diff options
author | Andrea Arcangeli <andrea@cpushare.com> | 2005-09-09 13:01:51 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2005-09-09 13:57:30 -0700 |
commit | 4c7fc7220f6a3cce9b3f4bd66362176df67df577 (patch) | |
tree | 5824a334335dcc283a76ffad6294ed0904364157 /arch | |
parent | 4d666d7ada2e14d71d463c85b8b5ef2e2e6723f2 (diff) |
[PATCH] i386: seccomp fix for auditing/ptrace
This is the same issue as ppc64 before, when returning to userland we
shouldn't re-compute the seccomp check or the task could be killed during
sigreturn when orig_eax is overwritten by the sigreturn syscall. This was
found by Roland.
This was harmless from a security standpoint, but some i686 users reported
failures with auditing enabled system wide (some distro surprisingly makes
it the default) and I reproduced it too by keeping the whole workload under
strace -f.
Patch is tested and works for me under strace -f.
nobody@athlon:~/cpushare> strace -o /tmp/o -f python seccomp_test.py
make: Nothing to be done for `seccomp_test'.
Starting computing some malicious bytecode
init
load
start
stop
receive_data failure
kill
exit_code 0 signal 9
The malicious bytecode has been killed successfully by seccomp
Starting computing some safe bytecode
init
load
start
stop
174 counts
kill
exit_code 0 signal 0
The seccomp_test.py completed successfully, thank you for testing.
(akpm: collaterally cleaned up a bit of do_syscall_trace() too)
Signed-off-by: Andrea Arcangeli <andrea@cpushare.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'arch')
-rw-r--r-- | arch/i386/kernel/ptrace.c | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/arch/i386/kernel/ptrace.c b/arch/i386/kernel/ptrace.c index 340980203b09..7b6368bf8974 100644 --- a/arch/i386/kernel/ptrace.c +++ b/arch/i386/kernel/ptrace.c @@ -694,17 +694,22 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, int error_code) __attribute__((regparm(3))) int do_syscall_trace(struct pt_regs *regs, int entryexit) { - int is_sysemu = test_thread_flag(TIF_SYSCALL_EMU), ret = 0; - /* With TIF_SYSCALL_EMU set we want to ignore TIF_SINGLESTEP for syscall - * interception. */ + int is_sysemu = test_thread_flag(TIF_SYSCALL_EMU); + /* + * With TIF_SYSCALL_EMU set we want to ignore TIF_SINGLESTEP for syscall + * interception + */ int is_singlestep = !is_sysemu && test_thread_flag(TIF_SINGLESTEP); + int ret = 0; /* do the secure computing check first */ - secure_computing(regs->orig_eax); + if (!entryexit) + secure_computing(regs->orig_eax); if (unlikely(current->audit_context)) { if (entryexit) - audit_syscall_exit(current, AUDITSC_RESULT(regs->eax), regs->eax); + audit_syscall_exit(current, AUDITSC_RESULT(regs->eax), + regs->eax); /* Debug traps, when using PTRACE_SINGLESTEP, must be sent only * on the syscall exit path. Normally, when TIF_SYSCALL_AUDIT is * not used, entry.S will call us only on syscall exit, not @@ -738,7 +743,7 @@ int do_syscall_trace(struct pt_regs *regs, int entryexit) /* the 0x80 provides a way for the tracing parent to distinguish between a syscall stop and SIGTRAP delivery */ /* Note that the debugger could change the result of test_thread_flag!*/ - ptrace_notify(SIGTRAP | ((current->ptrace & PT_TRACESYSGOOD) ? 0x80 : 0)); + ptrace_notify(SIGTRAP | ((current->ptrace & PT_TRACESYSGOOD) ? 0x80:0)); /* * this isn't the same as continuing with a signal, but it will do @@ -750,7 +755,7 @@ int do_syscall_trace(struct pt_regs *regs, int entryexit) current->exit_code = 0; } ret = is_sysemu; - out: +out: if (unlikely(current->audit_context) && !entryexit) audit_syscall_entry(current, AUDIT_ARCH_I386, regs->orig_eax, regs->ebx, regs->ecx, regs->edx, regs->esi); @@ -759,6 +764,7 @@ int do_syscall_trace(struct pt_regs *regs, int entryexit) regs->orig_eax = -1; /* force skip of syscall restarting */ if (unlikely(current->audit_context)) - audit_syscall_exit(current, AUDITSC_RESULT(regs->eax), regs->eax); + audit_syscall_exit(current, AUDITSC_RESULT(regs->eax), + regs->eax); return 1; } |