2008-02-02 20:10:33 +00:00
|
|
|
#
|
|
|
|
# General architecture dependent options
|
|
|
|
#
|
2008-02-02 20:10:36 +00:00
|
|
|
|
|
|
|
config OPROFILE
|
2010-02-26 14:01:23 +00:00
|
|
|
tristate "OProfile system profiling"
|
2008-02-02 20:10:36 +00:00
|
|
|
depends on PROFILING
|
|
|
|
depends on HAVE_OPROFILE
|
2008-12-12 08:38:57 +00:00
|
|
|
select RING_BUFFER
|
2009-09-16 19:56:49 +00:00
|
|
|
select RING_BUFFER_ALLOW_SWAP
|
2008-02-02 20:10:36 +00:00
|
|
|
help
|
|
|
|
OProfile is a profiling system capable of profiling the
|
|
|
|
whole system, include the kernel, kernel modules, libraries,
|
|
|
|
and applications.
|
|
|
|
|
|
|
|
If unsure, say N.
|
|
|
|
|
2009-07-08 11:49:38 +00:00
|
|
|
config OPROFILE_EVENT_MULTIPLEX
|
|
|
|
bool "OProfile multiplexing support (EXPERIMENTAL)"
|
|
|
|
default n
|
|
|
|
depends on OPROFILE && X86
|
|
|
|
help
|
|
|
|
The number of hardware counters is limited. The multiplexing
|
|
|
|
feature enables OProfile to gather more events than counters
|
|
|
|
are provided by the hardware. This is realized by switching
|
|
|
|
between events at an user specified time interval.
|
|
|
|
|
|
|
|
If unsure, say N.
|
|
|
|
|
2008-02-02 20:10:36 +00:00
|
|
|
config HAVE_OPROFILE
|
2008-10-16 05:01:38 +00:00
|
|
|
bool
|
2008-02-02 20:10:36 +00:00
|
|
|
|
2011-10-11 15:11:08 +00:00
|
|
|
config OPROFILE_NMI_TIMER
|
|
|
|
def_bool y
|
|
|
|
depends on PERF_EVENTS && HAVE_PERF_EVENTS_NMI
|
|
|
|
|
2008-02-02 20:10:36 +00:00
|
|
|
config KPROBES
|
|
|
|
bool "Kprobes"
|
2010-09-13 10:25:41 +00:00
|
|
|
depends on MODULES
|
2008-02-02 20:10:36 +00:00
|
|
|
depends on HAVE_KPROBES
|
2010-09-13 10:25:41 +00:00
|
|
|
select KALLSYMS
|
2008-02-02 20:10:36 +00:00
|
|
|
help
|
|
|
|
Kprobes allows you to trap at almost any kernel address and
|
|
|
|
execute a callback function. register_kprobe() establishes
|
|
|
|
a probepoint and specifies the callback. Kprobes is useful
|
|
|
|
for kernel debugging, non-intrusive instrumentation and testing.
|
|
|
|
If in doubt, say "N".
|
|
|
|
|
2010-10-29 16:33:43 +00:00
|
|
|
config JUMP_LABEL
|
2012-02-24 07:31:31 +00:00
|
|
|
bool "Optimize very unlikely/likely branches"
|
2010-10-29 16:33:43 +00:00
|
|
|
depends on HAVE_ARCH_JUMP_LABEL
|
|
|
|
help
|
2012-02-24 07:31:31 +00:00
|
|
|
This option enables a transparent branch optimization that
|
|
|
|
makes certain almost-always-true or almost-always-false branch
|
|
|
|
conditions even cheaper to execute within the kernel.
|
|
|
|
|
|
|
|
Certain performance-sensitive kernel code, such as trace points,
|
|
|
|
scheduler functionality, networking code and KVM have such
|
|
|
|
branches and include support for this optimization technique.
