Merge tag 'seccomp-v4.14-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull seccomp updates from Kees Cook:
 "Major additions:

   - sysctl and seccomp operation to discover available actions
     (tyhicks)

   - new per-filter configurable logging infrastructure and sysctl
     (tyhicks)

   - SECCOMP_RET_LOG to log allowed syscalls (tyhicks)

   - SECCOMP_RET_KILL_PROCESS as the new strictest possible action

   - self-tests for new behaviors"

[ This is the seccomp part of the security pull request during the merge
  window that was nixed due to unrelated problems - Linus ]

* tag 'seccomp-v4.14-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  samples: Unrename SECCOMP_RET_KILL
  selftests/seccomp: Test thread vs process killing
  seccomp: Implement SECCOMP_RET_KILL_PROCESS action
  seccomp: Introduce SECCOMP_RET_KILL_PROCESS
  seccomp: Rename SECCOMP_RET_KILL to SECCOMP_RET_KILL_THREAD
  seccomp: Action to log before allowing
  seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW
  seccomp: Selftest for detection of filter flag support
  seccomp: Sysctl to configure actions that are allowed to be logged
  seccomp: Operation for checking if an action is available
  seccomp: Sysctl to display available actions
  seccomp: Provide matching filter for introspection
  selftests/seccomp: Refactor RET_ERRNO tests
  selftests/seccomp: Add simple seccomp overhead benchmark
  selftests/seccomp: Add tests for basic ptrace actions
@@ -337,7 +337,7 @@ Examples for low-level BPF:
jeq #14, good /* __NR_rt_sigprocmask */
jeq #13, good /* __NR_rt_sigaction */
jeq #35, good /* __NR_nanosleep */
bad: ret #0 /* SECCOMP_RET_KILL */
bad: ret #0 /* SECCOMP_RET_KILL_THREAD */
good: ret #0x7fff0000 /* SECCOMP_RET_ALLOW */
The above example code can be placed into a file (here called "foo"), and
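Review bot: The relabelled `bad: ret #0` comment now says SECCOMP_RET_KILL_THREAD, but nothing in the example's visible text says that this return value ends only the calling thread. This same pull introduces SECCOMP_RET_KILL_PROCESS as the strictest action, so a reader who copies the filter into a multithreaded program may assume `bad:` takes down the whole process. Consider adding a sentence next to the example saying that `ret #0` is the thread-scoped kill and pointing to SECCOMP_RET_KILL_PROCESS for process-wide termination. Also, the shortlog includes "samples: Unrename SECCOMP_RET_KILL", so the old name remains in use elsewhere; a short note in this document that SECCOMP_RET_KILL refers to the same action as SECCOMP_RET_KILL_THREAD would keep the two spellings from looking like different actions.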