seccomp: passthrough uprobe systemcall without filtering
authorJiri Olsa <jolsa@kernel.org>
Sun, 20 Jul 2025 11:21:30 +0000 (13:21 +0200)
committerPeter Zijlstra <peterz@infradead.org>
Thu, 21 Aug 2025 18:09:26 +0000 (20:09 +0200)
Adding uprobe as another exception to the seccomp filter, alongside
the uretprobe syscall.

Like uretprobe, the uprobe syscall is installed by the kernel as a
replacement for the breakpoint exception; it is limited to the x86_64
arch and isn't expected to ever be supported on i386.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Kees Cook <kees@kernel.org>
Link: https://lore.kernel.org/r/20250720112133.244369-21-jolsa@kernel.org
kernel/seccomp.c

index 41aa761c7738cefe01ca755f78f12844d7186e2a..7daf2da09e8e168dfeb63db54e8e677f685c2579 100644 (file)
@@ -741,6 +741,26 @@ out:
 }
 
 #ifdef SECCOMP_ARCH_NATIVE
+static bool seccomp_uprobe_exception(struct seccomp_data *sd)
+{
+#if defined __NR_uretprobe || defined __NR_uprobe
+#ifdef SECCOMP_ARCH_COMPAT
+       if (sd->arch == SECCOMP_ARCH_NATIVE)
+#endif
+       {
+#ifdef __NR_uretprobe
+               if (sd->nr == __NR_uretprobe)
+                       return true;
+#endif
+#ifdef __NR_uprobe
+               if (sd->nr == __NR_uprobe)
+                       return true;
+#endif
+       }
+#endif
+       return false;
+}
+
 /**
  * seccomp_is_const_allow - check if filter is constant allow with given data
  * @fprog: The BPF programs
@@ -758,13 +778,8 @@ static bool seccomp_is_const_allow(struct sock_fprog_kern *fprog,
                return false;
 
        /* Our single exception to filtering. */
-#ifdef __NR_uretprobe
-#ifdef SECCOMP_ARCH_COMPAT
-       if (sd->arch == SECCOMP_ARCH_NATIVE)
-#endif
-               if (sd->nr == __NR_uretprobe)
-                       return true;
-#endif
+       if (seccomp_uprobe_exception(sd))
+               return true;
 
        for (pc = 0; pc < fprog->len; pc++) {
                struct sock_filter *insn = &fprog->filter[pc];
@@ -1042,6 +1057,9 @@ static const int mode1_syscalls[] = {
        __NR_seccomp_read, __NR_seccomp_write, __NR_seccomp_exit, __NR_seccomp_sigreturn,
 #ifdef __NR_uretprobe
        __NR_uretprobe,
+#endif
+#ifdef __NR_uprobe
+       __NR_uprobe,
 #endif
        -1, /* negative terminated */
 };
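Review bot: The context comment `/* Our single exception to filtering. */` kept above the new call in the second hunk is now inaccurate, because `seccomp_uprobe_exception()` exempts both `__NR_uretprobe` and `__NR_uprobe`; suggest `/* Our exceptions to filtering: the kernel-issued uprobe trap syscalls. */` (the enclosing `seccomp_is_const_allow()` starts and ends outside that hunk). The new helper in the first hunk also carries no comment, while the neighbouring `seccomp_is_const_allow()` has a kernel-doc header; a short one on `seccomp_uprobe_exception()` should state that these numbers are treated as allowed regardless of the installed filters, and why — per the description, the kernel itself issues them in place of the breakpoint exception. It is worth spelling out in that comment that the exemption is scoped by the `sd->arch == SECCOMP_ARCH_NATIVE` guard when `SECCOMP_ARCH_COMPAT` is defined, so a compat task whose arch reuses the same syscall number for something else does not appear to get the bypass; that scoping is the property a reader auditing the filter bypass needs confirmed. Whether the exemption also takes effect when the seccomp action cache is not built is not visible here and could be noted in the same comment.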