| field | value | date |
|---|---|---|
| author | Andrea Arcangeli <andrea@cpushare.com> | 2005-03-07 17:54:43 -0800 |
| committer | Linus Torvalds <torvalds@ppc970.osdl.org> | 2005-03-07 17:54:43 -0800 |
| commit | d949d0ec9c601f2b148bed3cdb5f87c052968554 (patch) | |
| tree | c2ce04fb1d3392cb6ea56088b1d6c007b15ca29b /kernel/seccomp.c | |
| parent | abbaf4f16cb54b73a644a2fcaa96c4103e99b374 (diff) | |
[PATCH] seccomp: secure computing support
I'd need it merged into mainline at some point, unless anybody has strong
arguments against it. All I can guarantee here is that I'll back it out
myself in the future, iff Cpushare will fail and nobody else started using
it in the meantime for similar security purposes.
(akpm: project details are at http://www.cpushare.com/technical. It seems
like a good idea to me, and one which is worth supporting. I agree that for
this to be successful, the added robustness of Andrea's simple and specific
jail is worthwhile).
Signed-off-by: Andrea Arcangeli <andrea@cpushare.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'kernel/seccomp.c')
| -rw-r--r-- | kernel/seccomp.c | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/kernel/seccomp.c b/kernel/seccomp.c new file mode 100644 index 000000000000..b6c5b35c737c --- /dev/null +++ b/kernel/seccomp.c @@ -0,0 +1,74 @@ +/* + * linux/kernel/seccomp.c + * + * Copyright 2004-2005 Andrea Arcangeli <andrea@cpushare.com> + * + * This defines a simple but solid secure-computing mode. + */ + +#include <linux/seccomp.h> +#include <linux/sched.h> +#include <asm/unistd.h> +#ifdef TIF_IA32 +#include <asm/ia32_unistd.h> +#endif + +/* #define SECCOMP_DEBUG 1 */ + +/* + * Secure computing mode 1 allows only read/write/exit/sigreturn. + * To be fully secure this must be combined with rlimit + * to limit the stack allocations too. + */ +static int mode1_syscalls[] = { + __NR_read, __NR_write, __NR_exit, + /* + * Allow either sigreturn or rt_sigreturn, newer archs + * like x86-64 only defines __NR_rt_sigreturn. + */ +#ifdef __NR_sigreturn + __NR_sigreturn, +#else + __NR_rt_sigreturn, +#endif + 0, /* null terminated */ +}; + +#ifdef TIF_IA32 +static int mode1_syscalls_32bit[] = { + __NR_ia32_read, __NR_ia32_write, __NR_ia32_exit, + /* + * Allow either sigreturn or rt_sigreturn, newer archs + * like x86-64 only defines __NR_rt_sigreturn. + */ + __NR_ia32_sigreturn, + 0, /* null terminated */ +}; +#endif + +void __secure_computing(int this_syscall) +{ + int mode = current->seccomp.mode; + int * syscall; + + switch (mode) { + case 1: + syscall = mode1_syscalls; +#ifdef TIF_IA32 + if (test_thread_flag(TIF_IA32)) + syscall = mode1_syscalls_32bit; +#endif + do { + if (*syscall == this_syscall) + return; + } while (*++syscall); + break; + default: + BUG(); + } + +#ifdef SECCOMP_DEBUG + dump_stack(); +#endif + do_exit(SIGKILL); +} |
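Review bot: the allow-lists in mode1_syscalls and mode1_syscalls_32bit use 0 as their terminator ("null terminated"), but 0 is itself a valid syscall number on some architectures (on x86-64 it is __NR_read), so the sentinel collides with an entry the list is meant to allow. The walk in __secure_computing only survives this because it is a do/while that compares *syscall before it tests *++syscall for the terminator, which makes the position of __NR_read as the first element load-bearing and undocumented; reordering the array, or adding another allowed syscall whose number is 0, would silently truncate the list. Suggest either a terminator that can never be a syscall number (a negative value, with the comment changed to say so) or an ARRAY_SIZE-bounded for loop with no sentinel at all. Two smaller points in the same hunk: the comment above __NR_ia32_sigreturn in mode1_syscalls_32bit ("Allow either sigreturn or rt_sigreturn, newer archs like x86-64 only defines __NR_rt_sigreturn") was copied from the native table and no longer matches the code, since the 32-bit table has no #ifdef and always uses __NR_ia32_sigreturn; and `int * syscall;` should be `int *syscall;` per kernel coding style. The do_exit(SIGKILL) path for a disallowed syscall is the right default for a jail; it would be worth one comment stating that this is deliberate so a later reader does not soften it to a signal the task could catch.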
