On Thu, Jul 17, 2014 at 8:45 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote: > On Thu, Jul 17, 2014 at 8:04 AM, David Drysdale <drysdale@xxxxxxxxxx> wrote: >> On Wed, Jul 16, 2014 at 10:50 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote: >>> diff --git a/kernel/seccomp.c b/kernel/seccomp.c >>> index 9065d2c79c56..2125b83ccfd4 100644 >>> +/** >>> + * seccomp_can_sync_threads: checks if all threads can be synchronized >>> + * >>> + * Expects sighand and cred_guard_mutex locks to be held. >>> + * >>> + * Returns 0 on success, -ve on error, or the pid of a thread which was >>> + * either not in the correct seccomp mode or it did not have an ancestral >>> + * seccomp filter. >>> + */ >>> +static inline pid_t seccomp_can_sync_threads(void) >>> +{ >>> + struct task_struct *thread, *caller; >>> + >>> + BUG_ON(!mutex_is_locked(¤t->signal->cred_guard_mutex)); >>> + BUG_ON(!spin_is_locked(¤t->sighand->siglock)); >>> + >>> + if (current->seccomp.mode != SECCOMP_MODE_FILTER) >>> + return -EACCES; >> >> Quick question -- is it possible to apply the first filter and also synchronize >> it across threads in the same operation? If so, does this arm also need to >> cope with seccomp.mode being SECCOMP_MODE_DISABLED? >> >> [seccomp_set_mode_filter() looks to call this via seccomp_attach_filter() >> before it does seccomp_assign_mode()] > > I don't entirely understand what you're asking. The threads gain the > filter and the mode before the current thread may gain the mode (if > it's the first time this has been called). Due to all the locks, > though, this isn't a problem. Is there a situation you see where there > might be a problem? Just to follow up for posterity on lkml: the problem was that mode was being set in "current" _after_ sync, so the mode check in can_sync would fail if "current" was not yet in filter mode. (i.e. the first attached filter could not have the TSYNC flag.) This check was redundant with the attach_filter entry point checks, and protected nothing, so it has been removed and a new test added to the seccomp regression test suite. :) I sent it as a new patch on top of v11, instead of respinning everything as v12. If that's not preferred, I can send v12 with this fix incorporated. Thanks! -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html