linux.git/tools/testing/selftests/seccomp, branch v5.7-rc2 Linux kernel source tree Merge tag 'spdx-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/spdx 2020-04-03T20:12:26+00:00 Linus Torvalds torvalds@linux-foundation.org 2020-04-03T20:12:26+00:00 ff2ae607c6f329d11a3b0528801ea7474be8c3e9 Pull SPDX updates from Greg KH: "Here are three SPDX patches for 5.7-rc1. One fixes up the SPDX tag for a single driver, while the other two go through the tree and add SPDX tags for all of the .gitignore files as needed. Nothing too complex, but you will get a merge conflict with your current tree, that should be trivial to handle (one file modified by two things, one file deleted.) All three of these have been in linux-next for a while, with no reported issues other than the merge conflict" * tag 'spdx-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/spdx: ASoC: MT6660: make spdxcheck.py happy .gitignore: add SPDX License Identifier .gitignore: remove too obvious comments 
Pull SPDX updates from Greg KH:
 "Here are three SPDX patches for 5.7-rc1.

  One fixes up the SPDX tag for a single driver, while the other two go
  through the tree and add SPDX tags for all of the .gitignore files as
  needed.

  Nothing too complex, but you will get a merge conflict with your
  current tree, that should be trivial to handle (one file modified by
  two things, one file deleted.)

  All three of these have been in linux-next for a while, with no
  reported issues other than the merge conflict"

* tag 'spdx-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/spdx:
  ASoC: MT6660: make spdxcheck.py happy
  .gitignore: add SPDX License Identifier
  .gitignore: remove too obvious comments
Merge tag 'linux-kselftest-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest 2020-04-01T23:09:12+00:00 Linus Torvalds torvalds@linux-foundation.org 2020-04-01T23:09:12+00:00 397a97946798890b9bdaa6122fcfad7147690670 Pull kselftest update from Shuah Khan: "This kselftest update consists of: - resctrl_tests for resctrl file system. resctrl isn't included in the default TARGETS list in kselftest Makefile. It can be run manually. - Kselftest harness improvements. - Kselftest framework and individual test fixes to support runs on Kernel CI rings and other environments that use relocatable build and install features. - Minor cleanups and typo fixes" * tag 'linux-kselftest-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: (25 commits) selftests: enforce local header dependency in lib.mk selftests: Fix memfd to support relocatable build (O=objdir) selftests: Fix seccomp to support relocatable build (O=objdir) selftests/harness: Handle timeouts cleanly selftests/harness: Move test child waiting logic selftests: android: Fix custom install from skipping test progs selftests: android: ion: Fix ionmap_test compile error selftests: Fix kselftest O=objdir build from cluttering top level objdir selftests/seccomp: Adjust test fixture counts selftests/ftrace: Fix typo in trigger-multihist.tc selftests/timens: Remove duplicated include <time.h> selftests/resctrl: fix spelling mistake "Errror" -> "Error" selftests/resctrl: Add the test in MAINTAINERS selftests/resctrl: Disable MBA and MBM tests for AMD selftests/resctrl: Use cache index3 id for AMD schemata masks selftests/resctrl: Add vendor detection mechanism selftests/resctrl: Add Cache Allocation Technology (CAT) selftest selftests/resctrl: Add Cache QoS Monitoring (CQM) selftest selftests/resctrl: Add MBA test selftests/resctrl: Add MBM test ... 
Pull kselftest update from Shuah Khan:
 "This kselftest update consists of:

   - resctrl_tests for resctrl file system. resctrl isn't included in
     the default TARGETS list in kselftest Makefile. It can be run
     manually.

   - Kselftest harness improvements.

   - Kselftest framework and individual test fixes to support runs on
     Kernel CI rings and other environments that use relocatable build
     and install features.

