From 73684c0339ece43dd08fa9e630bf6627190ef8f4 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 16 Dec 2019 12:40:37 +0100
Subject: [PATCH] drop seccomp-test-seccomp_user_notif_flag_continue.patch from 5.3 and 5.4
---
 ...flow-in-implicit-constant-conversion.patch | 2 +-
 ...est-seccomp_user_notif_flag_continue.patch | 167 ------------------
 queue-5.3/series | 1 -
 ...flow-in-implicit-constant-conversion.patch | 2 +-
 ...est-seccomp_user_notif_flag_continue.patch | 167 ------------------
 queue-5.4/series | 1 -
 6 files changed, 2 insertions(+), 338 deletions(-)
 delete mode 100644 queue-5.3/seccomp-test-seccomp_user_notif_flag_continue.patch
 delete mode 100644 queue-5.4/seccomp-test-seccomp_user_notif_flag_continue.patch
diff --git a/queue-5.3/seccomp-avoid-overflow-in-implicit-constant-conversion.patch b/queue-5.3/seccomp-avoid-overflow-in-implicit-constant-conversion.patch
index adb4eb6387d..4a0204ed86b 100644
--- a/queue-5.3/seccomp-avoid-overflow-in-implicit-constant-conversion.patch
+++ b/queue-5.3/seccomp-avoid-overflow-in-implicit-constant-conversion.patch
@@ -56,7 +56,7 @@ Signed-off-by: Greg Kroah-Hartman
 #include
 #include
 #include
-@@ -3082,7 +3083,7 @@ static int user_trap_syscall(int nr, uns
+@@ -3077,7 +3078,7 @@ static int user_trap_syscall(int nr, uns
 return seccomp(SECCOMP_SET_MODE_FILTER, flags, &prog);
 }
diff --git a/queue-5.3/seccomp-test-seccomp_user_notif_flag_continue.patch b/queue-5.3/seccomp-test-seccomp_user_notif_flag_continue.patch
deleted file mode 100644
index ddffadd0936..00000000000
--- a/queue-5.3/seccomp-test-seccomp_user_notif_flag_continue.patch
+++ /dev/null
@@ -1,167 +0,0 @@
-From 0eebfed2954f152259cae0ad57b91d3ea92968e8 Mon Sep 17 00:00:00 2001
-From: Christian Brauner
-Date: Fri, 20 Sep 2019 10:30:07 +0200
-Subject: seccomp: test SECCOMP_USER_NOTIF_FLAG_CONTINUE
-
-From: Christian Brauner
-
-commit 0eebfed2954f152259cae0ad57b91d3ea92968e8 upstream.
-
-Test whether a syscall can be performed after having been intercepted by
-the seccomp notifier. The test uses dup() and kcmp() since it allows us to
-nicely test whether the dup() syscall actually succeeded by comparing whether
-the fds refer to the same underlying struct file.
-
-Signed-off-by: Christian Brauner
-Cc: Andy Lutomirski
-Cc: Will Drewry
-Cc: Shuah Khan
-Cc: Alexei Starovoitov
-Cc: Daniel Borkmann
-Cc: Martin KaFai Lau
-Cc: Song Liu
-Cc: Yonghong Song
-Cc: Tycho Andersen
-CC: Tyler Hicks
-Cc: stable@vger.kernel.org
-Cc: linux-kselftest@vger.kernel.org
-Cc: netdev@vger.kernel.org
-Cc: bpf@vger.kernel.org
-Link: https://lore.kernel.org/r/20190920083007.11475-4-christian.brauner@ubuntu.com
-Signed-off-by: Kees Cook
-Signed-off-by: Greg Kroah-Hartman
-
----
- tools/testing/selftests/seccomp/seccomp_bpf.c | 107 ++++++++++++++++++++++++++
- 1 file changed, 107 insertions(+)
-
---- a/tools/testing/selftests/seccomp/seccomp_bpf.c
-+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
-@@ -43,6 +43,7 @@
- #include
- #include
- #include
-+#include
-
- #include
- #include
-@@ -166,6 +167,10 @@ struct seccomp_metadata {
-
- #define SECCOMP_RET_USER_NOTIF 0x7fc00000U
-
-+#ifndef SECCOMP_USER_NOTIF_FLAG_CONTINUE
-+#define SECCOMP_USER_NOTIF_FLAG_CONTINUE 0x00000001
-+#endif
-+
- #define SECCOMP_IOC_MAGIC '!'