|
|
|
|
|
2010-10-29 16:33:43 +00:00
|
|
|
If it is detected that the compiler has support for "asm goto",
|
2012-02-24 07:31:31 +00:00
|
|
|
the kernel will compile such branches with just a nop
|
|
|
|
instruction. When the condition flag is toggled to true, the
|
|
|
|
nop will be converted to a jump instruction to execute the
|
|
|
|
conditional block of instructions.
|
|
|
|
|
|
|
|
This technique lowers overhead and stress on the branch prediction
|
|
|
|
of the processor and generally makes the kernel faster. The update
|
|
|
|
of the condition is slower, but those are always very rare.
|
2010-10-29 16:33:43 +00:00
|
|
|
|
2012-02-24 07:31:31 +00:00
|
|
|
( On 32-bit x86, the necessary options added to the compiler
|
|
|
|
flags may increase the size of the kernel slightly. )
|
2010-10-29 16:33:43 +00:00
|
|
|
|
2010-02-25 13:34:07 +00:00
|
|
|
config OPTPROBES
|
2010-03-15 17:00:54 +00:00
|
|
|
def_bool y
|
|
|
|
depends on KPROBES && HAVE_OPTPROBES
|
2010-02-25 13:34:07 +00:00
|
|
|
depends on !PREEMPT
|
|
|
|
|
2008-07-25 08:45:33 +00:00
|
|
|
config HAVE_EFFICIENT_UNALIGNED_ACCESS
|
2008-10-16 05:01:38 +00:00
|
|
|
bool
|
2008-07-25 08:45:33 +00:00
|
|
|
help
|
|
|
|
Some architectures are unable to perform unaligned accesses
|
|
|
|
without the use of get_unaligned/put_unaligned. Others are
|
|
|
|
unable to perform such accesses efficiently (e.g. trap on
|
|
|
|
unaligned access and require fixing it up in the exception
|
|
|
|
handler.)
|
|
|
|
|
|
|
|
This symbol should be selected by an architecture if it can
|
|
|
|
perform unaligned accesses efficiently to allow different
|
|
|
|
code paths to be selected for these cases. Some network
|
|
|
|
drivers, for example, could opt to not fix up alignment
|
|
|
|
problems with received packets if doing so would not help
|
|
|
|
much.
|
|
|
|
|
|
|
|
See Documentation/unaligned-memory-access.txt for more
|
|
|
|
information on the topic of unaligned memory accesses.
|
|
|
|
|
2009-01-14 13:13:59 +00:00
|
|
|
config HAVE_SYSCALL_WRAPPERS
|
|
|
|
bool
|
|
|
|
|
2008-03-04 22:28:37 +00:00
|
|
|
config KRETPROBES
|
|
|
|
def_bool y
|
|
|
|
depends on KPROBES && HAVE_KRETPROBES
|
|
|
|
|
2009-09-19 06:40:22 +00:00
|
|
|
config USER_RETURN_NOTIFIER
|
|
|
|
bool
|
|
|
|
depends on HAVE_USER_RETURN_NOTIFIER
|
|
|
|
help
|
|
|
|
Provide a kernel-internal notification when a cpu is about to
|
|
|
|
switch to user mode.
