[GIT PULL] security: seccomp changes for v4.21
Ingo Molnar
mingo at kernel.org
Tue Jan 8 06:46:05 UTC 2019
* Tycho Andersen <tycho at tycho.ws> wrote:
> Hi,
>
> On Mon, Jan 07, 2019 at 01:09:09PM -0800, Kees Cook wrote:
> > On Mon, Jan 7, 2019 at 2:15 AM Ingo Molnar <mingo at kernel.org> wrote:
> > >
> > >
> > > * James Morris <jmorris at namei.org> wrote:
> > >
> > > > From Kees:
> > > >
> > > > "- Add SECCOMP_RET_USER_NOTIF
> > > >
> > > > - seccomp fixes for sparse warnings and s390 build (Tycho)"
> > > >
> > > >
> > > >
> > > > The following changes since commit 1072bd678547f8663cfb81a22fdb50c589e4976e:
> > > >
> > > > security: fs: make inode explicitly non-modular (2018-12-12 14:58:51 -0800)
> > > >
> > > > are available in the Git repository at:
> > > >
> > > > git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-seccomp
> > > >
> > > > for you to fetch changes up to 55b8cbe470d103b44104c64dbf89e5cad525d4e0:
> > > >
> > > > Merge tag 'seccomp-next-part2' of https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux into next-seccomp (2018-12-17 11:36:26 -0800)
> > > >
> > > > ----------------------------------------------------------------
> > > > James Morris (2):
> > > > Merge tag 'seccomp-next' of https://git.kernel.org/.../kees/linux into next-seccomp
> > > > Merge tag 'seccomp-next-part2' of https://git.kernel.org/.../kees/linux into next-seccomp
> > > >
> > > > Tycho Andersen (6):
> > > > seccomp: hoist struct seccomp_data recalculation higher
> > > > seccomp: switch system call argument type to void *
> > > > seccomp: add a return code to trap to userspace
> > > > samples: add an example of seccomp user trap
> > > > seccomp: fix poor type promotion
> > > > seccomp, s390: fix build for syscall type change
> > > >
> > > > Documentation/ioctl/ioctl-number.txt | 1 +
> > > > Documentation/userspace-api/seccomp_filter.rst | 84 +++++
> > > > arch/s390/kernel/compat_wrapper.c | 2 +-
> > > > include/linux/seccomp.h | 9 +-
> > > > include/linux/syscalls.h | 2 +-
> > > > include/uapi/linux/seccomp.h | 40 ++-
> > > > kernel/seccomp.c | 467 ++++++++++++++++++++++++-
> > > > samples/seccomp/.gitignore | 1 +
> > > > samples/seccomp/Makefile | 7 +-
> > > > samples/seccomp/user-trap.c | 375 ++++++++++++++++++++
> > > > tools/testing/selftests/seccomp/seccomp_bpf.c | 447 ++++++++++++++++++++++-
> > > > 11 files changed, 1411 insertions(+), 24 deletions(-)
> > > > create mode 100644 samples/seccomp/user-trap.c
> > >
> > > 32-bit x86 allyesconfig doesn't build:
> > >
> > > /usr/bin/ld: i386:x86-64 architecture of input file `samples/seccomp/user-trap.o' is incompatible with i386 output
> > > /usr/bin/ld: samples/seccomp/user-trap.o: file class ELFCLASS64 incompatible with ELFCLASS32
> > > /usr/bin/ld: final link failed: File in wrong format
> > > collect2: error: ld returned 1 exit status
> > > scripts/Makefile.host:99: recipe for target 'samples/seccomp/user-trap' failed
> > > make[2]: *** [samples/seccomp/user-trap] Error 1
> > >
> > > Is this a known regression?
> >
> > That looks like something is busted in the samples Makefile? Tycho,
> > are you able to reproduce this?
>
> Given that the samples build only happens when CROSS_COMPILE is not
> set, I'll see about digging up a 32-bit box. But I think the patch
> below should fix it, I'll send it out when I actually get it tested.
>
> Sorry for the breakage!
>
> Tycho
>
>
> From b53b390ab554ef6e5b995ac050718fd62ed0803e Mon Sep 17 00:00:00 2001
> From: Tycho Andersen <tycho at tycho.ws>
> Date: Mon, 7 Jan 2019 14:46:34 -0700
> Subject: [PATCH] samples/seccomp: fix 32-bit build
>
> Both the .o and the actual executable need to be built with -m32 in order
> to link correctly.
>
> Signed-off-by: Tycho Andersen <tycho at tycho.ws>
> Reported-by: Ingo Molnar <mingo at kernel.org>
> ---
> samples/seccomp/Makefile | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/samples/seccomp/Makefile b/samples/seccomp/Makefile
> index 4920903c8009..a5607668a5c7 100644
> --- a/samples/seccomp/Makefile
> +++ b/samples/seccomp/Makefile
> @@ -37,6 +37,7 @@ HOSTCFLAGS_bpf-fancy.o += $(MFLAG)
> HOSTLDLIBS_bpf-direct += $(MFLAG)
> HOSTLDLIBS_bpf-fancy += $(MFLAG)
> HOSTLDLIBS_dropper += $(MFLAG)
> +HOSTLDLIBS_user-trap.o += $(MFLAG)
That did the trick - thanks!
Ingo
More information about the Linux-security-module-archive
mailing list