Hi Michael, On Thu, Jun 17, 2021 at 7:39 AM Michael Schmitz <schmitzmic@xxxxxxxxx> wrote:
Add secure_computing() call to syscall_trace_enter to actually filter system calls. Add necessary arch Kconfig options, define TIF_SECCOMP trace flag and provide basic seccomp filter support in asm/syscall.h syscall_get_nr currently uses the syscall nr stored in orig_d0 because we change d0 to a default return code before starting a syscall trace. This may be inconsistent with syscall_rollback copying orig_d0 to d0 (which we never check upon return from trace). We use d0 for the return code from syscall_trace_enter in entry.S currently, and could perhaps expand that to store a new syscall number returned by the seccomp filter before executing the syscall. This clearly needs some discussion. Compiles (for Atari) and boots on ARAnyM, otherwise untested. Signed-off-by: Michael Schmitz <schmitzmic@xxxxxxxxx>
---
 arch/m68k/Kconfig | 2 ++
 arch/m68k/include/asm/seccomp.h | 11 +++++++++++
 arch/m68k/include/asm/syscall.h | 33 +++++++++++++++++++++++++++++++++
 arch/m68k/include/asm/thread_info.h | 2 ++
 arch/m68k/kernel/ptrace.c | 5 +++++
 5 files changed, 53 insertions(+)
 create mode 100644 arch/m68k/include/asm/seccomp.h
diff --git a/arch/m68k/Kconfig b/arch/m68k/Kconfig
index 372e4e6..deaea88 100644
--- a/arch/m68k/Kconfig
+++ b/arch/m68k/Kconfig
@@ -19,6 +19,8 @@ config M68K
 select GENERIC_STRNCPY_FROM_USER if MMU
 select GENERIC_STRNLEN_USER if MMU
 select HAVE_AOUT if MMU
+ select HAVE_ARCH_SECCOMP
+ select HAVE_ARCH_SECCOMP_FILTER
So the status should be changed from "TODO" to "ok" in Documentation/features/seccomp/seccomp-filter/arch-support.txt BTW, there was also "[PATCH] [WIP] selftests/seccomp: Add m68k support" https://lore.kernel.org/linux-m68k/alpine.DEB.2.21.2008261315050.25325@xxxxxxxxxxxxxx/ I kept on up-porting it, but haven't exercised it recently. Recent version looks like (gmail-whitespace-damaged):
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -135,6 +135,8 @@ struct seccomp_data {
 # define __NR_seccomp 337
 # elif defined(__sh__)
 # define __NR_seccomp 372
+# elif defined(__mc68000__)
+# define __NR_seccomp 380
 # else
 # warning "seccomp syscall number unknown for this architecture"
 # define __NR_seccomp 0xffff
@@ -1815,6 +1817,10 @@ TEST_F(TRACE_poke, getpid_runs_normally)
 # define ARCH_REGS struct pt_regs
 # define SYSCALL_NUM(_regs) (_regs).regs[3]
 # define SYSCALL_RET(_regs) (_regs).regs[0]
+#elif defined(__mc68000__)
+# define ARCH_REGS struct pt_regs
+# define SYSCALL_NUM(_regs) (_regs).orig_d0
+# define SYSCALL_RET(_regs) (_regs).d0
 #else
 # error "Do not know how to find your architecture's registers and syscalls"
 #endif
@@ -1879,7 +1885,7 @@ const bool ptrace_entry_set_syscall_ret =
 * Use PTRACE_GETREGS and PTRACE_SETREGS when available. This is useful for
 * architectures without HAVE_ARCH_TRACEHOOK (e.g. User-mode Linux).
 */
-#if defined(__x86_64__) || defined(__i386__) || defined(__mips__)
+#if defined(__x86_64__) || defined(__i386__) || defined(__mips__) || defined(__mc68000)
 # define ARCH_GETREGS(_regs) ptrace(PTRACE_GETREGS, tracee, 0, &(_regs))
 # define ARCH_SETREGS(_regs) ptrace(PTRACE_SETREGS, tracee, 0, &(_regs))
 #else
Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds
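Review bot: The second hunk maps `SYSCALL_NUM` to `orig_d0` and `SYSCALL_RET` to `d0` without saying what the tests may assume about writing them back; the tracing tests in this file presumably rewrite `SYSCALL_NUM` through `ARCH_SETREGS` to redirect or skip a syscall, and that only works if the m68k kernel re-reads the number from `orig_d0` after the ptrace stop, which the quoted m68k patch description itself leaves open. A short comment on the new branch would record the dependency, e.g. `/* m68k: orig_d0 holds the syscall nr, d0 the return value; changing the nr from the tracer relies on the kernel re-reading orig_d0 */`. The commit message should also state whether the syscall-rewrite tests were run on m68k rather than only compiled. The `#if`/`#elif` chain this branch belongs to starts outside the hunk.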
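Review bot: The third hunk tests `defined(__mc68000)` while the first two hunks test `defined(__mc68000__)`; the three should use one spelling, so the added condition should read `|| defined(__mc68000__)`. If a toolchain only provided the double-underscore form, the `ARCH_GETREGS`/`ARCH_SETREGS` selection would fall through to the `#else` branch on exactly the build where the other two m68k branches are active, which would be a confusing partial enable. The `#if` block continues past the end of the hunk.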