----- Original message -----
> On Fri, Mar 2, 2012 at 12:24 PM, Serge E. Hallyn <serge@xxxxxxxxxx> wrote:
> > Quoting Will Drewry (wad@xxxxxxxxxxxx):
> > > This change adds the SECCOMP_RET_ERRNO as a valid return value from a
> > > seccomp filter. Additionally, it makes the first use of the lower
> > > 16-bits for storing a filter-supplied errno. 16-bits is more than
> > > enough for the errno-base.h calls.
> > >
> > > Returning errors instead of immediately terminating processes that
> > > violate seccomp policy allow for broader use of this functionality
> > > for kernel attack surface reduction. For example, a linux container
> > > could maintain a whitelist of pre-existing system calls but drop
> > > all new ones with errnos. This would keep a logically static attack
> > > surface while providing errnos that may allow for graceful failure
> > > without the downside of do_exit() on a bad call.
> > >
> > > v12: - move to WARN_ON if filter is NULL
> > >        (oleg@xxxxxxxxxx, luto@xxxxxxx, keescook@xxxxxxxxxxxx)
> > >      - return immediately for filter==NULL (keescook@xxxxxxxxxxxx)
> > >      - change evaluation to only compare the ACTION so that layered
> > >        errnos don't result in the lowest one being returned.
> > >        (keescook@xxxxxxxxxxxx)
> > > v11: - check for NULL filter (keescook@xxxxxxxxxxxx)
> > > v10: - change loaders to fn
> > > v9:  - n/a
> > > v8:  - update Kconfig to note new need for syscall_set_return_value.
> > >      - reordered such that TRAP behavior follows on later.
> > >      - made the for loop a little less indent-y
> > > v7:  - introduced
> > >
> > > Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
> > > Signed-off-by: Will Drewry <wad@xxxxxxxxxxxx>
> >
> > Clever :)
> >
> > Thanks, Will.
> >
> > For patches 1-7,
> >
> > Acked-by: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>
>
> Thanks!
>
> > The -1 return value from __secure_computing_int() seems like it
> > could stand #define, like
> >
> > #define SECCOMP_DONTRUN -1
> > #define SECCOMP_RUN 0
> >
> > or something. Maybe not, but -1 always scares me and I had to look back
> > and forth a few times to make sure it was doing what I would want.
>
> Works for me. The -1 just matches what syscall emulation, etc does on
> x86. I'll add this to the tweaks for v14.
>
> Thanks!

Well, in that case maybe it's not worth it. Sounds like ignorance on my part.

thanks,
-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-doc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
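The container use case in the commit message above (whitelist the syscalls a workload already uses, fail everything else with an errno instead of do_exit()) is easy to get subtly wrong, so here is an added worked example. It is not code from the patch series or from anyone in this thread. It builds such a filter with the SECCOMP_RET_ERRNO encoding the patch introduces (errno in the low 16 bits, SECCOMP_RET_DATA), including the arch check a real filter needs so syscall numbers are not interpreted for the wrong ABI, and checks the policy with a deliberately minimal cBPF interpreter (only the three instruction kinds the filter uses) before installing it. The function names, the choice of EPERM, the whitelist contents and the small `combine_layers` helper, which models the v12 note about comparing only the ACTION of layered results as I read it, are all my assumptions; SECCOMP_RET_ACTION and SECCOMP_RET_DATA are taken from the installed uapi headers.

```c
/* Added example: build, check and install a SECCOMP_RET_ERRNO whitelist filter.
 * Not from the patch series or this mailing-list thread; see lead-in for assumptions. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define FILTER_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* The errno travels in the low 16 bits (SECCOMP_RET_DATA) of the return value. */
static unsigned int errno_action(int err)
{
    return SECCOMP_RET_ERRNO | ((unsigned int)err & SECCOMP_RET_DATA);
}

static int action_errno(unsigned int ret)
{
    return (int)(ret & SECCOMP_RET_DATA);
}

/* Layout (n = whitelisted syscalls):  0: load arch  1: arch ok? skip kill
 * 2: RET KILL  3: load nr  4..3+n: nr == allowed[i]? jump to RET ALLOW
 * 4+n: RET ERRNO|err (everything not listed)  5+n: RET ALLOW.
 * Returns the instruction count, or 0 if the program does not fit. */
static size_t build_whitelist_filter(struct sock_filter *prog, size_t max,
                                     const int *allowed, size_t n, int err)
{
    size_t i, len = n + 6;
    if (len > max || n > 255)          /* jt is 8 bits wide */
        return 0;
    prog[0] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                           offsetof(struct seccomp_data, arch));
    prog[1] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0);
    prog[2] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[3] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                           offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++)   /* on match, skip the remaining compares and the errno return */
        prog[4 + i] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                   (unsigned int)allowed[i],
                                                   (unsigned char)(n - i), 0);
    prog[4 + n] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, errno_action(err));
    prog[5 + n] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return len;
}

/* Toy cBPF interpreter for the three instruction kinds used above, so the policy
 * can be unit-tested without installing it. Anything else yields KILL. */
static unsigned int run_filter(const struct sock_filter *prog, size_t len,
                               const struct seccomp_data *sd)
{
    unsigned int acc = 0;
    size_t pc;
    for (pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (ins->k + sizeof acc > sizeof *sd)
                return SECCOMP_RET_KILL;
            memcpy(&acc, (const unsigned char *)sd + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:   /* offsets are relative to the next instruction */
            pc += acc == ins->k ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;   /* fell off the end; the kernel rejects such programs */
}

/* Layered filters: keep the lower (more restrictive) ACTION, and on a tie keep
 * the result already held, so two RET_ERRNO layers do not collapse to the
 * smallest errno. Models the v12 note in the commit message as I read it. */
static unsigned int combine_layers(unsigned int held, unsigned int next)
{
    return (next & SECCOMP_RET_ACTION) < (held & SECCOMP_RET_ACTION) ? next : held;
}

int main(void)
{
    /* Assumed whitelist: just enough for write() and a clean exit. */
    const int allowed[] = { SYS_write, SYS_exit, SYS_exit_group, SYS_rt_sigreturn };
    struct sock_filter prog[16];
    struct sock_fprog fprog;
    size_t len = build_whitelist_filter(prog, 16, allowed, 4, EPERM);
    const char *msg;
    long r;

    fprog.len = (unsigned short)len;
    fprog.filter = prog;
    if (!len || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog)) {
        perror("seccomp install");
        return 1;
    }
    /* getpid() is not whitelisted: with RET_ERRNO it fails instead of killing us. */
    r = syscall(SYS_getpid);
    msg = (r == -1 && errno == EPERM) ? "getpid blocked with EPERM\n" : "unexpected result\n";
    write(1, msg, strlen(msg));
    return 0;
}
```

Two points worth keeping in mind when reusing this: the arch check must come before the syscall-number compares, otherwise a 32-bit caller on a 64-bit kernel is judged against the wrong table; and a default RET_ERRNO policy only "keeps a logically static attack surface" if the whitelist really is the set of syscalls the workload needs, so test the program (as `run_filter` does here) against the syscall set you intend before installing it.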