|
|
|
|
|
2008-07-24 04:27:05 +00:00
|
|
|
config HAVE_IOREMAP_PROT
|
2008-10-16 05:01:38 +00:00
|
|
|
bool
|
2008-07-24 04:27:05 +00:00
|
|
|
|
2008-02-02 20:10:36 +00:00
|
|
|
config HAVE_KPROBES
|
2008-10-16 05:01:38 +00:00
|
|
|
bool
|
2008-03-04 22:28:37 +00:00
|
|
|
|
|
|
|
config HAVE_KRETPROBES
|
2008-10-16 05:01:38 +00:00
|
|
|
bool
|
2008-04-29 08:00:30 +00:00
|
|
|
|
2010-02-25 13:34:07 +00:00
|
|
|
config HAVE_OPTPROBES
|
|
|
|
bool
|
2012-03-23 22:01:51 +00:00
|
|
|
|
|
|
|
config HAVE_NMI_WATCHDOG
|
|
|
|
bool
|
2008-07-26 02:45:57 +00:00
|
|
|
#
|
|
|
|
# An arch should select this if it provides all these things:
|
|
|
|
#
|
|
|
|
# task_pt_regs() in asm/processor.h or asm/ptrace.h
|
|
|
|
# arch_has_single_step() if there is hardware single-step support
|
|
|
|
# arch_has_block_step() if there is hardware block-step support
|
|
|
|
# asm/syscall.h supplying asm-generic/syscall.h interface
|
|
|
|
# linux/regset.h user_regset interfaces
|
|
|
|
# CORE_DUMP_USE_REGSET #define'd in linux/elf.h
|
|
|
|
# TIF_SYSCALL_TRACE calls tracehook_report_syscall_{entry,exit}
|
|
|
|
# TIF_NOTIFY_RESUME calls tracehook_notify_resume()
|
|
|
|
# signal delivery calls tracehook_signal_handler()
|
|
|
|
#
|
|
|
|
config HAVE_ARCH_TRACEHOOK
|
2008-10-16 05:01:38 +00:00
|
|
|
bool
|
2008-07-26 02:45:57 +00:00
|
|
|
|
2008-04-29 08:00:30 +00:00
|
|
|
config HAVE_DMA_ATTRS
|
2008-10-16 05:01:38 +00:00
|
|
|
bool
|
2008-06-26 09:21:34 +00:00
|
|
|
|
2011-12-29 12:09:51 +00:00
|
|
|
config HAVE_DMA_CONTIGUOUS
|
|
|
|
bool
|
|
|
|
|
2008-06-26 09:21:34 +00:00
|
|
|
config USE_GENERIC_SMP_HELPERS
|
2008-10-16 05:01:38 +00:00
|
|
|
bool
|
2008-07-24 04:26:48 +00:00
|
|
|
|
2012-04-20 13:05:45 +00:00
|
|
|
config GENERIC_SMP_IDLE_THREAD
|
|
|
|
bool
|
|
|
|
|
2010-02-10 16:25:17 +00:00
|
|
|
config HAVE_REGS_AND_STACK_ACCESS_API
|
|
|
|
bool
|
2010-02-18 13:25:21 +00:00
|
|
|
help
|
|
|
|
This symbol should be selected by an architecure if it supports
|
|
|
|
the API needed to access registers and stack entries from pt_regs,
|
|
|
|
declared in asm/ptrace.h
|
|
|
|
For example the kprobes-based event tracer needs this API.
|
2010-02-10 16:25:17 +00:00
|
|
|
|
2008-07-24 04:26:48 +00:00
|
|
|
config HAVE_CLK
|
2008-10-16 05:01:38 +00:00
|
|
|
bool
|
2008-07-24 04:26:48 +00:00
|
|
|
help
|
|
|
|
The <linux/clk.h> calls support software clock gating and
|
|
|
|
thus are a key power management tool on many systems.
|
|
|
|
|
2009-01-09 11:14:24 +00:00
|
|
|
config HAVE_DMA_API_DEBUG
|
|
|
|
bool
|
2009-04-09 16:48:34 +00:00
|
|
|
|
2009-06-01 18:13:33 +00:00
|
|
|
config HAVE_HW_BREAKPOINT
|
|
|
|
bool
|
2009-12-17 00:33:54 +00:00
|
|
|
depends on PERF_EVENTS
|
2009-06-01 18:13:33 +00:00
|
|
|
|
2011-05-18 15:06:38 +00:00
|
|
|
config HAVE_HW_BRKPT_RESERVED_RW_ACCESS
|
|
|
|
bool
|
|
|
|
depends on HAVE_HW_BREAKPOINT
|
|
|
|
help
|
|
|
|
Some of the hardware might not have r/w access beyond a certain number
|
|
|
|
of breakpoint register access.