   - Minor cleanups and typo fixes"

* tag 'linux-kselftest-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: (25 commits)
  selftests: enforce local header dependency in lib.mk
  selftests: Fix memfd to support relocatable build (O=objdir)
  selftests: Fix seccomp to support relocatable build (O=objdir)
  selftests/harness: Handle timeouts cleanly
  selftests/harness: Move test child waiting logic
  selftests: android: Fix custom install from skipping test progs
  selftests: android: ion: Fix ionmap_test compile error
  selftests: Fix kselftest O=objdir build from cluttering top level objdir
  selftests/seccomp: Adjust test fixture counts
  selftests/ftrace: Fix typo in trigger-multihist.tc
  selftests/timens: Remove duplicated include <time.h>
  selftests/resctrl: fix spelling mistake "Errror" -> "Error"
  selftests/resctrl: Add the test in MAINTAINERS
  selftests/resctrl: Disable MBA and MBM tests for AMD
  selftests/resctrl: Use cache index3 id for AMD schemata masks
  selftests/resctrl: Add vendor detection mechanism
  selftests/resctrl: Add Cache Allocation Technology (CAT) selftest
  selftests/resctrl: Add Cache QoS Monitoring (CQM) selftest
  selftests/resctrl: Add MBA test
  selftests/resctrl: Add MBM test
  ...
selftests: Fix seccomp to support relocatable build (O=objdir) 2020-03-26T21:28:19+00:00 Shuah Khan skhan@linuxfoundation.org 2020-03-25T23:16:02+00:00 860f0a7792a5abcaae047a114a8b24807ce0880f Fix seccomp relocatable builds. This is a simple fix to use the right lib.mk variable TEST_GEN_PROGS. Local header dependency is addressed in a change to lib.mk as a framework change that enforces the dependency without requiring changes to individual tests. The following use-cases work with this change: In seccomp directory: make all and make clean From top level from main Makefile: make kselftest-install O=objdir ARCH=arm64 HOSTCC=gcc \ CROSS_COMPILE=aarch64-linux-gnu- TARGETS=seccomp Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> 
Fix seccomp relocatable builds. This is a simple fix to use the
right lib.mk variable TEST_GEN_PROGS. Local header dependency
is addressed in a change to lib.mk as a framework change that
enforces the dependency without requiring changes to individual
tests.

The following use-cases work with this change:

In seccomp directory:
make all and make clean

From top level from main Makefile:
make kselftest-install O=objdir ARCH=arm64 HOSTCC=gcc \
 CROSS_COMPILE=aarch64-linux-gnu- TARGETS=seccomp

Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
.gitignore: add SPDX License Identifier 2020-03-25T10:50:48+00:00 Masahiro Yamada masahiroy@kernel.org 2020-03-03T13:35:59+00:00 d198b34f3855eee2571dda03eea75a09c7c31480 Add SPDX License Identifier to all .gitignore files. Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Add SPDX License Identifier to all .gitignore files.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
selftests/seccomp: Adjust test fixture counts 2020-03-13T19:32:04+00:00 Kees Cook keescook@chromium.org 2020-03-11T19:21:28+00:00 1ae81d78a8b2f6314fb90dc4296202611e710b37 The seccomp selftest reported the wrong test counts since it was using slightly the wrong API for defining text fixtures. Adjust the API usage. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> 
The seccomp selftest reported the wrong test counts since it was using
slightly the wrong API for defining text fixtures. Adjust the API usage.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
seccomp: allow TSYNC and USER_NOTIF together 2020-03-04T22:48:54+00:00 Tycho Andersen tycho@tycho.ws 2020-03-04T18:05:17+00:00 51891498f2da78ee64dfad88fa53c9e85fb50abf The restriction introduced in 7a0df7fbc145 ("seccomp: Make NEW_LISTENER and TSYNC flags exclusive") is mostly artificial: there is enough information in a seccomp user notification to tell which thread triggered a notification. The reason it was introduced is because TSYNC makes the syscall return a thread-id on failure, and NEW_LISTENER returns an fd, and there's no way to distinguish between these two cases (well, I suppose the caller could check all fds it has, then do the syscall, and if the return value was an fd that already existed, then it must be a thread id, but bleh). Matthew would like to use these two flags together in the Chrome sandbox which wants to use TSYNC for video drivers and NEW_LISTENER to proxy syscalls. So, let's fix this ugliness by adding another flag, TSYNC_ESRCH, which tells the kernel to just return -ESRCH on a TSYNC error. This way, NEW_LISTENER (and any subsequent seccomp() commands that want to return positive values) don't conflict with each other. Suggested-by: Matthew Denton <mpdenton@google.com> Signed-off-by: Tycho Andersen <tycho@tycho.ws> Link: https://lore.kernel.org/r/20200304180517.23867-1-tycho@tycho.ws Signed-off-by: Kees Cook <keescook@chromium.org> 
The restriction introduced in 7a0df7fbc145 ("seccomp: Make NEW_LISTENER and
TSYNC flags exclusive") is mostly artificial: there is enough information
in a seccomp user notification to tell which thread triggered a
notification. The reason it was introduced is because TSYNC makes the
syscall return a thread-id on failure, and NEW_LISTENER returns an fd, and
there's no way to distinguish between these two cases (well, I suppose the
caller could check all fds it has, then do the syscall, and if the return
value was an fd that already existed, then it must be a thread id, but
bleh).

