Re: [PATCH 1/3] kconfig: consolidate arch-specific seccomp options

From: Mimi Zohar
Date: Thu Jan 02 2014 - 16:09:12 EST


On Thu, 2014-01-02 at 12:20 -0800, Dave Hansen wrote:
> From: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
>
> There are 7 architectures with "config SECCOMP". They all have
> virtually the same help text except for those referencing the
> /proc interface which was removed in 2007.
>
> There is *NOTHING* architecture-specific about SECCOMP except
> that the syscalls have per-architecture definitions, like every
> other syscall. It is absurd to have the option in the
> arch-specific menus.
>
> Move it to the security menu, consolidate the 7 down to one,
> and remove the embarrassingly-ancient references to the /proc
> interface.
>
> Signed-off-by: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
> Cc: linux-security-module@xxxxxxxxxxxxxxx
> Cc: linux-arch@xxxxxxxxxxxxxxx
> ---
>
> linux.git-davehans/arch/arm/Kconfig | 15 +--------------
> linux.git-davehans/arch/microblaze/Kconfig | 18 +-----------------
> linux.git-davehans/arch/mips/Kconfig | 18 +-----------------
> linux.git-davehans/arch/powerpc/Kconfig | 18 +-----------------
> linux.git-davehans/arch/s390/Kconfig | 18 +-----------------
> linux.git-davehans/arch/sh/Kconfig | 17 +----------------
> linux.git-davehans/arch/sparc/Kconfig | 18 +-----------------
> linux.git-davehans/arch/x86/Kconfig | 17 +----------------
> linux.git-davehans/security/Kconfig | 21 ++++++++++++++++++++-
> 9 files changed, 28 insertions(+), 132 deletions(-)
>
> diff -puN arch/arm/Kconfig~consolidate-seccomp-options arch/arm/Kconfig
> --- linux.git/arch/arm/Kconfig~consolidate-seccomp-options 2014-01-02 11:23:58.590785275 -0800
> +++ linux.git-davehans/arch/arm/Kconfig 2014-01-02 11:23:58.609786130 -0800
> @@ -26,6 +26,7 @@ config ARM
> select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL
> select HAVE_ARCH_KGDB
> select HAVE_ARCH_SECCOMP_FILTER if (AEABI && !OABI_COMPAT)
> + select HAVE_ARCH_SECCOMP
> select HAVE_ARCH_TRACEHOOK
> select HAVE_BPF_JIT
> select HAVE_CONTEXT_TRACKING
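Review bot: the added `select HAVE_ARCH_SECCOMP` lands after `select HAVE_ARCH_SECCOMP_FILTER`, which breaks the alphabetical ordering of this select list; move it one line up so it precedes the `_FILTER` entry. The same placement recurs in the s390 and x86 hunks below.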
> @@ -1842,20 +1843,6 @@ config UACCESS_WITH_MEMCPY
> However, if the CPU data cache is using a write-allocate mode,
> this option is unlikely to provide any performance gain.
>
> -config SECCOMP
> - bool
> - prompt "Enable seccomp to safely compute untrusted bytecode"
> - ---help---
> - This kernel feature is useful for number crunching applications
> - that may need to compute untrusted bytecode during their
> - execution. By using pipes or other transports made available to
> - the process as file descriptors supporting the read/write
> - syscalls, it's possible to isolate those applications in
> - their own address space using seccomp. Once seccomp is
> - enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
> - and the task is only allowed to execute a few safe syscalls
> - defined by each seccomp mode.
> -
> config CC_STACKPROTECTOR
> bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
> help
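Review bot: the removed ARM entry was a bare `bool` with a `prompt` and no `default`, so SECCOMP defaulted to n on ARM; the consolidated entry in security/Kconfig carries `default y`, which silently flips the default for any ARM configuration that does not set CONFIG_SECCOMP explicitly. Either state that default change in the commit message or leave the default out of the consolidated option.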
> diff -puN arch/microblaze/Kconfig~consolidate-seccomp-options arch/microblaze/Kconfig
> --- linux.git/arch/microblaze/Kconfig~consolidate-seccomp-options 2014-01-02 11:23:58.592785365 -0800
> +++ linux.git-davehans/arch/microblaze/Kconfig 2014-01-02 11:23:58.609786130 -0800
> @@ -11,6 +11,7 @@ config MICROBLAZE
> select ARCH_WANT_OPTIONAL_GPIOLIB
> select HAVE_OPROFILE
> select HAVE_ARCH_KGDB
> + select HAVE_ARCH_SECCOMP
> select HAVE_DMA_ATTRS
> select HAVE_DMA_API_DEBUG
> select TRACING_SUPPORT
> @@ -106,23 +107,6 @@ config CMDLINE_FORCE
> Set this to have arguments from the default kernel command string
> override those passed by the boot loader.
>
> -config SECCOMP
> - bool "Enable seccomp to safely compute untrusted bytecode"
> - depends on PROC_FS
> - default y
> - help
> - This kernel feature is useful for number crunching applications
> - that may need to compute untrusted bytecode during their
> - execution. By using pipes or other transports made available to
> - the process as file descriptors supporting the read/write
> - syscalls, it's possible to isolate those applications in
> - their own address space using seccomp. Once seccomp is
> - enabled via /proc/<pid>/seccomp, it cannot be disabled
> - and the task is only allowed to execute a few safe syscalls
> - defined by each seccomp mode.
> -
> - If unsure, say Y. Only embedded should say N here.
> -
> endmenu
>
> menu "Advanced setup"
> diff -puN arch/mips/Kconfig~consolidate-seccomp-options arch/mips/Kconfig
> --- linux.git/arch/mips/Kconfig~consolidate-seccomp-options 2014-01-02 11:23:58.594785455 -0800
> +++ linux.git-davehans/arch/mips/Kconfig 2014-01-02 11:23:58.610786175 -0800
> @@ -10,6 +10,7 @@ config MIPS
> select PERF_USE_VMALLOC
> select HAVE_ARCH_KGDB
> select HAVE_ARCH_TRACEHOOK
> + select HAVE_ARCH_SECCOMP
> select ARCH_HAVE_CUSTOM_GPIO_H
> select HAVE_FUNCTION_TRACER
> select HAVE_FUNCTION_TRACE_MCOUNT_TEST
> @@ -2305,23 +2306,6 @@ config PHYSICAL_START
> specified in the "crashkernel=YM@XM" command line boot parameter
> passed to the panic-ed kernel).
>
> -config SECCOMP
> - bool "Enable seccomp to safely compute untrusted bytecode"
> - depends on PROC_FS
> - default y
> - help
> - This kernel feature is useful for number crunching applications
> - that may need to compute untrusted bytecode during their
> - execution. By using pipes or other transports made available to
> - the process as file descriptors supporting the read/write
> - syscalls, it's possible to isolate those applications in
> - their own address space using seccomp. Once seccomp is
> - enabled via /proc/<pid>/seccomp, it cannot be disabled
> - and the task is only allowed to execute a few safe syscalls
> - defined by each seccomp mode.
> -
> - If unsure, say Y. Only embedded should say N here.
> -
> config CC_STACKPROTECTOR
> bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
> help
> diff -puN arch/powerpc/Kconfig~consolidate-seccomp-options arch/powerpc/Kconfig
> --- linux.git/arch/powerpc/Kconfig~consolidate-seccomp-options 2014-01-02 11:23:58.596785545 -0800
> +++ linux.git-davehans/arch/powerpc/Kconfig 2014-01-02 11:23:58.611786220 -0800
> @@ -101,6 +101,7 @@ config PPC
> select HAVE_EFFICIENT_UNALIGNED_ACCESS if !CPU_LITTLE_ENDIAN
> select HAVE_KPROBES
> select HAVE_ARCH_KGDB
> + select HAVE_ARCH_SECCOMP
> select HAVE_KRETPROBES
> select HAVE_ARCH_TRACEHOOK
> select HAVE_MEMBLOCK
> @@ -626,23 +627,6 @@ config ARCH_WANTS_FREEZER_CONTROL
>
> source kernel/power/Kconfig
>
> -config SECCOMP
> - bool "Enable seccomp to safely compute untrusted bytecode"
> - depends on PROC_FS
> - default y
> - help
> - This kernel feature is useful for number crunching applications
> - that may need to compute untrusted bytecode during their
> - execution. By using pipes or other transports made available to
> - the process as file descriptors supporting the read/write
> - syscalls, it's possible to isolate those applications in
> - their own address space using seccomp. Once seccomp is
> - enabled via /proc/<pid>/seccomp, it cannot be disabled
> - and the task is only allowed to execute a few safe syscalls
> - defined by each seccomp mode.
> -
> - If unsure, say Y. Only embedded should say N here.
> -
> endmenu
>
> config ISA_DMA_API
> diff -puN arch/s390/Kconfig~consolidate-seccomp-options arch/s390/Kconfig
> --- linux.git/arch/s390/Kconfig~consolidate-seccomp-options 2014-01-02 11:23:58.597785590 -0800
> +++ linux.git-davehans/arch/s390/Kconfig 2014-01-02 11:23:58.611786220 -0800
> @@ -105,6 +105,7 @@ config S390
> select HAVE_ALIGNED_STRUCT_PAGE if SLUB
> select HAVE_ARCH_JUMP_LABEL if !MARCH_G5
> select HAVE_ARCH_SECCOMP_FILTER
> + select HAVE_ARCH_SECCOMP
> select HAVE_ARCH_TRACEHOOK
> select HAVE_ARCH_TRANSPARENT_HUGEPAGE if 64BIT
> select HAVE_BPF_JIT if 64BIT && PACK_STACK
> @@ -608,23 +609,6 @@ menu "Executable file formats / Emulatio
>
> source "fs/Kconfig.binfmt"
>
> -config SECCOMP
> - def_bool y
> - prompt "Enable seccomp to safely compute untrusted bytecode"
> - depends on PROC_FS
> - help
> - This kernel feature is useful for number crunching applications
> - that may need to compute untrusted bytecode during their
> - execution. By using pipes or other transports made available to
> - the process as file descriptors supporting the read/write
> - syscalls, it's possible to isolate those applications in
> - their own address space using seccomp. Once seccomp is
> - enabled via /proc/<pid>/seccomp, it cannot be disabled
> - and the task is only allowed to execute a few safe syscalls
> - defined by each seccomp mode.
> -
> - If unsure, say Y.
> -
> endmenu
>
> menu "Power Management"
> diff -puN arch/sh/Kconfig~consolidate-seccomp-options arch/sh/Kconfig
> --- linux.git/arch/sh/Kconfig~consolidate-seccomp-options 2014-01-02 11:23:58.599785680 -0800
> +++ linux.git-davehans/arch/sh/Kconfig 2014-01-02 11:23:58.612786265 -0800
> @@ -10,6 +10,7 @@ config SUPERH
> select HAVE_OPROFILE
> select HAVE_GENERIC_DMA_COHERENT
> select HAVE_ARCH_TRACEHOOK
> + select HAVE_ARCH_SECCOMP
> select HAVE_DMA_API_DEBUG
> select HAVE_DMA_ATTRS
> select HAVE_PERF_EVENTS
> @@ -679,22 +680,6 @@ config PHYSICAL_START
> where the fail safe kernel needs to run at a different address
> than the panic-ed kernel.
>
> -config SECCOMP
> - bool "Enable seccomp to safely compute untrusted bytecode"
> - depends on PROC_FS
> - help
> - This kernel feature is useful for number crunching applications
> - that may need to compute untrusted bytecode during their
> - execution. By using pipes or other transports made available to
> - the process as file descriptors supporting the read/write
> - syscalls, it's possible to isolate those applications in
> - their own address space using seccomp. Once seccomp is
> - enabled via prctl, it cannot be disabled and the task is only
> - allowed to execute a few safe syscalls defined by each seccomp
> - mode.
> -
> - If unsure, say N.
> -
> config CC_STACKPROTECTOR
> bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
> depends on SUPERH32
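Review bot: as with ARM, the removed sh entry had no `default` and its help text said "If unsure, say N", so after this hunk the `default y` in the security/Kconfig entry changes the default for sh as well; the commit message should mention that the default changes on the architectures that previously defaulted to n.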
> diff -puN arch/sparc/Kconfig~consolidate-seccomp-options arch/sparc/Kconfig
> --- linux.git/arch/sparc/Kconfig~consolidate-seccomp-options 2014-01-02 11:23:58.601785770 -0800
> +++ linux.git-davehans/arch/sparc/Kconfig 2014-01-02 11:23:58.612786265 -0800
> @@ -66,6 +66,7 @@ config SPARC64
> select HAVE_SYSCALL_TRACEPOINTS
> select HAVE_CONTEXT_TRACKING
> select HAVE_DEBUG_KMEMLEAK
> + select HAVE_ARCH_SECCOMP if PROC_FS
> select RTC_DRV_CMOS
> select RTC_DRV_BQ4802
> select RTC_DRV_SUN4V
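Review bot: `select HAVE_ARCH_SECCOMP if PROC_FS` keeps a PROC_FS condition that every other architecture in this series drops, and the commit message says the /proc interface was removed in 2007; drop the `if PROC_FS` so sparc matches the others, or state the sparc-specific reason for keeping it.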
> @@ -222,23 +223,6 @@ config EARLYFB
> help
> Say Y here to enable a faster early framebuffer boot console.
>
> -config SECCOMP
> - bool "Enable seccomp to safely compute untrusted bytecode"
> - depends on SPARC64 && PROC_FS
> - default y
> - help
> - This kernel feature is useful for number crunching applications
> - that may need to compute untrusted bytecode during their
> - execution. By using pipes or other transports made available to
> - the process as file descriptors supporting the read/write
> - syscalls, it's possible to isolate those applications in
> - their own address space using seccomp. Once seccomp is
> - enabled via /proc/<pid>/seccomp, it cannot be disabled
> - and the task is only allowed to execute a few safe syscalls
> - defined by each seccomp mode.
> -
> - If unsure, say Y. Only embedded should say N here.
> -
> config HOTPLUG_CPU
> bool "Support for hot-pluggable CPUs"
> depends on SPARC64 && SMP
> diff -puN arch/x86/Kconfig~consolidate-seccomp-options arch/x86/Kconfig
> --- linux.git/arch/x86/Kconfig~consolidate-seccomp-options 2014-01-02 11:23:58.603785860 -0800
> +++ linux.git-davehans/arch/x86/Kconfig 2014-01-02 11:23:58.614786355 -0800
> @@ -101,6 +101,7 @@ config X86
> select GENERIC_SMP_IDLE_THREAD
> select ARCH_WANT_IPC_PARSE_VERSION if X86_32
> select HAVE_ARCH_SECCOMP_FILTER
> + select HAVE_ARCH_SECCOMP
> select BUILDTIME_EXTABLE_SORT
> select GENERIC_CMOS_UPDATE
> select HAVE_ARCH_SOFT_DIRTY
> @@ -1601,22 +1602,6 @@ config EFI_STUB
>
> See Documentation/efi-stub.txt for more information.
>
> -config SECCOMP
> - def_bool y
> - prompt "Enable seccomp to safely compute untrusted bytecode"
> - ---help---
> - This kernel feature is useful for number crunching applications
> - that may need to compute untrusted bytecode during their
> - execution. By using pipes or other transports made available to
> - the process as file descriptors supporting the read/write
> - syscalls, it's possible to isolate those applications in
> - their own address space using seccomp. Once seccomp is
> - enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
> - and the task is only allowed to execute a few safe syscalls
> - defined by each seccomp mode.
> -
> - If unsure, say Y. Only embedded should say N here.
> -
> config CC_STACKPROTECTOR
> bool "Enable -fstack-protector buffer overflow detection"
> ---help---
> diff -puN security/Kconfig~consolidate-seccomp-options security/Kconfig
> --- linux.git/security/Kconfig~consolidate-seccomp-options 2014-01-02 11:23:58.604785905 -0800
> +++ linux.git-davehans/security/Kconfig 2014-01-02 11:23:58.614786355 -0800
> @@ -167,5 +167,24 @@ config DEFAULT_SECURITY
> default "yama" if DEFAULT_SECURITY_YAMA
> default "" if DEFAULT_SECURITY_DAC
>
> -endmenu
> +config HAVE_ARCH_SECCOMP
> + bool
> +
> +config SECCOMP
> + bool

Hi Dave,

I haven't looked at the other 'CONFIG_HAVE' options, but shouldn't
'HAVE_ARCH_SECCOMP' be dependent on 'SECCOMP'?

Mimi

> + default y
> + prompt "Enable seccomp to safely compute untrusted bytecode"
> + ---help---
> + This kernel feature is useful for number crunching applications
> + that may need to compute untrusted bytecode during their
> + execution. By using pipes or other transports made available to
> + the process as file descriptors supporting the read/write
> + syscalls, it's possible to isolate those applications in
> + their own address space using seccomp. Once seccomp is
> + enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
> + and the task is only allowed to execute a few safe syscalls
> + defined by each seccomp mode.
>
> + If unsure, say Y. Only embedded should say N here.
> +
> +endmenu
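Review bot: the new `config SECCOMP` has no `depends on HAVE_ARCH_SECCOMP`, so with this hunk the option becomes visible and, given `default y`, enabled on every architecture, including those that never select HAVE_ARCH_SECCOMP and have no seccomp implementation. Add `depends on HAVE_ARCH_SECCOMP` beneath `config SECCOMP`; the dependency runs in that direction (the arch advertises the capability with HAVE_ARCH_SECCOMP and the user-visible SECCOMP depends on it), which matches how the other HAVE_ARCH_* symbols selected in the arch hunks are used.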


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/