|
|
|
|
|
2010-04-11 16:55:56 +00:00
|
|
|
config HAVE_MIXED_BREAKPOINTS_REGS
|
|
|
|
bool
|
|
|
|
depends on HAVE_HW_BREAKPOINT
|
|
|
|
help
|
|
|
|
Depending on the arch implementation of hardware breakpoints,
|
|
|
|
some of them have separate registers for data and instruction
|
|
|
|
breakpoints addresses, others have mixed registers to store
|
|
|
|
them but define the access type in a control register.
|
|
|
|
Select this option if your arch implements breakpoints under the
|
|
|
|
latter fashion.
|
|
|
|
|
2009-09-19 06:40:22 +00:00
|
|
|
config HAVE_USER_RETURN_NOTIFIER
|
|
|
|
bool
|
2009-09-07 06:19:51 +00:00
|
|
|
|
2010-05-15 20:57:48 +00:00
|
|
|
config HAVE_PERF_EVENTS_NMI
|
|
|
|
bool
|
2010-05-15 21:15:20 +00:00
|
|
|
help
|
|
|
|
System hardware can generate an NMI using the perf event
|
|
|
|
subsystem. Also has support for calculating CPU cycle events
|
|
|
|
to determine how many clock cycles in a given period.
|
2010-05-15 20:57:48 +00:00
|
|
|
|
2010-09-17 15:09:00 +00:00
|
|
|
config HAVE_ARCH_JUMP_LABEL
|
|
|
|
bool
|
|
|
|
|
2010-11-22 14:47:36 +00:00
|
|
|
config HAVE_ARCH_MUTEX_CPU_RELAX
|
|
|
|
bool
|
|
|
|
|
2011-05-25 00:12:00 +00:00
|
|
|
config HAVE_RCU_TABLE_FREE
|
|
|
|
bool
|
|
|
|
|
2011-07-13 05:14:22 +00:00
|
|
|
config ARCH_HAVE_NMI_SAFE_CMPXCHG
|
|
|
|
bool
|
|
|
|
|
2012-01-13 01:17:27 +00:00
|
|
|
config HAVE_ALIGNED_STRUCT_PAGE
|
|
|
|
bool
|
|
|
|
help
|
|
|
|
This makes sure that struct pages are double word aligned and that
|
|
|
|
e.g. the SLUB allocator can perform double word atomic operations
|
|
|
|
on a struct page for better performance. However selecting this
|
|
|
|
might increase the size of a struct page by a word.
|
|
|
|
|
2012-01-13 01:17:30 +00:00
|
|
|
config HAVE_CMPXCHG_LOCAL
|
|
|
|
bool
|
|
|
|
|
2012-01-13 01:17:33 +00:00
|
|
|
config HAVE_CMPXCHG_DOUBLE
|
|
|
|
bool
|
|
|
|
|
[PATCH v3] ipc: provide generic compat versions of IPC syscalls
When using the "compat" APIs, architectures will generally want to
be able to make direct syscalls to msgsnd(), shmctl(), etc., and
in the kernel we would want them to be handled directly by
compat_sys_xxx() functions, as is true for other compat syscalls.
However, for historical reasons, several of the existing compat IPC
syscalls do not do this. semctl() expects a pointer to the fourth
argument, instead of the fourth argument itself. msgsnd(), msgrcv()
and shmat() expect arguments in different order.
This change adds an ARCH_WANT_OLD_COMPAT_IPC config option that can be
set to preserve this behavior for ports that use it (x86, sparc, powerpc,
s390, and mips). No actual semantics are changed for those architectures,
and there is only a minimal amount of code refactoring in ipc/compat.c.
Newer architectures like tile (and perhaps future architectures such
as arm64 and unicore64) should not select this option, and thus can
avoid having any IPC-specific code at all in their architecture-specific
compat layer. In the same vein, if this option is not selected, IPC_64
mode is assumed, since that's what the <asm-generic> headers expect.