Matthew would like to use these two flags together in the Chrome sandbox
which wants to use TSYNC for video drivers and NEW_LISTENER to proxy
syscalls.

So, let's fix this ugliness by adding another flag, TSYNC_ESRCH, which
tells the kernel to just return -ESRCH on a TSYNC error. This way,
NEW_LISTENER (and any subsequent seccomp() commands that want to return
positive values) don't conflict with each other.

Suggested-by: Matthew Denton <mpdenton@google.com>
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Link: https://lore.kernel.org/r/20200304180517.23867-1-tycho@tycho.ws
Signed-off-by: Kees Cook <keescook@chromium.org>
selftests/seccomp: Catch garbage on SECCOMP_IOCTL_NOTIF_RECV 2020-01-02T21:15:45+00:00 Sargun Dhillon sargun@sargun.me 2019-12-30T20:38:11+00:00 e4ab5ccc357b978999328fadae164e098c26fa40 This adds logic to the user_notification_basic test to set a member of struct seccomp_notif to an invalid value to ensure that the kernel returns EINVAL if any of the struct seccomp_notif members are set to invalid values. Signed-off-by: Sargun Dhillon <sargun@sargun.me> Suggested-by: Christian Brauner <christian.brauner@ubuntu.com> Link: https://lore.kernel.org/r/20191230203811.4996-1-sargun@sargun.me Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> 
This adds logic to the user_notification_basic test to set a member
of struct seccomp_notif to an invalid value to ensure that the kernel
returns EINVAL if any of the struct seccomp_notif members are set to
invalid values.

Signed-off-by: Sargun Dhillon <sargun@sargun.me>
Suggested-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20191230203811.4996-1-sargun@sargun.me
Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
selftests/seccomp: Zero out seccomp_notif 2020-01-02T21:03:42+00:00 Sargun Dhillon sargun@sargun.me 2019-12-29T06:24:49+00:00 88c13f8bd71472fbab5338b01d99122908c77e53 The seccomp_notif structure should be zeroed out prior to calling the SECCOMP_IOCTL_NOTIF_RECV ioctl. Previously, the kernel did not check whether these structures were zeroed out or not, so these worked. This patch zeroes out the seccomp_notif data structure prior to calling the ioctl. Signed-off-by: Sargun Dhillon <sargun@sargun.me> Reviewed-by: Tycho Andersen <tycho@tycho.ws> Reviewed-by: Christian Brauner <christian.brauner@ubuntu.com> Link: https://lore.kernel.org/r/20191229062451.9467-1-sargun@sargun.me Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> 
The seccomp_notif structure should be zeroed out prior to calling the
SECCOMP_IOCTL_NOTIF_RECV ioctl. Previously, the kernel did not check
whether these structures were zeroed out or not, so these worked.

This patch zeroes out the seccomp_notif data structure prior to calling
the ioctl.

Signed-off-by: Sargun Dhillon <sargun@sargun.me>
Reviewed-by: Tycho Andersen <tycho@tycho.ws>
Reviewed-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20191229062451.9467-1-sargun@sargun.me
Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Merge tag 'seccomp-v5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux 2019-12-01T01:23:16+00:00 Linus Torvalds torvalds@linux-foundation.org 2019-12-01T01:23:16+00:00 b94ae8ad9fe79da61231999f347f79645b909bda Pull seccomp updates from Kees Cook: "Mostly this is implementing the new flag SECCOMP_USER_NOTIF_FLAG_CONTINUE, but there are cleanups as well. - implement SECCOMP_USER_NOTIF_FLAG_CONTINUE (Christian Brauner) - fixes to selftests (Christian Brauner) - remove secure_computing() argument (Christian Brauner)" * tag 'seccomp-v5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: seccomp: rework define for SECCOMP_USER_NOTIF_FLAG_CONTINUE seccomp: fix SECCOMP_USER_NOTIF_FLAG_CONTINUE test seccomp: simplify secure_computing() seccomp: test SECCOMP_USER_NOTIF_FLAG_CONTINUE seccomp: add SECCOMP_USER_NOTIF_FLAG_CONTINUE seccomp: avoid overflow in implicit constant conversion 
Pull seccomp updates from Kees Cook:
 "Mostly this is implementing the new flag SECCOMP_USER_NOTIF_FLAG_CONTINUE,
  but there are cleanups as well.