- #define SECCOMP_IO(nr) _IO(SECCOMP_IOC_MAGIC, nr)
- #define SECCOMP_IOR(nr, type) _IOR(SECCOMP_IOC_MAGIC, nr, type)
-@@ -3485,6 +3490,108 @@ TEST(seccomp_get_notif_sizes)
- EXPECT_EQ(sizes.seccomp_notif_resp, sizeof(struct seccomp_notif_resp));
- }
-
-+static int filecmp(pid_t pid1, pid_t pid2, int fd1, int fd2)
-+{
-+#ifdef __NR_kcmp
-+ return syscall(__NR_kcmp, pid1, pid2, KCMP_FILE, fd1, fd2);
-+#else
-+ errno = ENOSYS;
-+ return -1;
-+#endif
-+}
-+
-+TEST(user_notification_continue)
-+{
-+ pid_t pid;
-+ long ret;
-+ int status, listener;
-+ struct seccomp_notif req = {};
-+ struct seccomp_notif_resp resp = {};
-+ struct pollfd pollfd;
-+
-+ ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
-+ ASSERT_EQ(0, ret) {
-+ TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
-+ }
-+
-+ listener = user_trap_syscall(__NR_dup, SECCOMP_FILTER_FLAG_NEW_LISTENER);
-+ ASSERT_GE(listener, 0);
-+
-+ pid = fork();
-+ ASSERT_GE(pid, 0);
-+
-+ if (pid == 0) {
-+ int dup_fd, pipe_fds[2];
-+ pid_t self;
-+
-+ ret = pipe(pipe_fds);
-+ if (ret < 0)
-+ exit(1);
-+
-+ dup_fd = dup(pipe_fds[0]);
-+ if (dup_fd < 0)
-+ exit(1);
-+
-+ self = getpid();
-+
-+ ret = filecmp(self, self, pipe_fds[0], dup_fd);
-+ if (ret)
-+ exit(2);
-+
-+ exit(0);
-+ }
-+
-+ pollfd.fd = listener;
-+ pollfd.events = POLLIN | POLLOUT;
-+
-+ EXPECT_GT(poll(&pollfd, 1, -1), 0);
-+ EXPECT_EQ(pollfd.revents, POLLIN);
-+
-+ EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
-+
-+ pollfd.fd = listener;
-+ pollfd.events = POLLIN | POLLOUT;
-+
-+ EXPECT_GT(poll(&pollfd, 1, -1), 0);
-+ EXPECT_EQ(pollfd.revents, POLLOUT);
-+
-+ EXPECT_EQ(req.data.nr, __NR_dup);
-+
-+ resp.id = req.id;
-+ resp.flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;
-+
-+ /*
-+ * Verify that setting SECCOMP_USER_NOTIF_FLAG_CONTINUE enforces other
-+ * args be set to 0.
-+ */
-+ resp.error = 0;
-+ resp.val = USER_NOTIF_MAGIC;
-+ EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
-+ EXPECT_EQ(errno, EINVAL);
-+
-+ resp.error = USER_NOTIF_MAGIC;
-+ resp.val = 0;
-+ EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
-+ EXPECT_EQ(errno, EINVAL);
-+
-+ resp.error = 0;
-+ resp.val = 0;
-+ EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0) {
-+ if (errno == EINVAL)
-+ XFAIL(goto skip, "Kernel does not support SECCOMP_USER_NOTIF_FLAG_CONTINUE");
-+ }
-+
-+skip:
-+ EXPECT_EQ(waitpid(pid, &status, 0), pid);
-+ EXPECT_EQ(true, WIFEXITED(status));
-+ EXPECT_EQ(0, WEXITSTATUS(status)) {
-+ if (WEXITSTATUS(status) == 2) {
-+ XFAIL(return, "Kernel does not support kcmp() syscall");
-+ return;
-+ }
-+ }
-+}
-+
- /*
- * TODO:
- * - add microbenchmarks
diff --git a/queue-5.3/series b/queue-5.3/series
index d00bee8f905..86bccea11a3 100644
--- a/queue-5.3/series
+++ b/queue-5.3/series
@@ -127,7 +127,6 @@ powerpc-xive-prevent-page-fault-issues-in-the-machine-crash-handler.patch