The workaround code in "tile" for msgsnd() and msgrcv() is removed
with this change; it also fixes the bug that shmat() and semctl() were
not being properly handled.
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
2012-03-15 17:13:38 +00:00
|
|
|
config ARCH_WANT_OLD_COMPAT_IPC
|
|
|
|
bool
|
|
|
|
|
seccomp: add system call filtering using BPF
[This patch depends on luto@mit.edu's no_new_privs patch:
https://lkml.org/lkml/2012/1/30/264
The whole series including Andrew's patches can be found here:
https://github.com/redpig/linux/tree/seccomp
Complete diff here:
https://github.com/redpig/linux/compare/1dc65fed...seccomp
]
This patch adds support for seccomp mode 2. Mode 2 introduces the
ability for unprivileged processes to install system call filtering
policy expressed in terms of a Berkeley Packet Filter (BPF) program.
This program will be evaluated in the kernel for each system call
the task makes and computes a result based on data in the format
of struct seccomp_data.
A filter program may be installed by calling:
struct sock_fprog fprog = { ... };
...
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
The return value of the filter program determines if the system call is
allowed to proceed or denied. If the first filter program installed
allows prctl(2) calls, then the above call may be made repeatedly
by a task to further reduce its access to the kernel. All attached
programs must be evaluated before a system call will be allowed to
proceed.
Filter programs will be inherited across fork/clone and execve.
However, if the task attaching the filter is unprivileged
(!CAP_SYS_ADMIN) the no_new_privs bit will be set on the task. This
ensures that unprivileged tasks cannot attach filters that affect
privileged tasks (e.g., setuid binary).
There are a number of benefits to this approach. A few of which are
as follows:
- BPF has been exposed to userland for a long time
- BPF optimization (and JIT'ing) are well understood
- Userland already knows its ABI: system call numbers and desired
arguments
- No time-of-check-time-of-use vulnerable data accesses are possible.
- system call arguments are loaded on access only to minimize copying
required for system call policy decisions.
Mode 2 support is restricted to architectures that enable
HAVE_ARCH_SECCOMP_FILTER. In this patch, the primary dependency is on
syscall_get_arguments(). The full desired scope of this feature will
add a few minor additional requirements expressed later in this series.
Based on discussion, SECCOMP_RET_ERRNO and SECCOMP_RET_TRACE seem to be
the desired additional functionality.
No architectures are enabled in this patch.
Signed-off-by: Will Drewry <wad@chromium.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Reviewed-by: Indan Zupancic <indan@nul.nu>
Acked-by: Eric Paris <eparis@redhat.com>
v18: - rebase to v3.4-rc2
- s/chk/check/ (akpm@linux-foundation.org,jmorris@namei.org)
- allocate with GFP_KERNEL|__GFP_NOWARN (indan@nul.nu)
- add a comment for get_u32 regarding endianness (akpm@)
- fix other typos, style mistakes (akpm@)
- added acked-by
v17: - properly guard seccomp filter needed headers (leann@ubuntu.com)
- tighten return mask to 0x7fff0000
v16: - no change
v15: - add a 4 instr penalty when counting a path to account for seccomp_filter
size (indan@nul.nu)
- drop the max insns to 256KB (indan@nul.nu)
- return ENOMEM if the max insns limit has been hit (indan@nul.nu)
- move IP checks after args (indan@nul.nu)
- drop !user_filter check (indan@nul.nu)
- only allow explicit bpf codes (indan@nul.nu)
- exit_code -> exit_sig
v14: - put/get_seccomp_filter takes struct task_struct
(indan@nul.nu,keescook@chromium.org)
- adds seccomp_chk_filter and drops general bpf_run/chk_filter user
- add seccomp_bpf_load for use by net/core/filter.c
- lower max per-process/per-hierarchy: 1MB
- moved nnp/capability check prior to allocation
(all of the above: indan@nul.nu)
v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
v12: - added a maximum instruction count per path (indan@nul.nu,oleg@redhat.com)
- removed copy_seccomp (keescook@chromium.org,indan@nul.nu)
- reworded the prctl_set_seccomp comment (indan@nul.nu)
v11: - reorder struct seccomp_data to allow future args expansion (hpa@zytor.com)
- style clean up, @compat dropped, compat_sock_fprog32 (indan@nul.nu)
- do_exit(SIGSYS) (keescook@chromium.org, luto@mit.edu)
- pare down Kconfig doc reference.
