On Tue, Jun 24, 2014 at 12:50 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> On Tue, Jun 24, 2014 at 12:34 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>> On Tue, Jun 24, 2014 at 12:30 PM, Oleg Nesterov <oleg@xxxxxxxxxx> wrote:
>>> On 06/24, Andy Lutomirski wrote:
>>>>
>>>> On Tue, Jun 24, 2014 at 12:18 PM, Oleg Nesterov <oleg@xxxxxxxxxx> wrote:
>>>> >>
>>>> >> -struct seccomp { };
>>>> >> +struct seccomp {
>>>> >> + unsigned long flags;
>>>> >> +};
>>>> >
>>>> > A bit messy ;)
>>>> >
>>>> > I am wondering if we can simply do
>>>> >
>>>> > static inline bool current_no_new_privs(void)
>>>> > {
>>>> > if (current->no_new_privs)
>>>> > return true;
>>>> >
>>>> > #ifdef CONFIG_SECCOMP
>>>> > if (test_thread_flag(TIF_SECCOMP))
>>>> > return true;
>>>> > #endif
>>>>
>>>> Nope -- privileged users can enable seccomp w/o nnp.
>>>
>>> Indeed, I am stupid.
>>>
>>> Still it would be nice to cleanup this somehow. The new member is only
>>> used as a previous ->no_new_privs, just it is long to allow the concurent
>>> set/get. Logically it doesn't even belong to seccomp{}.
>>
>> We could add an unsigned long atomic flags field to task_struct.
>
> I thought that had gotten shot down originally, but given the current
> state of the patch series, it would be effectively identical, since my
> earlier attempt at keeping sizes the same (with alternate accessors)
> was too messy. I will change this as well.
>
>> Grr. Why isn't there an unsigned *int* atomic bitmask type? Even u64
>> would be better. unsigned long is useless.
>
> Useless beyond 32 bits. ;)
It basically guarantees 32 wasted bits on 64-bit systems.
I guess that unsigned long foo[64/BITS_PER_LONG] would work, bit that's hideous.
--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-api" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
