diff options
Diffstat (limited to 'features/seccomp/seccomp-remove-duplicated-failure-logging.patch')
-rw-r--r-- | features/seccomp/seccomp-remove-duplicated-failure-logging.patch | 135 |
1 files changed, 135 insertions, 0 deletions
diff --git a/features/seccomp/seccomp-remove-duplicated-failure-logging.patch b/features/seccomp/seccomp-remove-duplicated-failure-logging.patch new file mode 100644 index 00000000..ed1e662b --- /dev/null +++ b/features/seccomp/seccomp-remove-duplicated-failure-logging.patch @@ -0,0 +1,135 @@ +From 60ec12b5d1111e19e716ee5029296dc0550fad11 Mon Sep 17 00:00:00 2001 +From: Kees Cook <keescook@chromium.org> +Date: Thu, 12 Apr 2012 16:47:58 -0500 +Subject: [PATCH] seccomp: remove duplicated failure logging + +commit 3dc1c1b2d2ed7507ce8a379814ad75745ff97ebe upstream. + +This consolidates the seccomp filter error logging path and adds more +details to the audit log. + +Signed-off-by: Will Drewry <wad@chromium.org> +Signed-off-by: Kees Cook <keescook@chromium.org> +Acked-by: Eric Paris <eparis@redhat.com> + +v18: make compat= permanent in the record +v15: added a return code to the audit_seccomp path by wad@chromium.org + (suggested by eparis@redhat.com) +v*: original by keescook@chromium.org +Signed-off-by: James Morris <james.l.morris@oracle.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + include/linux/audit.h | 8 ++++---- + kernel/auditsc.c | 8 ++++++-- + kernel/seccomp.c | 15 +-------------- + 3 files changed, 11 insertions(+), 20 deletions(-) + +diff --git a/include/linux/audit.h b/include/linux/audit.h +index ed3ef19..22f292a 100644 +--- a/include/linux/audit.h ++++ b/include/linux/audit.h +@@ -463,7 +463,7 @@ extern void audit_putname(const char *name); + extern void __audit_inode(const char *name, const struct dentry *dentry); + extern void __audit_inode_child(const struct dentry *dentry, + const struct inode *parent); +-extern void __audit_seccomp(unsigned long syscall); ++extern void __audit_seccomp(unsigned long syscall, long signr, int code); + extern void __audit_ptrace(struct task_struct *t); + + static inline int audit_dummy_context(void) +@@ -508,10 +508,10 @@ static inline void audit_inode_child(const struct dentry *dentry, + } + void audit_core_dumps(long signr); + +-static inline void audit_seccomp(unsigned long syscall) ++static inline void audit_seccomp(unsigned long syscall, long signr, int code) + { + if (unlikely(!audit_dummy_context())) +- __audit_seccomp(syscall); ++ __audit_seccomp(syscall, signr, code); + } + + static inline void audit_ptrace(struct task_struct *t) +@@ -634,7 +634,7 @@ extern int audit_signals; + #define audit_inode(n,d) do { (void)(d); } while (0) + #define audit_inode_child(i,p) do { ; } while (0) + #define audit_core_dumps(i) do { ; } while (0) +-#define audit_seccomp(i) do { ; } while (0) ++#define audit_seccomp(i,s,c) do { ; } while (0) + #define auditsc_get_stamp(c,t,s) (0) + #define audit_get_loginuid(t) (-1) + #define audit_get_sessionid(t) (-1) +diff --git a/kernel/auditsc.c b/kernel/auditsc.c +index af1de0f..4b96415 100644 +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -67,6 +67,7 @@ + #include <linux/syscalls.h> + #include <linux/capability.h> + #include <linux/fs_struct.h> ++#include <linux/compat.h> + + #include "audit.h" + +@@ -2710,13 +2711,16 @@ void audit_core_dumps(long signr) + audit_log_end(ab); + } + +-void __audit_seccomp(unsigned long syscall) ++void __audit_seccomp(unsigned long syscall, long signr, int code) + { + struct audit_buffer *ab; + + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); +- audit_log_abend(ab, "seccomp", SIGKILL); ++ audit_log_abend(ab, "seccomp", signr); + audit_log_format(ab, " syscall=%ld", syscall); ++ audit_log_format(ab, " compat=%d", is_compat_task()); ++ audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current)); ++ audit_log_format(ab, " code=0x%x", code); + audit_log_end(ab); + } + +diff --git a/kernel/seccomp.c b/kernel/seccomp.c +index 0aeec19..0f7c709 100644 +--- a/kernel/seccomp.c ++++ b/kernel/seccomp.c +@@ -60,18 +60,6 @@ struct seccomp_filter { + /* Limit any path through the tree to 256KB worth of instructions. */ + #define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter)) + +-static void seccomp_filter_log_failure(int syscall) +-{ +- int compat = 0; +-#ifdef CONFIG_COMPAT +- compat = is_compat_task(); +-#endif +- pr_info("%s[%d]: %ssystem call %d blocked at 0x%lx\n", +- current->comm, task_pid_nr(current), +- (compat ? "compat " : ""), +- syscall, KSTK_EIP(current)); +-} +- + /** + * get_u32 - returns a u32 offset into data + * @data: a unsigned 64 bit value +@@ -381,7 +369,6 @@ void __secure_computing(int this_syscall) + case SECCOMP_MODE_FILTER: + if (seccomp_run_filters(this_syscall) == SECCOMP_RET_ALLOW) + return; +- seccomp_filter_log_failure(this_syscall); + exit_sig = SIGSYS; + break; + #endif +@@ -392,7 +379,7 @@ void __secure_computing(int this_syscall) + #ifdef SECCOMP_DEBUG + dump_stack(); + #endif +- audit_seccomp(this_syscall); ++ audit_seccomp(this_syscall, exit_code, SECCOMP_RET_KILL); + do_exit(exit_sig); + } + +-- +1.7.9.1 + |