[PATCH v2 0/3] seccomp: continue syscall from notifier

From: Christian Brauner
Date: Fri Sep 20 2019 - 04:30:37 EST


Hey everyone,

/* v2 */
This is the patchset coming out of the KSummit session Kees and I gave
in Lisbon last week (cf. [3] which also contains slides with more
details on related things such as deep argument inspection).
The simple idea is to extend the seccomp notifier to allow for the
continuation of a syscall. The rationale for this can be found in the
commit message to [1]. For the curious there is more detail in [2].
This patchset would unblock supervising an extended set of syscalls such
as mount() where a privileged process is supervising the syscalls of a
lesser privileged process and emulates the syscall for the latter in
userspace.
For more comments on security see [1] and the comments in
include/uapi/linux/seccomp.h added by this patchset.

Kees, if you prefer a pr the series can be pulled from:
git@xxxxxxxxxxxxxxxxxxx:pub/scm/linux/kernel/git/brauner/linux tags/seccomp-notify-syscall-continue-v5.5

For anyone who wants to play with this it's sitting in:
https://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux.git/log/?h=seccomp_syscall_continue

/* v1 */
Link: https://lore.kernel.org/r/20190919095903.19370-1-christian.brauner@xxxxxxxxxx
- Kees Cook <keescook@xxxxxxxxxxxx>:
- dropped patch because it is already present in linux-next
[PATCH 2/4] seccomp: add two missing ptrace ifdefines
Link: https://lore.kernel.org/r/20190918084833.9369-3-christian.brauner@xxxxxxxxxx

/* v0 */
Link: https://lore.kernel.org/r/20190918084833.9369-1-christian.brauner@xxxxxxxxxx

Thanks!
Christian

*** BLURB HERE ***

Christian Brauner (3):
seccomp: add SECCOMP_USER_NOTIF_FLAG_CONTINUE
seccomp: avoid overflow in implicit constant conversion
seccomp: test SECCOMP_USER_NOTIF_FLAG_CONTINUE

include/uapi/linux/seccomp.h | 28 +++++
kernel/seccomp.c | 28 ++++-
tools/testing/selftests/seccomp/seccomp_bpf.c | 110 +++++++++++++++++-
3 files changed, 159 insertions(+), 7 deletions(-)

--
2.23.0