Message-ID: <20170922183458.GA136150@beast>
Date:   Fri, 22 Sep 2017 11:34:58 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     linux-kernel@...r.kernel.org,
        Andy Lutomirski <luto@...capital.net>,
        Kees Cook <keescook@...omium.org>,
        Tyler Hicks <tyhicks@...onical.com>
Subject: [GIT PULL] seccomp updates for v4.14-rc2

Hi,

This is a direct seccomp pull request (similar to SELinux's for the v4.14
window); it's the same series that I sent to James earlier (notes below).

Please pull these seccomp changes for v4.14-rc2.

Thanks!

-Kees

The following changes since commit 520eccdfe187591a51ea9ab4c1a024ae4d0f68d9:

  Linux 4.13-rc2 (2017-07-23 16:15:17 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v4.14-rc2

for you to fetch changes up to 6849243bf4c6155151b294e9f0e0dc9540d6f083:

  samples: Unrename SECCOMP_RET_KILL (2017-08-16 20:26:57 -0700)

----------------------------------------------------------------
Major additions:
- sysctl and seccomp operation to discover available actions. (tyhicks)
- new per-filter configurable logging infrastructure and sysctl. (tyhicks)
- SECCOMP_RET_LOG to log allowed syscalls. (tyhicks)
- SECCOMP_RET_KILL_PROCESS as the new strictest possible action.
- self-tests for new behaviors.

----------------------------------------------------------------
Kees Cook (9):
      selftests/seccomp: Add tests for basic ptrace actions
      selftests/seccomp: Add simple seccomp overhead benchmark
      selftests/seccomp: Refactor RET_ERRNO tests
      seccomp: Provide matching filter for introspection
      seccomp: Rename SECCOMP_RET_KILL to SECCOMP_RET_KILL_THREAD
      seccomp: Introduce SECCOMP_RET_KILL_PROCESS
      seccomp: Implement SECCOMP_RET_KILL_PROCESS action
      selftests/seccomp: Test thread vs process killing
      samples: Unrename SECCOMP_RET_KILL

Tyler Hicks (6):
      seccomp: Sysctl to display available actions
      seccomp: Operation for checking if an action is available
      seccomp: Sysctl to configure actions that are allowed to be logged
      seccomp: Selftest for detection of filter flag support
      seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW
      seccomp: Action to log before allowing

 Documentation/networking/filter.txt                |   2 +-
 Documentation/sysctl/kernel.txt                    |   1 +
 Documentation/userspace-api/seccomp_filter.rst     |  52 +-
 include/linux/audit.h                              |   6 +-
 include/linux/seccomp.h                            |   3 +-
 include/uapi/linux/seccomp.h                       |  23 +-
 kernel/seccomp.c                                   | 321 ++++++++++-
 tools/testing/selftests/seccomp/Makefile           |  18 +-
 .../testing/selftests/seccomp/seccomp_benchmark.c  |  99 ++++
 tools/testing/selftests/seccomp/seccomp_bpf.c      | 610 +++++++++++++++++----
 10 files changed, 1006 insertions(+), 129 deletions(-)
 create mode 100644 tools/testing/selftests/seccomp/seccomp_benchmark.c

-- 
Kees Cook
Pixel Security
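Added example (not code from this pull request or from the kernel tree): how the four additions listed above look from userspace on Linux. It builds a seccomp-bpf allowlist whose default action is SECCOMP_RET_KILL_PROCESS, runs the filter through a small userspace cBPF interpreter so its decisions can be checked without confining the calling process, probes the running kernel with SECCOMP_GET_ACTION_AVAIL, and installs the filter with SECCOMP_FILTER_FLAG_LOG. The names allowlist, run_filter, decide, action_available and install_filter, the SECCOMP_ARCH and SD_OFF macros and the chosen syscall set are the example's own; the numeric constants are the ones this series added to include/uapi/linux/seccomp.h and are defined locally only when the build host's headers lack them.

```c
/* Added example (not the pull request's or the kernel's code): a seccomp-bpf
 * allowlist defaulting to SECCOMP_RET_KILL_PROCESS, a userspace dry run of it,
 * and the SECCOMP_GET_ACTION_AVAIL probe. Linux only. */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/* Values this series added to the UAPI, for headers that predate v4.14. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#define SECCOMP_RET_LOG          0x7ffc0000U
#define SECCOMP_RET_ACTION_FULL  0xffff0000U /* old SECCOMP_RET_ACTION lacks bit 31 */
#define SECCOMP_GET_ACTION_AVAIL 2
#define SECCOMP_FILTER_FLAG_LOG  (1UL << 1)
#endif
#ifdef __aarch64__
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#define SECCOMP_ARCH AUDIT_ARCH_X86_64 /* example assumption; adjust for other arches */
#endif
#define SD_OFF(field) ((uint32_t)offsetof(struct seccomp_data, field))

/* read/write/exit_group pass, getpid is logged then allowed, anything else or
 * any foreign-ABI call kills the whole process. Jumps count from the next insn. */
static struct sock_filter allowlist[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getpid, 1, 2),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_LOG),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
};
#define ALLOWLIST_LEN (sizeof(allowlist) / sizeof(allowlist[0]))

/* Interpreter for the three cBPF opcodes the allowlist uses, so its decisions
 * can be checked without confining this process. Anything odd fails closed. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (ins->k + sizeof(acc) > sizeof(*sd))
                return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const char *)sd + ins->k, sizeof(acc));
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Action for syscall nr from ABI arch. The mask must be SECCOMP_RET_ACTION_FULL:
 * with the pre-4.14 SECCOMP_RET_ACTION, KILL_PROCESS masks to KILL_THREAD (0). */
uint32_t decide(int nr, uint32_t arch)
{
    struct seccomp_data sd = { .nr = nr, .arch = arch };
    return run_filter(allowlist, ALLOWLIST_LEN, &sd) & SECCOMP_RET_ACTION_FULL;
}

/* SECCOMP_GET_ACTION_AVAIL returns 0 for a known action, EOPNOTSUPP for an
 * unknown one, and EINVAL on a kernel that predates the operation itself. */
int action_available(uint32_t action)
{
    return syscall(__NR_seccomp, SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0;
}

/* Confine the calling thread. SECCOMP_FILTER_FLAG_LOG logs every action except
 * SECCOMP_RET_ALLOW, subject to kernel.seccomp.actions_logged; older kernels EINVAL. */
int install_filter(void)
{
    struct sock_fprog prog = { (unsigned short)ALLOWLIST_LEN, allowlist };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return (int)syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER,
                        SECCOMP_FILTER_FLAG_LOG, &prog);
}
```

Two practical checks fall out of this. First, the mask: SECCOMP_RET_KILL_PROCESS is 0x80000000, so code that reduces a filter's return value with the pre-4.14 SECCOMP_RET_ACTION (0x7fff0000) sees SECCOMP_RET_KILL_THREAD (0) instead; use SECCOMP_RET_ACTION_FULL. Second, a kernel that predates this series does not reject an unknown return value in a filter program, so a filter returning KILL_PROCESS there silently degrades to killing only the offending thread; call action_available(SECCOMP_RET_KILL_PROCESS) before relying on the process kill, and expect install_filter() to fail with EINVAL on such a kernel because of SECCOMP_FILTER_FLAG_LOG. The dry run through decide() never calls install_filter(), since doing so would confine the calling process.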
