| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202508251051.E222C34D2F@keescook>
Date: Mon, 25 Aug 2025 10:56:05 -0700
From: Kees Cook <kees@...nel.org>
To: Wake Liu <wakel@...gle.com>
Cc: Andy Lutomirski <luto@...capital.net>, Will Drewry <wad@...omium.org>,
Shuah Khan <shuah@...nel.org>, linux-kselftest@...r.kernel.org,
linux-kernel@...r.kernel.org, bpf@...r.kernel.org
Subject: Re: [PATCH] selftests/seccomp: improve backwards compatibility for
older kernels
On Fri, Aug 08, 2025 at 01:46:13AM +0800, Wake Liu wrote:
> This commit introduces checks for kernel version and seccomp filter flag
> support to the seccomp selftests. It also includes conditional header
> inclusions using __GLIBC_PREREQ.
>
> Some tests were gated by kernel version, and adjustments were made for
> flags introduced after kernel 5.4. This ensures the selftests can run
> and pass correctly on kernel versions 5.4 and later, preventing failures
> due to features not present in older kernels.
>
> The use of __GLIBC_PREREQ ensures proper compilation and functionality
> across different glibc versions in a mainline Linux kernel context.
> While it might appear redundant in specific build environments due to
> global overrides, it is crucial for upstream correctness and portability.
>
> Signed-off-by: Wake Liu <wakel@...gle.com>
> ---
> tools/testing/selftests/seccomp/seccomp_bpf.c | 108 ++++++++++++++++--
> 1 file changed, 99 insertions(+), 9 deletions(-)
>
> diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
> index 61acbd45ffaa..9b660cff5a4a 100644
> --- a/tools/testing/selftests/seccomp/seccomp_bpf.c
> +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
> @@ -13,12 +13,14 @@
> * we need to use the kernel's siginfo.h file and trick glibc
> * into accepting it.
> */
> +#if defined(__GLIBC__) && defined(__GLIBC_PREREQ)
> #if !__GLIBC_PREREQ(2, 26)
> # include <asm/siginfo.h>
> # define __have_siginfo_t 1
> # define __have_sigval_t 1
> # define __have_sigevent_t 1
> #endif
> +#endif
>
> #include <errno.h>
> #include <linux/filter.h>
> @@ -300,6 +302,26 @@ int seccomp(unsigned int op, unsigned int flags, void *args)
> }
> #endif
>
> +int seccomp_flag_supported(int flag)
> +{
> + /*
> + * Probes if a seccomp filter flag is supported by the kernel.
> + *
> + * When an unsupported flag is passed to seccomp(SECCOMP_SET_MODE_FILTER, ...),
> + * the kernel returns EINVAL.
> + *
> + * When a supported flag is passed, the kernel proceeds to validate the
> + * filter program pointer. By passing NULL for the filter program,
> + * the kernel attempts to dereference a bad address, resulting in EFAULT.
> + *
> + * Therefore, checking for EFAULT indicates that the flag itself was
> + * recognized and supported by the kernel.
> + */
> + if (seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL) == -1 && errno == EFAULT)
> + return 1;
> + return 0;
> +}
I like this!
> +
> #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
> #define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n]))
> #elif __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
> @@ -2436,13 +2458,12 @@ TEST(detect_seccomp_filter_flags)
> ASSERT_NE(ENOSYS, errno) {
> TH_LOG("Kernel does not support seccomp syscall!");
> }
> - EXPECT_EQ(-1, ret);
> - EXPECT_EQ(EFAULT, errno) {
> - TH_LOG("Failed to detect that a known-good filter flag (0x%X) is supported!",
> - flag);
> - }
>
> - all_flags |= flag;
> + if (seccomp_flag_supported(flag))
> + all_flags |= flag;
> + else
> + TH_LOG("Filter flag (0x%X) is not found to be supported!",
> + flag);
So I've pushed back on "backward compatible" changes to this selftest
because I want it to be validating the _latest_ seccomp. This allows for
expected flags to be missing.
Is there perhaps a way that the backward compat checking could be a
commandline flag or something? That way by default it looks strictly the
more current seccomp features.
-Kees
--
Kees Cook
Powered by blists - more mailing lists