Patch "seccomp: Fix CONFIG tests for Seccomp_filters" has been added to the 5.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Wed, 12 May 2021 08:28:36 -0400

This is a note to let you know that I've just added the patch titled

    seccomp: Fix CONFIG tests for Seccomp_filters

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     seccomp-fix-config-tests-for-seccomp_filters.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 54dd367489dee1f3c67c053044bd961d209b34dc
Author: Kenta.Tada@xxxxxxxx <Kenta.Tada@xxxxxxxx>
Date:   Sun Mar 21 15:52:19 2021 +0000

    seccomp: Fix CONFIG tests for Seccomp_filters
    
    [ Upstream commit 64bdc0244054f7d4bb621c8b4455e292f4e421bc ]
    
    Strictly speaking, seccomp filters are only used
    when CONFIG_SECCOMP_FILTER.
    This patch fixes the condition to enable "Seccomp_filters"
    in /proc/$pid/status.
    
    Signed-off-by: Kenta Tada <Kenta.Tada@xxxxxxxx>
    Fixes: c818c03b661c ("seccomp: Report number of loaded filters in /proc/$pid/status")
    Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/OSBPR01MB26772D245E2CF4F26B76A989F5669@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/proc/array.c b/fs/proc/array.c
index 65ec2029fa80..18a4588c35be 100644
--- a/fs/proc/array.c
+++ b/fs/proc/array.c
@@ -341,8 +341,10 @@ static inline void task_seccomp(struct seq_file *m, struct task_struct *p)
 	seq_put_decimal_ull(m, "NoNewPrivs:\t", task_no_new_privs(p));
 #ifdef CONFIG_SECCOMP
 	seq_put_decimal_ull(m, "\nSeccomp:\t", p->seccomp.mode);
+#ifdef CONFIG_SECCOMP_FILTER
 	seq_put_decimal_ull(m, "\nSeccomp_filters:\t",
 			    atomic_read(&p->seccomp.filter_count));
+#endif
 #endif
 	seq_puts(m, "\nSpeculation_Store_Bypass:\t");
 	switch (arch_prctl_spec_ctrl_get(p, PR_SPEC_STORE_BYPASS)) {
diff --git a/init/init_task.c b/init/init_task.c
index 16d14c2ebb55..5fa18ed59d33 100644
--- a/init/init_task.c
+++ b/init/init_task.c
@@ -210,7 +210,7 @@ struct task_struct init_task
 #ifdef CONFIG_SECURITY
 	.security	= NULL,
 #endif
-#ifdef CONFIG_SECCOMP
+#ifdef CONFIG_SECCOMP_FILTER
 	.seccomp	= { .filter_count = ATOMIC_INIT(0) },
 #endif
 };






