[GIT PULL] seccomp updates for v5.11-rc1

From: Kees Cook
Date: Tue Dec 15 2020 - 15:33:09 EST

Next message: Guenter Roeck: "Re: [PATCH 5.4 00/36] 5.4.84-rc1 review"
Previous message: Joe Perches: "Re: [PATCH] atm: horizon: remove h from printk format specifier"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Linus,

Please pull these seccomp updates for v5.11-rc1. The major change here
is finally gaining seccomp constant-action bitmaps, which internally
reduces the seccomp overhead for many real-world syscall filters to O(1),
as discussed at Plumbers this year.

Thanks!

-Kees

The following changes since commit 4c222f31fb1db4d590503a181a6268ced9252379:

selftests/seccomp: sh: Fix register names (2020-11-20 11:03:08 -0800)

are available in the Git repository at:

https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.11-rc1

for you to fetch changes up to 2c07343abd8932200a45ff7b10950e71081e9e77:

selftests/seccomp: Update kernel config (2020-12-02 11:20:54 -0800)

----------------------------------------------------------------
seccomp updates for v5.11-rc1

- Improve seccomp performance via constant-action bitmaps (YiFei Zhu & Kees Cook)

- Fix bogus __user annotations (Jann Horn)

- Add missed CONFIG for improved selftest coverage (Mickaël Salaün)

----------------------------------------------------------------
Jann Horn (1):
seccomp: Remove bogus __user annotations

Kees Cook (5):
x86: Enable seccomp architecture tracking
selftests/seccomp: Compare bitmap vs filter overhead
arm64: Enable seccomp architecture tracking
arm: Enable seccomp architecture tracking
Merge branch 'for-linus/seccomp' into for-next/seccomp

Mickaël Salaün (1):
selftests/seccomp: Update kernel config

YiFei Zhu (10):
seccomp/cache: Lookup syscall allowlist bitmap for fast path
seccomp/cache: Add "emulator" to check if filter is constant allow
csky: Enable seccomp architecture tracking
parisc: Enable seccomp architecture tracking
powerpc: Enable seccomp architecture tracking
riscv: Enable seccomp architecture tracking
s390: Enable seccomp architecture tracking
sh: Enable seccomp architecture tracking
xtensa: Enable seccomp architecture tracking
seccomp/cache: Report cache data through /proc/pid/seccomp_cache

arch/Kconfig | 17 ++
arch/arm/include/asm/Kbuild | 1 -
arch/arm/include/asm/seccomp.h | 11 +
arch/arm64/include/asm/seccomp.h | 9 +
arch/csky/include/asm/Kbuild | 1 -
arch/csky/include/asm/seccomp.h | 11 +
arch/parisc/include/asm/Kbuild | 1 -
arch/parisc/include/asm/seccomp.h | 22 ++
arch/powerpc/include/asm/seccomp.h | 23 ++
arch/riscv/include/asm/seccomp.h | 10 +
arch/s390/include/asm/seccomp.h | 9 +
arch/sh/include/asm/seccomp.h | 10 +
arch/x86/include/asm/seccomp.h | 20 ++
arch/xtensa/include/asm/Kbuild | 1 -
arch/xtensa/include/asm/seccomp.h | 11 +
fs/proc/base.c | 6 +
include/linux/seccomp.h | 7 +
kernel/seccomp.c | 296 ++++++++++++++++++++-
tools/testing/selftests/seccomp/config | 1 +
.../testing/selftests/seccomp/seccomp_benchmark.c | 151 +++++++++--
tools/testing/selftests/seccomp/settings | 2 +-
21 files changed, 590 insertions(+), 30 deletions(-)
create mode 100644 arch/arm/include/asm/seccomp.h
create mode 100644 arch/csky/include/asm/seccomp.h
create mode 100644 arch/parisc/include/asm/seccomp.h
create mode 100644 arch/xtensa/include/asm/seccomp.h

--
Kees Cook

Next message: Guenter Roeck: "Re: [PATCH 5.4 00/36] 5.4.84-rc1 review"
Previous message: Joe Perches: "Re: [PATCH] atm: horizon: remove h from printk format specifier"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]