- extra comment clean up
v10: - seccomp_data has changed again to be more aesthetically pleasing
(hpa@zytor.com)
- calling convention is noted in a new u32 field using syscall_get_arch.
This allows for cross-calling convention tasks to use seccomp filters.
(hpa@zytor.com)
- lots of clean up (thanks, Indan!)
v9: - n/a
v8: - use bpf_chk_filter, bpf_run_filter. update load_fns
- Lots of fixes courtesy of indan@nul.nu:
-- fix up load behavior, compat fixups, and merge alloc code,
-- renamed pc and dropped __packed, use bool compat.
-- Added a hidden CONFIG_SECCOMP_FILTER to synthesize non-arch
dependencies
v7: (massive overhaul thanks to Indan, others)
- added CONFIG_HAVE_ARCH_SECCOMP_FILTER
- merged into seccomp.c
- minimal seccomp_filter.h
- no config option (part of seccomp)
- no new prctl
- doesn't break seccomp on systems without asm/syscall.h
(works but arg access always fails)
- dropped seccomp_init_task, extra free functions, ...
- dropped the no-asm/syscall.h code paths
- merges with network sk_run_filter and sk_chk_filter
v6: - fix memory leak on attach compat check failure
- require no_new_privs || CAP_SYS_ADMIN prior to filter
installation. (luto@mit.edu)
- s/seccomp_struct_/seccomp_/ for macros/functions (amwang@redhat.com)
- cleaned up Kconfig (amwang@redhat.com)
- on block, note if the call was compat (so the # means something)
v5: - uses syscall_get_arguments
(indan@nul.nu,oleg@redhat.com, mcgrathr@chromium.org)
- uses union-based arg storage with hi/lo struct to
handle endianness. Compromises between the two alternate
proposals to minimize extra arg shuffling and account for
endianness assuming userspace uses offsetof().
(mcgrathr@chromium.org, indan@nul.nu)
- update Kconfig description
- add include/seccomp_filter.h and add its installation
- (naive) on-demand syscall argument loading
- drop seccomp_t (eparis@redhat.com)
v4: - adjusted prctl to make room for PR_[SG]ET_NO_NEW_PRIVS
- now uses current->no_new_privs
(luto@mit.edu,torvalds@linux-foundation.com)
- assign names to seccomp modes (rdunlap@xenotime.net)
- fix style issues (rdunlap@xenotime.net)
- reworded Kconfig entry (rdunlap@xenotime.net)
v3: - macros to inline (oleg@redhat.com)
- init_task behavior fixed (oleg@redhat.com)
- drop creator entry and extra NULL check (oleg@redhat.com)
- alloc returns -EINVAL on bad sizing (serge.hallyn@canonical.com)
- adds tentative use of "always_unprivileged" as per
torvalds@linux-foundation.org and luto@mit.edu
v2: - (patch 2 only)
2012-02-09 17:50:58 +00:00
|
|
|
config HAVE_ARCH_SECCOMP_FILTER
|
|
|
|
bool
|
|
|
|
help
|
2012-02-09 18:08:39 +00:00
|
|
|
An arch should select this symbol if it provides all of these things:
|
2012-02-09 18:01:37 +00:00
|
|
|
- syscall_get_arch()
|
|
|
|
- syscall_get_arguments()
|
|
|
|
- syscall_rollback()
|
|
|
|
- syscall_set_return_value()
|
2012-02-09 18:08:39 +00:00
|
|
|
- SIGSYS siginfo_t support
|
|
|
|
- secure_computing is called from a ptrace_event()-safe context
|
|
|
|
- secure_computing return value is checked and a return value of -1
|
|
|
|
results in the system call being skipped immediately.
