Hi Sasha, I'd prefer this was not backported -- it's not a bug fix, and if the behavioral change is actually disruptive, I'd like to keep the fall-out contained. :) Thanks! -Kees On Sun, Oct 18, 2020 at 03:16:42PM -0400, Sasha Levin wrote: > From: Rich Felker <dalias@xxxxxxxx> > > [ Upstream commit 4d671d922d51907bc41f1f7f2dc737c928ae78fd ] > > Asynchronous termination of a thread outside of the userspace thread > library's knowledge is an unsafe operation that leaves the process in > an inconsistent, corrupt, and possibly unrecoverable state. In order > to make new actions that may be added in the future safe on kernels > not aware of them, change the default action from > SECCOMP_RET_KILL_THREAD to SECCOMP_RET_KILL_PROCESS. > > Signed-off-by: Rich Felker <dalias@xxxxxxxx> > Link: https://lore.kernel.org/r/20200829015609.GA32566@xxxxxxxxxxxxxxxxxxxxx > [kees: Fixed up coredump selection logic to match] > Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> > Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> > --- > kernel/seccomp.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/kernel/seccomp.c b/kernel/seccomp.c > index 676d4af621038..f754c1087e413 100644 > --- a/kernel/seccomp.c > +++ b/kernel/seccomp.c > @@ -1020,7 +1020,7 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, > default: > seccomp_log(this_syscall, SIGSYS, action, true); > /* Dump core only if this is the last remaining thread. */ > - if (action == SECCOMP_RET_KILL_PROCESS || > + if (action != SECCOMP_RET_KILL_THREAD || > get_nr_threads(current) == 1) { > kernel_siginfo_t info; 
> > @@ -1030,10 +1030,10 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, > seccomp_init_siginfo(&info, this_syscall, data); > do_coredump(&info); > } > - if (action == SECCOMP_RET_KILL_PROCESS) > - do_group_exit(SIGSYS); > - else > + if (action == SECCOMP_RET_KILL_THREAD) > do_exit(SIGSYS); > + else > + do_group_exit(SIGSYS); > } > > unreachable(); > -- > 2.25.1 > -- Kees Cook
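Review bot: In the first hunk of kernel/seccomp.c (@@ -1020), the comment "Dump core only if this is the last remaining thread." does not describe the condition that follows it. With `action != SECCOMP_RET_KILL_THREAD ||` a core is dumped for SECCOMP_RET_KILL_PROCESS and for any other action that reaches this default case, whatever the thread count; only the SECCOMP_RET_KILL_THREAD path still depends on `get_nr_threads(current) == 1`. Suggest updating the comment in the same patch, for example: "Dump core unless a single thread is being killed and other threads remain."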
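Review bot: In the second hunk (@@ -1030), the bare `else` in front of `do_group_exit(SIGSYS);` now catches every action value other than SECCOMP_RET_KILL_THREAD, and nothing at that spot says the catch-all is intentional. A one-line comment on the `else` stating that SECCOMP_RET_KILL_PROCESS and any unrecognized action kill the whole thread group would keep a later cleanup from narrowing it back to an explicit KILL_PROCESS test. The same comparison of `action` against SECCOMP_RET_KILL_THREAD also gates the coredump condition in the previous hunk; evaluating it once into a local and using it in both places would keep the coredump selection and the exit path in step, which the "[kees: Fixed up coredump selection logic to match]" note shows had to be aligned by hand.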