALL_T_OR_A (_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SECCOMP)
/*
/*
* Non racy (local) flags bit numbers
* Non racy (local) flags bit numbers
...
...
init/Kconfig
View file @
ea9c102c
...
@@ -173,7 +173,7 @@ config AUDIT
...
@@ -173,7 +173,7 @@ config AUDIT
config AUDITSYSCALL
config AUDITSYSCALL
bool "Enable system-call auditing support"
bool "Enable system-call auditing support"
depends on AUDIT && (X86 || PPC64 || ARCH_S390 || IA64 || UML)
depends on AUDIT && (X86 || PPC
|| PPC
64 || ARCH_S390 || IA64 || UML)
default y if SECURITY_SELINUX
default y if SECURITY_SELINUX
help
help
Enable low-overhead system-call auditing infrastructure that
Enable low-overhead system-call auditing infrastructure that
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment