aboutsummaryrefslogtreecommitdiffstats
path: root/features/seccomp/seccomp-remove-duplicated-failure-logging.patch
diff options
context:
space:
mode:
Diffstat (limited to 'features/seccomp/seccomp-remove-duplicated-failure-logging.patch')
-rw-r--r--features/seccomp/seccomp-remove-duplicated-failure-logging.patch135
1 files changed, 135 insertions, 0 deletions
diff --git a/features/seccomp/seccomp-remove-duplicated-failure-logging.patch b/features/seccomp/seccomp-remove-duplicated-failure-logging.patch
new file mode 100644
index 00000000..ed1e662b
--- /dev/null
+++ b/features/seccomp/seccomp-remove-duplicated-failure-logging.patch
@@ -0,0 +1,135 @@
+From 60ec12b5d1111e19e716ee5029296dc0550fad11 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 12 Apr 2012 16:47:58 -0500
+Subject: [PATCH] seccomp: remove duplicated failure logging
+
+commit 3dc1c1b2d2ed7507ce8a379814ad75745ff97ebe upstream.
+
+This consolidates the seccomp filter error logging path and adds more
+details to the audit log.
+
+Signed-off-by: Will Drewry <wad@chromium.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Acked-by: Eric Paris <eparis@redhat.com>
+
+v18: make compat= permanent in the record
+v15: added a return code to the audit_seccomp path by wad@chromium.org
+ (suggested by eparis@redhat.com)
+v*: original by keescook@chromium.org
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+---
+ include/linux/audit.h | 8 ++++----
+ kernel/auditsc.c | 8 ++++++--
+ kernel/seccomp.c | 15 +--------------
+ 3 files changed, 11 insertions(+), 20 deletions(-)
+
+diff --git a/include/linux/audit.h b/include/linux/audit.h
+index ed3ef19..22f292a 100644
+--- a/include/linux/audit.h
++++ b/include/linux/audit.h
+@@ -463,7 +463,7 @@ extern void audit_putname(const char *name);
+ extern void __audit_inode(const char *name, const struct dentry *dentry);
+ extern void __audit_inode_child(const struct dentry *dentry,
+ const struct inode *parent);
+-extern void __audit_seccomp(unsigned long syscall);
++extern void __audit_seccomp(unsigned long syscall, long signr, int code);
+ extern void __audit_ptrace(struct task_struct *t);
+
+ static inline int audit_dummy_context(void)
+@@ -508,10 +508,10 @@ static inline void audit_inode_child(const struct dentry *dentry,
+ }
+ void audit_core_dumps(long signr);
+
+-static inline void audit_seccomp(unsigned long syscall)
++static inline void audit_seccomp(unsigned long syscall, long signr, int code)
+ {
+ if (unlikely(!audit_dummy_context()))
+- __audit_seccomp(syscall);
++ __audit_seccomp(syscall, signr, code);
+ }
+
+ static inline void audit_ptrace(struct task_struct *t)
+@@ -634,7 +634,7 @@ extern int audit_signals;
+ #define audit_inode(n,d) do { (void)(d); } while (0)
+ #define audit_inode_child(i,p) do { ; } while (0)
+ #define audit_core_dumps(i) do { ; } while (0)
+-#define audit_seccomp(i) do { ; } while (0)
++#define audit_seccomp(i,s,c) do { ; } while (0)
+ #define auditsc_get_stamp(c,t,s) (0)
+ #define audit_get_loginuid(t) (-1)
+ #define audit_get_sessionid(t) (-1)
+diff --git a/kernel/auditsc.c b/kernel/auditsc.c
+index af1de0f..4b96415 100644
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -67,6 +67,7 @@
+ #include <linux/syscalls.h>
+ #include <linux/capability.h>
+ #include <linux/fs_struct.h>
++#include <linux/compat.h>
+
+ #include "audit.h"
+
+@@ -2710,13 +2711,16 @@ void audit_core_dumps(long signr)
+ audit_log_end(ab);
+ }
+
+-void __audit_seccomp(unsigned long syscall)
++void __audit_seccomp(unsigned long syscall, long signr, int code)
+ {
+ struct audit_buffer *ab;
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
+- audit_log_abend(ab, "seccomp", SIGKILL);
++ audit_log_abend(ab, "seccomp", signr);
+ audit_log_format(ab, " syscall=%ld", syscall);
++ audit_log_format(ab, " compat=%d", is_compat_task());
++ audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current));
++ audit_log_format(ab, " code=0x%x", code);
+ audit_log_end(ab);
+ }
+
+diff --git a/kernel/seccomp.c b/kernel/seccomp.c
+index 0aeec19..0f7c709 100644
+--- a/kernel/seccomp.c
++++ b/kernel/seccomp.c
+@@ -60,18 +60,6 @@ struct seccomp_filter {
+ /* Limit any path through the tree to 256KB worth of instructions. */
+ #define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter))
+
+-static void seccomp_filter_log_failure(int syscall)
+-{
+- int compat = 0;
+-#ifdef CONFIG_COMPAT
+- compat = is_compat_task();
+-#endif
+- pr_info("%s[%d]: %ssystem call %d blocked at 0x%lx\n",
+- current->comm, task_pid_nr(current),
+- (compat ? "compat " : ""),
+- syscall, KSTK_EIP(current));
+-}
+-
+ /**
+ * get_u32 - returns a u32 offset into data
+ * @data: a unsigned 64 bit value
+@@ -381,7 +369,6 @@ void __secure_computing(int this_syscall)
+ case SECCOMP_MODE_FILTER:
+ if (seccomp_run_filters(this_syscall) == SECCOMP_RET_ALLOW)
+ return;
+- seccomp_filter_log_failure(this_syscall);
+ exit_sig = SIGSYS;
+ break;
+ #endif
+@@ -392,7 +379,7 @@ void __secure_computing(int this_syscall)
+ #ifdef SECCOMP_DEBUG
+ dump_stack();
+ #endif
+- audit_seccomp(this_syscall);
++ audit_seccomp(this_syscall, exit_code, SECCOMP_RET_KILL);
+ do_exit(exit_sig);
+ }
+
+--
+1.7.9.1
+