tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'seccomp-v5.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull seccomp fixes from Kees Cook:
"This gets the seccomp selftests running again on powerpc and sh, and
fixes an audit reporting oversight noticed in both seccomp and ptrace.

- Fix typos in seccomp selftests on powerpc and sh (Kees Cook)

- Fix PF_SUPERPRIV audit marking in seccomp and ptrace (Mickaël
Salaün)"

* tag 'seccomp-v5.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
selftests/seccomp: sh: Fix register names
selftests/seccomp: powerpc: Fix typo in macro variable name
seccomp: Set PF_SUPERPRIV when checking capability
ptrace: Set PF_SUPERPRIV when checking capability

Linus Torvalds ea0ab643 27bba9c5

+11 -18
+5 -11
kernel/ptrace.c
··· 264 264 return ret; 265 265 } 266 266 267 - static bool ptrace_has_cap(const struct cred *cred, struct user_namespace *ns, 268 - unsigned int mode) 267 + static bool ptrace_has_cap(struct user_namespace *ns, unsigned int mode) 269 268 { 270 - int ret; 271 - 272 269 if (mode & PTRACE_MODE_NOAUDIT) 273 - ret = security_capable(cred, ns, CAP_SYS_PTRACE, CAP_OPT_NOAUDIT); 274 - else 275 - ret = security_capable(cred, ns, CAP_SYS_PTRACE, CAP_OPT_NONE); 276 - 277 - return ret == 0; 270 + return ns_capable_noaudit(ns, CAP_SYS_PTRACE); 271 + return ns_capable(ns, CAP_SYS_PTRACE); 278 272 } 279 273 280 274 /* Returns 0 on success, -errno on denial. */ ··· 320 326 gid_eq(caller_gid, tcred->sgid) && 321 327 gid_eq(caller_gid, tcred->gid)) 322 328 goto ok; 323 - if (ptrace_has_cap(cred, tcred->user_ns, mode)) 329 + if (ptrace_has_cap(tcred->user_ns, mode)) 324 330 goto ok; 325 331 rcu_read_unlock(); 326 332 return -EPERM; ··· 339 345 mm = task->mm; 340 346 if (mm && 341 347 ((get_dumpable(mm) != SUID_DUMP_USER) && 342 - !ptrace_has_cap(cred, mm->user_ns, mode))) 348 + !ptrace_has_cap(mm->user_ns, mode))) 343 349 return -EPERM; 344 350 345 351 return security_ptrace_access_check(task, mode);
+2 -3
kernel/seccomp.c
··· 38 38 #include <linux/filter.h> 39 39 #include <linux/pid.h> 40 40 #include <linux/ptrace.h> 41 - #include <linux/security.h> 41 + #include <linux/capability.h> 42 42 #include <linux/tracehook.h> 43 43 #include <linux/uaccess.h> 44 44 #include <linux/anon_inodes.h> ··· 558 558 * behavior of privileged children. 559 559 */ 560 560 if (!task_no_new_privs(current) && 561 - security_capable(current_cred(), current_user_ns(), 562 - CAP_SYS_ADMIN, CAP_OPT_NOAUDIT) != 0) 561 + !ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN)) 563 562 return ERR_PTR(-EACCES); 564 563 565 564 /* Allocate a new seccomp_filter */
+4 -4
tools/testing/selftests/seccomp/seccomp_bpf.c
··· 1758 1758 * and the code is stored as a positive value. \ 1759 1759 */ \ 1760 1760 if (_result < 0) { \ 1761 - SYSCALL_RET(_regs) = -result; \ 1761 + SYSCALL_RET(_regs) = -_result; \ 1762 1762 (_regs).ccr |= 0x10000000; \ 1763 1763 } else { \ 1764 - SYSCALL_RET(_regs) = result; \ 1764 + SYSCALL_RET(_regs) = _result; \ 1765 1765 (_regs).ccr &= ~0x10000000; \ 1766 1766 } \ 1767 1767 } while (0) ··· 1804 1804 #define SYSCALL_RET(_regs) (_regs).a[(_regs).windowbase * 4 + 2] 1805 1805 #elif defined(__sh__) 1806 1806 # define ARCH_REGS struct pt_regs 1807 - # define SYSCALL_NUM(_regs) (_regs).gpr[3] 1808 - # define SYSCALL_RET(_regs) (_regs).gpr[0] 1807 + # define SYSCALL_NUM(_regs) (_regs).regs[3] 1808 + # define SYSCALL_RET(_regs) (_regs).regs[0] 1809 1809 #else 1810 1810 # error "Do not know how to find your architecture's registers and syscalls" 1811 1811 #endif