 powerpc-allow-flush_icache_range-to-work-across-ranges-4gb.patch
 powerpc-xive-skip-ioremap-of-esb-pages-for-lsi-interrupts.patch
 video-hdmi-fix-avi-bar-unpack.patch
-seccomp-test-seccomp_user_notif_flag_continue.patch
 quota-check-that-quota-is-not-dirty-before-release.patch
 ext2-check-err-when-partial-null.patch
 seccomp-avoid-overflow-in-implicit-constant-conversion.patch
diff --git a/queue-5.4/seccomp-avoid-overflow-in-implicit-constant-conversion.patch b/queue-5.4/seccomp-avoid-overflow-in-implicit-constant-conversion.patch
index adb4eb6387d..4a0204ed86b 100644
--- a/queue-5.4/seccomp-avoid-overflow-in-implicit-constant-conversion.patch
+++ b/queue-5.4/seccomp-avoid-overflow-in-implicit-constant-conversion.patch
@@ -56,7 +56,7 @@
Signed-off-by: Greg Kroah-Hartman
 #include
 #include
 #include
-@@ -3082,7 +3083,7 @@ static int user_trap_syscall(int nr, uns
+@@ -3077,7 +3078,7 @@ static int user_trap_syscall(int nr, uns
 return seccomp(SECCOMP_SET_MODE_FILTER, flags, &prog);
 }
diff --git a/queue-5.4/seccomp-test-seccomp_user_notif_flag_continue.patch b/queue-5.4/seccomp-test-seccomp_user_notif_flag_continue.patch
deleted file mode 100644
index ddffadd0936..00000000000
--- a/queue-5.4/seccomp-test-seccomp_user_notif_flag_continue.patch
+++ /dev/null
@@ -1,167 +0,0 @@
-From 0eebfed2954f152259cae0ad57b91d3ea92968e8 Mon Sep 17 00:00:00 2001
-From: Christian Brauner
-Date: Fri, 20 Sep 2019 10:30:07 +0200
-Subject: seccomp: test SECCOMP_USER_NOTIF_FLAG_CONTINUE
-
-From: Christian Brauner
-
-commit 0eebfed2954f152259cae0ad57b91d3ea92968e8 upstream.
-
-Test whether a syscall can be performed after having been intercepted by
-the seccomp notifier. The test uses dup() and kcmp() since it allows us to
-nicely test whether the dup() syscall actually succeeded by comparing whether
-the fds refer to the same underlying struct file.
-
-Signed-off-by: Christian Brauner
-Cc: Andy Lutomirski
-Cc: Will Drewry
-Cc: Shuah Khan
-Cc: Alexei Starovoitov
-Cc: Daniel Borkmann
-Cc: Martin KaFai Lau
-Cc: Song Liu
-Cc: Yonghong Song
-Cc: Tycho Andersen
-CC: Tyler Hicks
-Cc: stable@vger.kernel.org
-Cc: linux-kselftest@vger.kernel.org
-Cc: netdev@vger.kernel.org
-Cc: bpf@vger.kernel.org
-Link: https://lore.kernel.org/r/20190920083007.11475-4-christian.brauner@ubuntu.com
-Signed-off-by: Kees Cook
-Signed-off-by: Greg Kroah-Hartman
-
----
- tools/testing/selftests/seccomp/seccomp_bpf.c | 107 ++++++++++++++++++++++++++
- 1 file changed, 107 insertions(+)
-
---- a/tools/testing/selftests/seccomp/seccomp_bpf.c
-+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
-@@ -43,6 +43,7 @@
- #include
- #include
- #include
-+#include
-
- #include
- #include
-@@ -166,6 +167,10 @@ struct seccomp_metadata {
-
- #define SECCOMP_RET_USER_NOTIF 0x7fc00000U
-
-+#ifndef SECCOMP_USER_NOTIF_FLAG_CONTINUE
-+#define SECCOMP_USER_NOTIF_FLAG_CONTINUE 0x00000001
-+#endif
-+
- #define SECCOMP_IOC_MAGIC '!'
