seccomp updates for v6.2-rc1

- Add missing kerndoc parameter (Randy Dunlap). - Improve seccomp selftest to check CAP_SYS_ADMIN (Gautam Menghani). - Fix allocation leak when cloned thread immediately dies (Kuniyuki Iwashima). -----BEGIN PGP SIGNATURE----- iQJKBAABCgA0FiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAmOOjOAWHGtlZXNjb29r QGNocm9taXVtLm9yZwAKCRCJcvTf3G3AJuXHD/45wafnnxUkunfY8Sv6zHSV/93+ L7GHrEGgKe4fAdb64jy0yMWhffhYW95WvlWBPYE+RCyeRliMj+RNfiXZsUGJXLjB 4h7rPe8wzWllW7tcEAl+gHf++1/h9U4iiyMCFsT2MZv+rnQrK33H4cmDmNUHhd7K DcvoxzXkYLrs0pQTIb5xhfdKU0ZbcTEViPra5CbHASwuamVI6Qc5GupcUoPfr7um 2YhmyK4KZQt0zRKrdwyngeQgjuMfMQ1QsuEOhkHLSswWYrEC8xabGWEizS5Ow7Y7 qrz4KH9hTQgKZIKZ52B+6OslOYWVeYba1Zj3SkDiOAbY5ATzKwOOW+5hHGd+0VS5 r32KfC1Y51ZwoS/4hoW4JCITK31GvHT1zvHHnTL2S/ydpPQ72rAUcLNuxYi5Zs1I jDpOpEt8JNPoRqG2qngEHDsdmUqRwdDGkC2hJc8Kzv8aTBTBch1lwAxYIDLf8lqH t27WjZrmN7F+TR1mpTsrPrfi7btoP4ARMkOrDqsf03gfRWHVzpGpRqm9IWJR9/xI PRbWNMAzePSmcfWpo+oh8389Zybp97iCurwhlu8ZCWEUwPK7FMtf8cW78AprAUc2 QLIaOnhM2WlxmqZrGNy636LY25zZMqtS+95nKDFmii3PQU57tmByM36DP2IGuIie 6h+Pwyf1LJht7yiczg== =++ua -----END PGP SIGNATURE----- Merge tag 'seccomp-v6.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull seccomp updates from Kees Cook: - Add missing kerndoc parameter (Randy Dunlap) - Improve seccomp selftest to check CAP_SYS_ADMIN (Gautam Menghani) - Fix allocation leak when cloned thread immediately dies (Kuniyuki Iwashima) * tag 'seccomp-v6.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: seccomp: document the "filter_count" field seccomp: Move copy_seccomp() to no failure path. selftests/seccomp: Check CAP_SYS_ADMIN capability in the test mode_filter_without_nnp
2024-09-29 05:44:11 +00:00 · 2022-12-12 08:34:05 -08:00 · 2022-12-12 08:34:05 -08:00 · 667161ba0a
commit 667161ba0a
parent 059c4a341d b9069728a7
3 changed files with 16 additions and 8 deletions
--- a/include/linux/seccomp.h
+++ b/include/linux/seccomp.h
@ -27,6 +27,7 @@ struct seccomp_filter;
 *
 * @mode:  indicates one of the valid values above for controlled
 *         system calls available to a process.
+ * @filter_count: number of seccomp filters
 * @filter: must always point to a valid seccomp-filter or NULL as it is
 *          accessed without locking during system call entry.
 *
--- a/kernel/fork.c
+++ b/kernel/fork.c
@ -535,6 +535,9 @@ void put_task_stack(struct task_struct *tsk)

 void free_task(struct task_struct *tsk)
 {
+#ifdef CONFIG_SECCOMP
+	WARN_ON_ONCE(tsk->seccomp.filter);
+#endif
 	release_user_cpus_ptr(tsk);
 	scs_release(tsk);

@ -2406,12 +2409,6 @@ static __latent_entropy struct task_struct *copy_process(

 	spin_lock(&current->sighand->siglock);

-	/*
-	 * Copy seccomp details explicitly here, in case they were changed
-	 * before holding sighand lock.
-	 */
-	copy_seccomp(p);
-
 	rv_task_fork(p);

 	rseq_fork(p, clone_flags);
@ -2428,6 +2425,14 @@ static __latent_entropy struct task_struct *copy_process(
 		goto bad_fork_cancel_cgroup;
 	}

+	/* No more failure paths after this point. */
+
+	/*
+	 * Copy seccomp details explicitly here, in case they were changed
+	 * before holding sighand lock.
+	 */
+	copy_seccomp(p);
+
 	init_task_pid_links(p);
 	if (likely(p->pid)) {
 		ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace);
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@ -392,6 +392,8 @@ TEST(mode_filter_without_nnp)
 		.filter = filter,
 	};
 	long ret;
+	cap_t cap = cap_get_proc();
+	cap_flag_value_t is_cap_sys_admin = 0;

 	ret = prctl(PR_GET_NO_NEW_PRIVS, 0, NULL, 0, 0);
 	ASSERT_LE(0, ret) {
@ -400,8 +402,8 @@ TEST(mode_filter_without_nnp)
 	errno = 0;
 	ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
 	/* Succeeds with CAP_SYS_ADMIN, fails without */
-	/* TODO(wad) check caps not euid */
-	if (geteuid()) {
+	cap_get_flag(cap, CAP_SYS_ADMIN, CAP_EFFECTIVE, &is_cap_sys_admin);
+	if (!is_cap_sys_admin) {
 		EXPECT_EQ(-1, ret);
 		EXPECT_EQ(EACCES, errno);
 	} else {