Date: Fri, 28 Aug 2020 21:56:13 -0400
From: Rich Felker
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Andy Lutomirski, Will Drewry
Subject: [PATCH] seccomp: kill process instead of thread for unknown actions
Message-ID: <20200829015609.GA32566@brightrain.aerifal.cx>

Asynchronous termination of a thread outside of the userspace thread library's knowledge is an unsafe operation that leaves the process in an inconsistent, corrupt, and possibly unrecoverable state. In order to make new actions that may be added in the future safe on kernels not aware of them, change the default action from SECCOMP_RET_KILL_THREAD to SECCOMP_RET_KILL_PROCESS.

Signed-off-by: Rich Felker
---
This fundamental problem with SECCOMP_RET_KILL_THREAD, and that it should be considered unsafe and deprecated, was recently noted/fixed seccomp in the man page and its example.

Here I've only changed the default action for new/unknown action codes. Ideally the behavior for strict seccomp mode would be changed too but I think that breaks stability policy; in any case it's less likely to be an issue since strict mode is hard or impossible to use reasonably in a multithreaded process.

Unfortunately changing this now won't help older kernels where unknown new actions would still be handled unsafely, but at least it makes it so the problem will fade away over time.

kernel/seccomp.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index d653d8426de9..ce1875fa6b39 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -910,10 +910,10 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, seccomp_init_siginfo(&info, this_syscall, data); do_coredump(&info); } - if (action == SECCOMP_RET_KILL_PROCESS) - do_group_exit(SIGSYS); - else + if (action == SECCOMP_RET_KILL_THREAD) do_exit(SIGSYS); + else + do_group_exit(SIGSYS); } unreachable(); -- 2.21.0
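
Review bot: in the rewritten if/else at the end of the __seccomp_filter() hunk, do_group_exit(SIGSYS) becomes the fallback for every action value other than SECCOMP_RET_KILL_THREAD, yet the code carries no comment saying that unknown actions are meant to land there. A one-line comment above "if (action == SECCOMP_RET_KILL_THREAD)" stating that anything unrecognized kills the whole process would keep a later cleanup from turning the test back into an equality check on SECCOMP_RET_KILL_PROCESS. The condition guarding the do_coredump(&info) block just above is outside the visible context; it is worth confirming that it treats an unknown action the same way the new fallback does, so that the process-wide kill for an unknown action produces the same core dump as SECCOMP_RET_KILL_PROCESS.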