Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 18 Apr 2017 15:23:02 -0700
From: Kees Cook <keescook@...omium.org>
To: Mickaël Salaün <mic@...ikod.net>
Cc: LKML <linux-kernel@...r.kernel.org>, Alexei Starovoitov <ast@...nel.org>, 
	Andy Lutomirski <luto@...capital.net>, Arnaldo Carvalho de Melo <acme@...nel.org>, 
	Casey Schaufler <casey@...aufler-ca.com>, Daniel Borkmann <daniel@...earbox.net>, 
	David Drysdale <drysdale@...gle.com>, "David S . Miller" <davem@...emloft.net>, 
	"Eric W . Biederman" <ebiederm@...ssion.com>, James Morris <james.l.morris@...cle.com>, 
	Jann Horn <jann@...jh.net>, Jonathan Corbet <corbet@....net>, Matthew Garrett <mjg59@...f.ucam.org>, 
	Michael Kerrisk <mtk.manpages@...il.com>, Paul Moore <paul@...l-moore.com>, 
	Sargun Dhillon <sargun@...gun.me>, "Serge E . Hallyn" <serge@...lyn.com>, Shuah Khan <shuah@...nel.org>, 
	Tejun Heo <tj@...nel.org>, Thomas Graf <tgraf@...g.ch>, Will Drewry <wad@...omium.org>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, Linux API <linux-api@...r.kernel.org>, 
	linux-security-module <linux-security-module@...r.kernel.org>, 
	Network Development <netdev@...r.kernel.org>
Subject: Re: [PATCH net-next v6 05/11] seccomp: Split put_seccomp_filter()
 with put_seccomp()

On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün <mic@...ikod.net> wrote:
> The semantic is unchanged. This will be useful for the Landlock
> integration with seccomp (next commit).
>
> Signed-off-by: Mickaël Salaün <mic@...ikod.net>
> Cc: Kees Cook <keescook@...omium.org>
> Cc: Andy Lutomirski <luto@...capital.net>
> Cc: Will Drewry <wad@...omium.org>
> ---
>  include/linux/seccomp.h |  4 ++--
>  kernel/fork.c           |  2 +-
>  kernel/seccomp.c        | 18 +++++++++++++-----
>  3 files changed, 16 insertions(+), 8 deletions(-)
>
> diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h
> index ecc296c137cd..e25aee2cdfc0 100644
> --- a/include/linux/seccomp.h
> +++ b/include/linux/seccomp.h
> @@ -77,10 +77,10 @@ static inline int seccomp_mode(struct seccomp *s)
>  #endif /* CONFIG_SECCOMP */
>
>  #ifdef CONFIG_SECCOMP_FILTER
> -extern void put_seccomp_filter(struct task_struct *tsk);
> +extern void put_seccomp(struct task_struct *tsk);
>  extern void get_seccomp_filter(struct task_struct *tsk);
>  #else  /* CONFIG_SECCOMP_FILTER */
> -static inline void put_seccomp_filter(struct task_struct *tsk)
> +static inline void put_seccomp(struct task_struct *tsk)
>  {
>         return;
>  }
> diff --git a/kernel/fork.c b/kernel/fork.c
> index 6c463c80e93d..a27d8e67ce33 100644
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -363,7 +363,7 @@ void free_task(struct task_struct *tsk)
>  #endif
>         rt_mutex_debug_task_free(tsk);
>         ftrace_graph_exit_task(tsk);
> -       put_seccomp_filter(tsk);
> +       put_seccomp(tsk);
>         arch_release_task_struct(tsk);
>         if (tsk->flags & PF_KTHREAD)
>                 free_kthread_struct(tsk);
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index 65f61077ad50..326f79e32127 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -64,6 +64,8 @@ struct seccomp_filter {
>  /* Limit any path through the tree to 256KB worth of instructions. */
>  #define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter))
>
> +static void put_seccomp_filter(struct seccomp_filter *filter);

Can this be reorganized easily to avoid a forward-declaration?

> +
>  /*
>   * Endianness is explicitly ignored and left for BPF program authors to manage
>   * as per the specific architecture.
> @@ -314,7 +316,7 @@ static inline void seccomp_sync_threads(void)
>                  * current's path will hold a reference.  (This also
>                  * allows a put before the assignment.)
>                  */
> -               put_seccomp_filter(thread);
> +               put_seccomp_filter(thread->seccomp.filter);
>                 smp_store_release(&thread->seccomp.filter,
>                                   caller->seccomp.filter);
>
> @@ -476,10 +478,11 @@ static inline void seccomp_filter_free(struct seccomp_filter *filter)
>         }
>  }
>
> -/* put_seccomp_filter - decrements the ref count of tsk->seccomp.filter */
> -void put_seccomp_filter(struct task_struct *tsk)
> +/* put_seccomp_filter - decrements the ref count of a filter */
> +static void put_seccomp_filter(struct seccomp_filter *filter)
>  {
> -       struct seccomp_filter *orig = tsk->seccomp.filter;
> +       struct seccomp_filter *orig = filter;
> +
>         /* Clean up single-reference branches iteratively. */
>         while (orig && atomic_dec_and_test(&orig->usage)) {
>                 struct seccomp_filter *freeme = orig;
> @@ -488,6 +491,11 @@ void put_seccomp_filter(struct task_struct *tsk)
>         }
>  }
>
> +void put_seccomp(struct task_struct *tsk)
> +{
> +       put_seccomp_filter(tsk->seccomp.filter);
> +}
> +
>  static void seccomp_init_siginfo(siginfo_t *info, int syscall, int reason)
>  {
>         memset(info, 0, sizeof(*info));
> @@ -914,7 +922,7 @@ long seccomp_get_filter(struct task_struct *task, unsigned long filter_off,
>         if (copy_to_user(data, fprog->filter, bpf_classic_proglen(fprog)))
>                 ret = -EFAULT;
>
> -       put_seccomp_filter(task);
> +       put_seccomp_filter(task->seccomp.filter);
>         return ret;

I don't like that the arguments to get_seccomp_filter() and
put_seccomp_filter() are now different. I think they should match for
readability.

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.