From: YiFei Zhu
To: containers@lists.linux-foundation.org
Cc: YiFei Zhu, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, Aleksa Sarai, Andrea Arcangeli, Andy Lutomirski, David Laight, Dimitrios Skarlatos, Giuseppe Scrivano, Hubertus Franke, Jack Chen, Jann Horn, Josep Torrellas, Kees Cook, Tianyin Xu, Tobin Feldman-Fitzthum, Tycho Andersen, Valentin Rothberg, Will Drewry
Subject: [PATCH v5 seccomp 3/5] x86: Enable seccomp architecture tracking
Date: Sun, 11 Oct 2020 10:47:44 -0500
X-Mailer: git-send-email 2.28.0
X-Mailing-List: linux-kernel@vger.kernel.org

From: Kees Cook

Provide seccomp internals with the details to calculate which syscall table the running kernel is expecting to deal with. This allows for efficient architecture pinning and paves the way for constant-action bitmaps.
Signed-off-by: Kees Cook Co-developed-by: YiFei Zhu Signed-off-by: YiFei Zhu --- arch/x86/include/asm/seccomp.h | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/arch/x86/include/asm/seccomp.h b/arch/x86/include/asm/seccomp.h index 2bd1338de236..b17d037c72ce 100644 --- a/arch/x86/include/asm/seccomp.h +++ b/arch/x86/include/asm/seccomp.h @@ -16,6 +16,23 @@ #define __NR_seccomp_sigreturn_32 __NR_ia32_sigreturn #endif +#ifdef CONFIG_X86_64 +# define SECCOMP_ARCH_NATIVE AUDIT_ARCH_X86_64 +# define SECCOMP_ARCH_NATIVE_NR NR_syscalls +# ifdef CONFIG_COMPAT +# define SECCOMP_ARCH_COMPAT AUDIT_ARCH_I386 +# define SECCOMP_ARCH_COMPAT_NR IA32_NR_syscalls +# endif +/* + * x32 will have __X32_SYSCALL_BIT set in syscall number. We don't support + * caching them and they are treated as out of range syscalls, which will + * always pass through the BPF filter. + */ +#else /* !CONFIG_X86_64 */ +# define SECCOMP_ARCH_NATIVE AUDIT_ARCH_I386 +# define SECCOMP_ARCH_NATIVE_NR NR_syscalls +#endif + #include #endif /* _ASM_X86_SECCOMP_H */ -- 2.28.0
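Review bot: The new SECCOMP_ARCH_NATIVE, SECCOMP_ARCH_NATIVE_NR, SECCOMP_ARCH_COMPAT and SECCOMP_ARCH_COMPAT_NR defines expand to AUDIT_ARCH_X86_64, AUDIT_ARCH_I386, NR_syscalls and IA32_NR_syscalls, but the hunk adds no include that provides them; either add the headers that define those symbols above the block or state in the commit message that the seccomp core is expected to include them before this header. The 32-bit branch (`#else /* !CONFIG_X86_64 */`) intentionally defines no SECCOMP_ARCH_COMPAT, so any consumer of the compat macros needs to be guarded with `#ifdef SECCOMP_ARCH_COMPAT`; worth saying so in the commit message. The x32 comment describes the right conservative behaviour for a cache: syscall numbers with __X32_SYSCALL_BIT set are treated as out of range and always go through the BPF filter, so an uncached number is never answered from the bitmap.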