Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
seccomp: Invalidate seccomp mode to catch death failures

If seccomp tries to kill a process, it should never see that process
again. To enforce this proactively, switch the mode to something
impossible. If encountered: WARN, reject all syscalls, and attempt to
kill the process again even harder.

Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Fixes: 8112c4f140fa ("seccomp: remove 2-phase API")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>

+10
+10
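--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -29,6 +29,9 @@
 #include <linux/syscalls.h>
 #include <linux/sysctl.h>
 
+/* Not exposed in headers: strictly internal use only. */
+#define SECCOMP_MODE_DEAD (SECCOMP_MODE_FILTER + 1)
+
 #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
 #include <asm/syscall.h>
 #endif
@@ -1010,6 +1013,7 @@
 #ifdef SECCOMP_DEBUG
 	dump_stack();
 #endif
+	current->seccomp.mode = SECCOMP_MODE_DEAD;
 	seccomp_log(this_syscall, SIGKILL, SECCOMP_RET_KILL_THREAD, true);
 	do_exit(SIGKILL);
 }
@@ -1261,6 +1265,7 @@
 	case SECCOMP_RET_KILL_THREAD:
 	case SECCOMP_RET_KILL_PROCESS:
 	default:
+		current->seccomp.mode = SECCOMP_MODE_DEAD;
 		seccomp_log(this_syscall, SIGSYS, action, true);
 		/* Dump core only if this is the last remaining thread. */
 		if (action != SECCOMP_RET_KILL_THREAD ||
@@ -1309,6 +1314,11 @@
 		return 0;
 	case SECCOMP_MODE_FILTER:
 		return __seccomp_filter(this_syscall, sd, false);
+	/* Surviving SECCOMP_RET_KILL_* must be proactively impossible. */
+	case SECCOMP_MODE_DEAD:
+		WARN_ON_ONCE(1);
+		do_exit(SIGKILL);
+		return -1;
 	default:
 		BUG();
 	}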
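Review bot: The comment on `SECCOMP_MODE_DEAD` in the first hunk says the value is internal, but the two kill paths store it in `current->seccomp.mode`, the same field that any other reader of the mode would see. Only the switch in the last hunk is shown handling it; whether other consumers of `seccomp.mode` (outside these hunks) can observe a task in this state, and what they do with an unknown mode, cannot be confirmed from here and is worth checking. I would extend the define's comment to record the contract, e.g. `/* Not exposed in headers: strictly internal use only. Set only on the kill paths right before the task exits; every other reader of seccomp.mode must treat it as invalid. */`. In the new `case SECCOMP_MODE_DEAD:` arm, `WARN_ON_ONCE(1)` reports only the first survivor, so a short comment there saying that later occurrences are killed silently would help whoever triages the warning. The enclosing functions begin and end outside the hunks.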