|
2014-06-25 23:08:24 +00:00
|
|
|
- seccomp syscall wired up
|
seccomp: add system call filtering using BPF
[This patch depends on luto@mit.edu's no_new_privs patch:
https://lkml.org/lkml/2012/1/30/264
The whole series including Andrew's patches can be found here:
https://github.com/redpig/linux/tree/seccomp
Complete diff here:
https://github.com/redpig/linux/compare/1dc65fed...seccomp
]
This patch adds support for seccomp mode 2. Mode 2 introduces the
ability for unprivileged processes to install system call filtering
policy expressed in terms of a Berkeley Packet Filter (BPF) program.
This program will be evaluated in the kernel for each system call
the task makes and computes a result based on data in the format
of struct seccomp_data.
A filter program may be installed by calling:
struct sock_fprog fprog = { ... };
...
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
The return value of the filter program determines if the system call is
allowed to proceed or denied. If the first filter program installed
allows prctl(2) calls, then the above call may be made repeatedly
by a task to further reduce its access to the kernel. All attached
programs must be evaluated before a system call will be allowed to
proceed.
Filter programs will be inherited across fork/clone and execve.
However, if the task attaching the filter is unprivileged
(!CAP_SYS_ADMIN) the no_new_privs bit will be set on the task. This
ensures that unprivileged tasks cannot attach filters that affect
privileged tasks (e.g., setuid binary).
There are a number of benefits to this approach. A few of which are
as follows:
- BPF has been exposed to userland for a long time
- BPF optimization (and JIT'ing) are well understood
- Userland already knows its ABI: system call numbers and desired
arguments
- No time-of-check-time-of-use vulnerable data accesses are possible.
- system call arguments are loaded on access only to minimize copying
required for system call policy decisions.
Mode 2 support is restricted to architectures that enable
HAVE_ARCH_SECCOMP_FILTER. In this patch, the primary dependency is on
syscall_get_arguments(). The full desired scope of this feature will
add a few minor additional requirements expressed later in this series.
Based on discussion, SECCOMP_RET_ERRNO and SECCOMP_RET_TRACE seem to be
the desired additional functionality.
No architectures are enabled in this patch.
Signed-off-by: Will Drewry <wad@chromium.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Reviewed-by: Indan Zupancic <indan@nul.nu>
Acked-by: Eric Paris <eparis@redhat.com>
v18: - rebase to v3.4-rc2
- s/chk/check/ (akpm@linux-foundation.org,jmorris@namei.org)
- allocate with GFP_KERNEL|__GFP_NOWARN (indan@nul.nu)
- add a comment for get_u32 regarding endianness (akpm@)
- fix other typos, style mistakes (akpm@)
- added acked-by
v17: - properly guard seccomp filter needed headers (leann@ubuntu.com)
- tighten return mask to 0x7fff0000
v16: - no change
v15: - add a 4 instr penalty when counting a path to account for seccomp_filter
size (indan@nul.nu)
- drop the max insns to 256KB (indan@nul.nu)
- return ENOMEM if the max insns limit has been hit (indan@nul.nu)
- move IP checks after args (indan@nul.nu)
- drop !user_filter check (indan@nul.nu)
- only allow explicit bpf codes (indan@nul.nu)
- exit_code -> exit_sig
v14: - put/get_seccomp_filter takes struct task_struct
(indan@nul.nu,keescook@chromium.org)
- adds seccomp_chk_filter and drops general bpf_run/chk_filter user
- add seccomp_bpf_load for use by net/core/filter.c
- lower max per-process/per-hierarchy: 1MB
- moved nnp/capability check prior to allocation
(all of the above: indan@nul.nu)
v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
v12: - added a maximum instruction count per path (indan@nul.nu,oleg@redhat.com)
- removed copy_seccomp (keescook@chromium.org,indan@nul.nu)
- reworded the prctl_set_seccomp comment (indan@nul.nu)
v11: - reorder struct seccomp_data to allow future args expansion (hpa@zytor.com)
- style clean up, @compat dropped, compat_sock_fprog32 (indan@nul.nu)
- do_exit(SIGSYS) (keescook@chromium.org, luto@mit.edu)
- pare down Kconfig doc reference.
