Merge tag 'seccomp-v5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull seccomp updates from Kees Cook: "Mostly this is implementing the new flag SECCOMP_USER_NOTIF_FLAG_CONTINUE, but there are cleanups as well. - implement SECCOMP_USER_NOTIF_FLAG_CONTINUE (Christian Brauner) - fixes to selftests (Christian Brauner) - remove secure_computing() argument (Christian Brauner)" * tag 'seccomp-v5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: seccomp: rework define for SECCOMP_USER_NOTIF_FLAG_CONTINUE seccomp: fix SECCOMP_USER_NOTIF_FLAG_CONTINUE test seccomp: simplify secure_computing() seccomp: test SECCOMP_USER_NOTIF_FLAG_CONTINUE seccomp: add SECCOMP_USER_NOTIF_FLAG_CONTINUE seccomp: avoid overflow in implicit constant conversion
This commit is contained in:
@@ -76,6 +76,35 @@ struct seccomp_notif {
|
||||
struct seccomp_data data;
|
||||
};
|
||||
|
||||
/*
|
||||
* Valid flags for struct seccomp_notif_resp
|
||||
*
|
||||
* Note, the SECCOMP_USER_NOTIF_FLAG_CONTINUE flag must be used with caution!
|
||||
* If set by the process supervising the syscalls of another process the
|
||||
* syscall will continue. This is problematic because of an inherent TOCTOU.
|
||||
* An attacker can exploit the time while the supervised process is waiting on
|
||||
* a response from the supervising process to rewrite syscall arguments which
|
||||
* are passed as pointers of the intercepted syscall.
|
||||
* It should be absolutely clear that this means that the seccomp notifier
|
||||
* _cannot_ be used to implement a security policy! It should only ever be used
|
||||
* in scenarios where a more privileged process supervises the syscalls of a
|
||||
* lesser privileged process to get around kernel-enforced security
|
||||
* restrictions when the privileged process deems this safe. In other words,
|
||||
* in order to continue a syscall the supervising process should be sure that
|
||||
* another security mechanism or the kernel itself will sufficiently block
|
||||
* syscalls if arguments are rewritten to something unsafe.
|
||||
*
|
||||
* Similar precautions should be applied when stacking SECCOMP_RET_USER_NOTIF
|
||||
* or SECCOMP_RET_TRACE. For SECCOMP_RET_USER_NOTIF filters acting on the
|
||||
* same syscall, the most recently added filter takes precedence. This means
|
||||
* that the new SECCOMP_RET_USER_NOTIF filter can override any
|
||||
* SECCOMP_IOCTL_NOTIF_SEND from earlier filters, essentially allowing all
|
||||
* such filtered syscalls to be executed by sending the response
|
||||
* SECCOMP_USER_NOTIF_FLAG_CONTINUE. Note that SECCOMP_RET_TRACE can equally
|
||||
* be overriden by SECCOMP_USER_NOTIF_FLAG_CONTINUE.
|
||||
*/
|
||||
#define SECCOMP_USER_NOTIF_FLAG_CONTINUE (1UL << 0)
|
||||
|
||||
struct seccomp_notif_resp {
|
||||
__u64 id;
|
||||
__s64 val;
|
||||
|
||||
Reference in New Issue
Block a user