tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

seccomp: passthrough uprobe systemcall without filtering

Adding uprobe as another exception to the seccomp filter alongside
with the uretprobe syscall.

Same as the uretprobe the uprobe syscall is installed by kernel as
replacement for the breakpoint exception and is limited to x86_64
arch and isn't expected to ever be supported in i386.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Kees Cook <kees@kernel.org>
Link: https://lore.kernel.org/r/20250720112133.244369-21-jolsa@kernel.org

authored by

Jiri Olsa and committed by
Peter Zijlstra 89d1d843 52718438

+25 -7
+25 -7
kernel/seccomp.c
··· 741 741 } 742 742 743 743 #ifdef SECCOMP_ARCH_NATIVE 744 + static bool seccomp_uprobe_exception(struct seccomp_data *sd) 745 + { 746 + #if defined __NR_uretprobe || defined __NR_uprobe 747 + #ifdef SECCOMP_ARCH_COMPAT 748 + if (sd->arch == SECCOMP_ARCH_NATIVE) 749 + #endif 750 + { 751 + #ifdef __NR_uretprobe 752 + if (sd->nr == __NR_uretprobe) 753 + return true; 754 + #endif 755 + #ifdef __NR_uprobe 756 + if (sd->nr == __NR_uprobe) 757 + return true; 758 + #endif 759 + } 760 + #endif 761 + return false; 762 + } 763 + 744 764 /** 745 765 * seccomp_is_const_allow - check if filter is constant allow with given data 746 766 * @fprog: The BPF programs ··· 778 758 return false; 779 759 780 760 /* Our single exception to filtering. */ 781 - #ifdef __NR_uretprobe 782 - #ifdef SECCOMP_ARCH_COMPAT 783 - if (sd->arch == SECCOMP_ARCH_NATIVE) 784 - #endif 785 - if (sd->nr == __NR_uretprobe) 786 - return true; 787 - #endif 761 + if (seccomp_uprobe_exception(sd)) 762 + return true; 788 763 789 764 for (pc = 0; pc < fprog->len; pc++) { 790 765 struct sock_filter *insn = &fprog->filter[pc]; ··· 1057 1042 __NR_seccomp_read, __NR_seccomp_write, __NR_seccomp_exit, __NR_seccomp_sigreturn, 1058 1043 #ifdef __NR_uretprobe 1059 1044 __NR_uretprobe, 1045 + #endif 1046 + #ifdef __NR_uprobe 1047 + __NR_uprobe, 1060 1048 #endif 1061 1049 -1, /* negative terminated */ 1062 1050 };