On Thu, Jan 16, 2025 at 6:40 AM Oleg Nesterov <oleg@xxxxxxxxxx> wrote:
>
> On 01/15, Eyal Birger wrote:
> >
> > On Wed, Jan 15, 2025 at 11:03 AM Oleg Nesterov <oleg@xxxxxxxxxx> wrote:
> > >
> > > On 01/15, Eyal Birger wrote:
> > > >
> > > > --- a/kernel/seccomp.c
> > > > +++ b/kernel/seccomp.c
> > > > @@ -1359,6 +1359,9 @@ int __secure_computing(const struct seccomp_data *sd)
> > > > this_syscall = sd ? sd->nr :
> > > > syscall_get_nr(current, current_pt_regs());
> > > >
> > > > + if (this_syscall == __NR_uretprobe)
> > > > + return 0;
> > > > +
> > >
> > > Yes, this is what I meant. But we need the new arch-dependent helper.
> >
> > Do you mean because __NR_uretprobe is not defined for other architectures?
>
> Yes, and see below,
>
> > Is there an existing helper? I wasn't able to find one...
>
> No,
>
> > If not, would it just make sense to just wrap this check in
> > #ifdef __NR_uretprobe ?
>
> Given that we need a simple fix for -stable, I won't argue.
> Up to seccomp maintainers.
>
> But please note that this_syscall == __NR_uretprobe can be false
> positive if is_compat_task().
>
> __NR_uretprobe == __NR_ia32_rt_tgsigqueueinfo, so I guess we need
>
>     #ifdef CONFIG_X86_64
>     if (this_syscall == __NR_uretprobe && !in_ia32_syscall())
>         return 0;
>     #endif
>
> I don't think we need to worry about the X86_X32 tasks...

Ack. I agree.

Do you want to send a formal patch, or should I?

Eyal.
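
Review bot: the added `if (this_syscall == __NR_uretprobe)` check in `__secure_computing()` is unconditional and compares only the syscall number, which causes two problems. First, `__NR_uretprobe` is not defined for other architectures, so the check needs a build guard such as `#ifdef CONFIG_X86_64` (or `#ifdef __NR_uretprobe`). Second, as noted in the thread, `__NR_uretprobe == __NR_ia32_rt_tgsigqueueinfo`, so a compat task issuing that syscall would also take this early `return 0`; adding `&& !in_ia32_syscall()` to the condition restricts the exemption to the 64-bit ABI. A short comment above the check explaining why this syscall is exempted from seccomp would also help, since the hunk gives no rationale.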