- #define SECCOMP_IO(nr) _IO(SECCOMP_IOC_MAGIC, nr)
- #define SECCOMP_IOR(nr, type) _IOR(SECCOMP_IOC_MAGIC, nr, type)
-@@ -3485,6 +3490,108 @@ TEST(seccomp_get_notif_sizes)
- EXPECT_EQ(sizes.seccomp_notif_resp, sizeof(struct seccomp_notif_resp));
- }
-
-+static int filecmp(pid_t pid1, pid_t pid2, int fd1, int fd2)
-+{
-+#ifdef __NR_kcmp
-+ return syscall(__NR_kcmp, pid1, pid2, KCMP_FILE, fd1, fd2);
-+#else
-+ errno = ENOSYS;
-+ return -1;
-+#endif
-+}
-+
-+TEST(user_notification_continue)
-+{
-+ pid_t pid;
-+ long ret;
-+ int status, listener;
-+ struct seccomp_notif req = {};
-+ struct seccomp_notif_resp resp = {};
-+ struct pollfd pollfd;
-+
-+ ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
-+ ASSERT_EQ(0, ret) {
-+ TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
-+ }
-+
-+ listener = user_trap_syscall(__NR_dup, SECCOMP_FILTER_FLAG_NEW_LISTENER);
-+ ASSERT_GE(listener, 0);
-+
-+ pid = fork();
-+ ASSERT_GE(pid, 0);
-+
-+ if (pid == 0) {
-+ int dup_fd, pipe_fds[2];
-+ pid_t self;
-+
-+ ret = pipe(pipe_fds);
-+ if (ret < 0)
-+ exit(1);
-+
-+ dup_fd = dup(pipe_fds[0]);
-+ if (dup_fd < 0)
-+ exit(1);
-+
-+ self = getpid();
-+
-+ ret = filecmp(self, self, pipe_fds[0], dup_fd);
-+ if (ret)
-+ exit(2);
-+
-+ exit(0);
-+ }
-+
-+ pollfd.fd = listener;
-+ pollfd.events = POLLIN | POLLOUT;
-+
-+ EXPECT_GT(poll(&pollfd, 1, -1), 0);
-+ EXPECT_EQ(pollfd.revents, POLLIN);
-+
-+ EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
-+
-+ pollfd.fd = listener;
-+ pollfd.events = POLLIN | POLLOUT;
-+
-+ EXPECT_GT(poll(&pollfd, 1, -1), 0);
-+ EXPECT_EQ(pollfd.revents, POLLOUT);
-+
-+ EXPECT_EQ(req.data.nr, __NR_dup);
-+
-+ resp.id = req.id;
-+ resp.flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;
-+
-+ /*
-+ * Verify that setting SECCOMP_USER_NOTIF_FLAG_CONTINUE enforces other
-+ * args be set to 0.
-+ */
-+ resp.error = 0;
-+ resp.val = USER_NOTIF_MAGIC;
-+ EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
-+ EXPECT_EQ(errno, EINVAL);
-+
-+ resp.error = USER_NOTIF_MAGIC;
-+ resp.val = 0;
-+ EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
-+ EXPECT_EQ(errno, EINVAL);
-+
-+ resp.error = 0;
-+ resp.val = 0;
-+ EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0) {
-+ if (errno == EINVAL)
-+ XFAIL(goto skip, "Kernel does not support SECCOMP_USER_NOTIF_FLAG_CONTINUE");
-+ }
-+
-+skip:
-+ EXPECT_EQ(waitpid(pid, &status, 0), pid);
-+ EXPECT_EQ(true, WIFEXITED(status));
-+ EXPECT_EQ(0, WEXITSTATUS(status)) {
-+ if (WEXITSTATUS(status) == 2) {
-+ XFAIL(return, "Kernel does not support kcmp() syscall");
-+ return;
-+ }
-+ }
-+}
-+
- /*
- * TODO:
- * - add microbenchmarks
diff --git a/queue-5.4/series b/queue-5.4/series
index 4bc56723b37..afe14837ee3 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -146,7 +146,6 @@ powerpc-xive-prevent-page-fault-issues-in-the-machine-crash-handler.patch
 powerpc-allow-flush_icache_range-to-work-across-ranges-4gb.patch
 powerpc-xive-skip-ioremap-of-esb-pages-for-lsi-interrupts.patch
 video-hdmi-fix-avi-bar-unpack.patch
-seccomp-test-seccomp_user_notif_flag_continue.patch
 quota-check-that-quota-is-not-dirty-before-release.patch
 ext2-check-err-when-partial-null.patch
 seccomp-avoid-overflow-in-implicit-constant-conversion.patch
--
2.47.3