   - implement SECCOMP_USER_NOTIF_FLAG_CONTINUE (Christian Brauner)

   - fixes to selftests (Christian Brauner)

   - remove secure_computing() argument (Christian Brauner)"

* tag 'seccomp-v5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  seccomp: rework define for SECCOMP_USER_NOTIF_FLAG_CONTINUE
  seccomp: fix SECCOMP_USER_NOTIF_FLAG_CONTINUE test
  seccomp: simplify secure_computing()
  seccomp: test SECCOMP_USER_NOTIF_FLAG_CONTINUE
  seccomp: add SECCOMP_USER_NOTIF_FLAG_CONTINUE
  seccomp: avoid overflow in implicit constant conversion
riscv: add support for SECCOMP and SECCOMP_FILTER 2019-10-29T18:32:10+00:00 David Abdurachmanov david.abdurachmanov@sifive.com 2019-10-05T00:12:22+00:00 5340627e3fe08030988bdda46dd86cd5d5fb7517 This patch was extensively tested on Fedora/RISCV (applied by default on top of 5.2-rc7 kernel for <2 months). The patch was also tested with 5.3-rc on QEMU and SiFive Unleashed board. libseccomp (userspace) was rebased: https://github.com/seccomp/libseccomp/pull/134 Fully passes libseccomp regression testing (simulation and live). There is one failing kernel selftest: global.user_notification_signal v1 -> v2: - return immediately if secure_computing(NULL) returns -1 - fixed whitespace issues - add missing seccomp.h - remove patch #2 (solved now) - add riscv to seccomp kernel selftest Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com> Cc: keescook@chromium.org Cc: me@carlosedp.com Tested-by: Carlos de Paula <me@carlosedp.com> Reviewed-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/linux-riscv/CAEn-LTp=ss0Dfv6J00=rCAy+N78U2AmhqJNjfqjr2FDpPYjxEQ@mail.gmail.com/ Link: https://lore.kernel.org/linux-riscv/CAJr-aD=UnCN9E_mdVJ2H5nt=6juRSWikZnA5HxDLQxXLbsRz-w@mail.gmail.com/ [paul.walmsley@sifive.com: cleaned up Cc: lines; fixed spelling and checkpatch issues; updated to apply] Signed-off-by: Paul Walmsley <paul.walmsley@sifive.com> 
This patch was extensively tested on Fedora/RISCV (applied by default on
top of 5.2-rc7 kernel for <2 months). The patch was also tested with 5.3-rc
on QEMU and SiFive Unleashed board.

libseccomp (userspace) was rebased:
https://github.com/seccomp/libseccomp/pull/134

Fully passes libseccomp regression testing (simulation and live).

There is one failing kernel selftest: global.user_notification_signal

v1 -> v2:
  - return immediately if secure_computing(NULL) returns -1
  - fixed whitespace issues
  - add missing seccomp.h
  - remove patch #2 (solved now)
  - add riscv to seccomp kernel selftest

Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com>
Cc: keescook@chromium.org
Cc: me@carlosedp.com
Tested-by: Carlos de Paula <me@carlosedp.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/linux-riscv/CAEn-LTp=ss0Dfv6J00=rCAy+N78U2AmhqJNjfqjr2FDpPYjxEQ@mail.gmail.com/
Link: https://lore.kernel.org/linux-riscv/CAJr-aD=UnCN9E_mdVJ2H5nt=6juRSWikZnA5HxDLQxXLbsRz-w@mail.gmail.com/
[paul.walmsley@sifive.com: cleaned up Cc: lines; fixed spelling and
 checkpatch issues; updated to apply]
Signed-off-by: Paul Walmsley <paul.walmsley@sifive.com>