- extra comment clean up
v10: - seccomp_data has changed again to be more aesthetically pleasing
(hpa@zytor.com)
- calling convention is noted in a new u32 field using syscall_get_arch.
This allows for cross-calling convention tasks to use seccomp filters.
(hpa@zytor.com)
- lots of clean up (thanks, Indan!)
v9: - n/a
v8: - use bpf_chk_filter, bpf_run_filter. update load_fns
- Lots of fixes courtesy of indan@nul.nu:
-- fix up load behavior, compat fixups, and merge alloc code,
-- renamed pc and dropped __packed, use bool compat.
-- Added a hidden CONFIG_SECCOMP_FILTER to synthesize non-arch
dependencies
v7: (massive overhaul thanks to Indan, others)
- added CONFIG_HAVE_ARCH_SECCOMP_FILTER
- merged into seccomp.c
- minimal seccomp_filter.h
- no config option (part of seccomp)
- no new prctl
- doesn't break seccomp on systems without asm/syscall.h
(works but arg access always fails)
- dropped seccomp_init_task, extra free functions, ...
- dropped the no-asm/syscall.h code paths
- merges with network sk_run_filter and sk_chk_filter
v6: - fix memory leak on attach compat check failure
- require no_new_privs || CAP_SYS_ADMIN prior to filter
installation. (luto@mit.edu)
- s/seccomp_struct_/seccomp_/ for macros/functions (amwang@redhat.com)
- cleaned up Kconfig (amwang@redhat.com)
- on block, note if the call was compat (so the # means something)
v5: - uses syscall_get_arguments
(indan@nul.nu,oleg@redhat.com, mcgrathr@chromium.org)
- uses union-based arg storage with hi/lo struct to
handle endianness. Compromises between the two alternate
proposals to minimize extra arg shuffling and account for
endianness assuming userspace uses offsetof().
(mcgrathr@chromium.org, indan@nul.nu)
- update Kconfig description
- add include/seccomp_filter.h and add its installation
- (naive) on-demand syscall argument loading
- drop seccomp_t (eparis@redhat.com)
v4: - adjusted prctl to make room for PR_[SG]ET_NO_NEW_PRIVS
- now uses current->no_new_privs
(luto@mit.edu,torvalds@linux-foundation.com)
- assign names to seccomp modes (rdunlap@xenotime.net)
- fix style issues (rdunlap@xenotime.net)
- reworded Kconfig entry (rdunlap@xenotime.net)
v3: - macros to inline (oleg@redhat.com)
- init_task behavior fixed (oleg@redhat.com)
- drop creator entry and extra NULL check (oleg@redhat.com)
- alloc returns -EINVAL on bad sizing (serge.hallyn@canonical.com)
- adds tentative use of "always_unprivileged" as per
torvalds@linux-foundation.org and luto@mit.edu
v2: - (patch 2 only)
2012-02-09 17:50:58 +00:00
|
|
|
|
|
|
|
config SECCOMP_FILTER
|
|
|
|
def_bool y
|
|
|
|
depends on HAVE_ARCH_SECCOMP_FILTER && SECCOMP && NET
|
|
|
|
help
|
|
|
|
Enable tasks to build secure computing environments defined
|
|
|
|
in terms of Berkeley Packet Filter programs which implement
|
|
|
|
task-defined system call filtering polices.
|
|
|
|
|
|
|
|
See Documentation/prctl/seccomp_filter.txt for details.
|
|
|
|
|
2009-06-17 23:28:08 +00:00
|
|
|
source "kernel/gcov/Kconfig"
|