sh: seccomp support. (c4637d47) · Commits · EulixOS / Software / Kernel

arch/sh/Kconfig

+17 −0

Original line number	Diff line number	Diff line
		@@ -483,6 +483,23 @@ config CRASH_DUMP

		For more details see Documentation/kdump/kdump.txt

		config SECCOMP
		bool "Enable seccomp to safely compute untrusted bytecode"
		depends on PROC_FS
		default y
		help
		This kernel feature is useful for number crunching applications
		that may need to compute untrusted bytecode during their
		execution. By using pipes or other transports made available to
		the process as file descriptors supporting the read/write
		syscalls, it's possible to isolate those applications in
		their own address space using seccomp. Once seccomp is
		enabled via prctl, it cannot be disabled and the task is only
		allowed to execute a few safe syscalls defined by each seccomp
		mode.

		If unsure, say N.

		config SMP
		bool "Symmetric multi-processing support"
		depends on SYS_SUPPORTS_SMP

0 → 100644

+10 −0

Original line number	Diff line number	Diff line
		#ifndef __ASM_SECCOMP_H

		#include <linux/unistd.h>

		#define __NR_seccomp_read __NR_read
		#define __NR_seccomp_write __NR_write
		#define __NR_seccomp_exit __NR_exit
		#define __NR_seccomp_sigreturn __NR_rt_sigreturn

		#endif /* __ASM_SECCOMP_H */

+4 −2

Original line number	Diff line number	Diff line
		@@ -117,7 +117,8 @@ static inline struct thread_info *current_thread_info(void)
		#define TIF_NEED_RESCHED 2 /* rescheduling necessary */
		#define TIF_RESTORE_SIGMASK 3 /* restore signal mask in do_signal() */
		#define TIF_SINGLESTEP 4 /* singlestepping active */
		#define TIF_SYSCALL_AUDIT 5
		#define TIF_SYSCALL_AUDIT 5 /* syscall auditing active */
		#define TIF_SECCOMP 6 /* secure computing */
		#define TIF_USEDFPU 16 /* FPU was used by this task this quantum (SMP) */
		#define TIF_POLLING_NRFLAG 17 /* true if poll_idle() is polling TIF_NEED_RESCHED */
		#define TIF_MEMDIE 18
		@@ -129,6 +130,7 @@ static inline struct thread_info *current_thread_info(void)
		#define _TIF_RESTORE_SIGMASK (1 << TIF_RESTORE_SIGMASK)
		#define _TIF_SINGLESTEP (1 << TIF_SINGLESTEP)
		#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
		#define _TIF_SECCOMP (1 << TIF_SECCOMP)
		#define _TIF_USEDFPU (1 << TIF_USEDFPU)
		#define _TIF_POLLING_NRFLAG (1 << TIF_POLLING_NRFLAG)
		#define _TIF_FREEZE (1 << TIF_FREEZE)
		@@ -141,7 +143,7 @@ static inline struct thread_info *current_thread_info(void)

		/* work to do in syscall trace */
		#define _TIF_WORK_SYSCALL_MASK (_TIF_SYSCALL_TRACE \| _TIF_SINGLESTEP \| \
		_TIF_SYSCALL_AUDIT)
		_TIF_SYSCALL_AUDIT \| _TIF_SECCOMP)

		/* work to do on any return to u-space */
		#define _TIF_ALLWORK_MASK (_TIF_SYSCALL_TRACE \| _TIF_SIGPENDING \| \

+3 −0

Original line number	Diff line number	Diff line
		@@ -20,6 +20,7 @@
		#include <linux/signal.h>
		#include <linux/io.h>
		#include <linux/audit.h>
		#include <linux/seccomp.h>
		#include <asm/uaccess.h>
		#include <asm/pgtable.h>
		#include <asm/system.h>
		@@ -276,6 +277,8 @@ asmlinkage void do_syscall_trace(struct pt_regs *regs, int entryexit)
		{
		struct task_struct *tsk = current;

		secure_computing(regs->regs[0]);

		if (unlikely(current->audit_context) && entryexit)
		audit_syscall_exit(AUDITSC_RESULT(regs->regs[0]),
		regs->regs[0]);

+3 −0

Original line number	Diff line number	Diff line
		@@ -27,6 +27,7 @@
		#include <linux/signal.h>
		#include <linux/syscalls.h>
		#include <linux/audit.h>
		#include <linux/seccomp.h>
		#include <asm/io.h>
		#include <asm/uaccess.h>
		#include <asm/pgtable.h>
		@@ -277,6 +278,8 @@ asmlinkage void syscall_trace(struct pt_regs *regs, int entryexit)
		{
		struct task_struct *tsk = current;

		secure_computing(regs->regs[9]);

		if (unlikely(current->audit_context) && entryexit)
		audit_syscall_exit(AUDITSC_RESULT(regs->regs[9]),
		regs->regs[9]);