Message-ID: <cover.1747839440.git.dvyukov@google.com>
Date: Wed, 21 May 2025 17:04:27 +0200
From: Dmitry Vyukov <dvyukov@...gle.com>
To: krisman@...labora.com, tglx@...utronix.de, luto@...nel.org, 
	peterz@...radead.org, keescook@...omium.org, gregory.price@...verge.com
Cc: Dmitry Vyukov <dvyukov@...gle.com>, Marco Elver <elver@...gle.com>, linux-kernel@...r.kernel.org
Subject: [PATCH v3 0/3] syscall_user_dispatch: Add PR_SYS_DISPATCH_INCLUSIVE_ON

syscall_user_dispatch: Add PR_SYS_DISPATCH_INCLUSIVE_ON

There are two possible scenarios for syscall filtering:
- having a trusted/allowed range of PCs, and intercepting everything else
- or the opposite: a single untrusted/intercepted range and allowing
   everything else (this is relevant for any kind of sandboxing scenario,
   or monitoring behavior of a single library)

The current API only allows the former use case due to the allowed
range wrap-around check. Add PR_SYS_DISPATCH_INCLUSIVE_ON that
enables the second use case.

Cc: Gabriel Krisman Bertazi <krisman@...labora.com>
Cc: Thomas Gleixner <tglx@...utronix.de>
Cc: Andy Lutomirski <luto@...nel.org>
Cc: Peter Zijlstra (Intel) <peterz@...radead.org>
Cc: Kees Cook <keescook@...omium.org>
Cc: Gregory Price <gregory.price@...verge.com>
Cc: Marco Elver <elver@...gle.com>
Cc: linux-kernel@...r.kernel.org

Dmitry Vyukov (3):
  selftests: Fix errno checking in syscall_user_dispatch test
  syscall_user_dispatch: Add PR_SYS_DISPATCH_INCLUSIVE_ON
  selftests: Add tests for PR_SYS_DISPATCH_INCLUSIVE_ON

 .../admin-guide/syscall-user-dispatch.rst     |  23 +--
 include/uapi/linux/prctl.h                    |   7 +-
 kernel/entry/syscall_user_dispatch.c          |  36 +++--
 tools/include/uapi/linux/prctl.h              |   7 +-
 .../syscall_user_dispatch/sud_test.c          | 140 ++++++++++++------
 5 files changed, 146 insertions(+), 67 deletions(-)


base-commit: 4a95bc121ccdaee04c4d72f84dbfa6b880a514b6
-- 
2.49.0.1143.g0be31eac6b-goog
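
The two scenarios from the cover letter, as an added user-space model (not code from this patch series or from the kernel): it shows why "intercept one library, allow everything else" cannot be written as an allowed range once wrapping ranges are refused, and how stating the range as intercepted expresses it directly. The enum names, the sample library addresses and the exact form of the wrap check are assumptions made for this illustration; the selector byte that Syscall User Dispatch also consults is left out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for this model; these are not the kernel's prctl constants. */
enum sud_mode { SUD_ALLOWED_RANGE, SUD_INTERCEPTED_RANGE };
struct sud_cfg { enum sud_mode mode; uint64_t offset, len; };

/* Constructed sample mapping of the one library to monitor. */
#define LIB_START UINT64_C(0x7f0000001000)
#define LIB_LEN   UINT64_C(0x2000)
#define LIB_END   (LIB_START + LIB_LEN)

/* Model of the wrap-around check (assumed form): a range whose end
 * does not lie above its start is refused. */
static bool range_wraps(uint64_t offset, uint64_t len)
{
    return offset && offset + len <= offset;
}

/* Returns 0 on success, -1 when the range is refused. */
int sud_configure(struct sud_cfg *c, enum sud_mode mode, uint64_t offset, uint64_t len)
{
    if (range_wraps(offset, len))
        return -1;
    c->mode = mode; c->offset = offset; c->len = len;
    return 0;
}

/* True when a syscall issued from pc would be intercepted. */
bool sud_intercepts(const struct sud_cfg *c, uint64_t pc)
{
    /* Unsigned subtraction: a single compare covers both bounds. */
    bool in_range = pc - c->offset < c->len;
    return c->mode == SUD_ALLOWED_RANGE ? !in_range : in_range;
}

int main(void)
{
    struct sud_cfg c;
    /* "Allow everything except the library" needs an allowed range that
     * starts at LIB_END and wraps around to LIB_START: refused. */
    printf("complement as allowed range: %d\n",
           sud_configure(&c, SUD_ALLOWED_RANGE, LIB_END, LIB_START - LIB_END));
    /* The same policy stated directly as one intercepted range. */
    printf("intercepted range: %d\n",
           sud_configure(&c, SUD_INTERCEPTED_RANGE, LIB_START, LIB_LEN));
    printf("inside=%d outside=%d\n", sud_intercepts(&c, LIB_START + 0x10),
           sud_intercepts(&c, LIB_END));
    return 0;
}
```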

