On Mon, Feb 27, 2012 at 10:51 PM, Indan Zupancic <indan@xxxxxx> wrote: > On Sat, February 25, 2012 04:21, Will Drewry wrote: >> @@ -169,6 +170,7 @@ void free_task(struct task_struct *tsk) >> free_thread_info(tsk->stack); >> rt_mutex_debug_task_free(tsk); >> ftrace_graph_exit_task(tsk); >> + put_seccomp_filter(tsk->seccomp.filter); >> free_task_struct(tsk); >> } >> EXPORT_SYMBOL(free_task); >> @@ -1113,6 +1115,7 @@ static struct task_struct *copy_process(unsigned long clone_flags, >> goto fork_out; >> >> ftrace_graph_init_task(p); >> + copy_seccomp(&p->seccomp, ¤t->seccomp); > > I agree it's more symmetrical when get_seccomp_filter() is used here > directly instead of copy_seccomp(). That should put Kees at ease. Yeah, that does feel more symmetrical. >> +static void seccomp_filter_log_failure(int syscall) >> +{ >> + int compat = 0; >> +#ifdef CONFIG_COMPAT >> + compat = is_compat_task(); >> +#endif >> + pr_info("%s[%d]: %ssystem call %d blocked at 0x%lx\n", >> + current->comm, task_pid_nr(current), >> + (compat ? "compat " : ""), >> + syscall, KSTK_EIP(current)); >> +} > > This should be at least rate limited, but could be dropped altogether, > as it's mostly useful for debugging filters. There is no kernel message > when a process is killed because it exceeds a ulimit either. The death > by SIGSYS is hopefully clear enough for users, and filter writers can > return different errno values when debugging where it goes wrong. I've already sent a patch to take care of this. It was redundant with the later call to audit_seccomp() on the exit path. https://lkml.org/lkml/2012/2/26/70 https://lkml.org/lkml/2012/2/27/369 >> @@ -48,6 +308,14 @@ void __secure_computing(int this_syscall) >> return; >> } while (*++syscall); >> break; >> +#ifdef CONFIG_SECCOMP_FILTER >> + case SECCOMP_MODE_FILTER: >> + if (seccomp_run_filters(this_syscall) == SECCOMP_RET_ALLOW) >> + return; >> + seccomp_filter_log_failure(this_syscall); >> + exit_code = SIGSYS; > > Wouldn't it make more sense to always kill with SIGSYS, also for mode 1? > I suppose it's too late for that now. Right, this should (somewhat unfortunately) stay SIGKILL for mode 1. -Kees -- Kees Cook ChromeOS Security -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html