seccomp: simplify secure_computing()
Afaict, the struct seccomp_data argument to secure_computing() is unused
by all current callers. So let's remove it.
The argument was added in [1]. It was added because having the arch
supply the syscall arguments used to be faster than having it done by
secure_computing() (cf. Andy's comment in [2]). This is not true anymore
though.
/* References */
[1]: 2f275de5d1
("seccomp: Add a seccomp_data parameter secure_computing()")
[2]: https://lore.kernel.org/r/CALCETrU_fs_At-hTpr231kpaAd0z7xJN4ku-DvzhRU6cvcJA_w@mail.gmail.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Drewry <wad@chromium.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-parisc@vger.kernel.org
Cc: linux-s390@vger.kernel.org
Cc: linux-um@lists.infradead.org
Cc: x86@kernel.org
Acked-by: Borislav Petkov <bp@suse.de>
Acked-by: Andy Lutomirski <luto@kernel.org>
Link: https://lore.kernel.org/r/20190924064420.6353-1-christian.brauner@ubuntu.com
Signed-off-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
parent
0eebfed295
commit
fefad9ef58
|
@ -923,7 +923,7 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
|
|||
|
||||
/* Do seccomp after ptrace; syscall may have changed. */
|
||||
#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
|
||||
if (secure_computing(NULL) == -1)
|
||||
if (secure_computing() == -1)
|
||||
return -1;
|
||||
#else
|
||||
/* XXX: remove this once OABI gets fixed */
|
||||
|
|
|
@ -1816,7 +1816,7 @@ int syscall_trace_enter(struct pt_regs *regs)
|
|||
}
|
||||
|
||||
/* Do the secure computing after ptrace; failures should be fast. */
|
||||
if (secure_computing(NULL) == -1)
|
||||
if (secure_computing() == -1)
|
||||
return -1;
|
||||
|
||||
if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
|
||||
|
|
|
@ -342,7 +342,7 @@ long do_syscall_trace_enter(struct pt_regs *regs)
|
|||
}
|
||||
|
||||
/* Do the secure computing check after ptrace. */
|
||||
if (secure_computing(NULL) == -1)
|
||||
if (secure_computing() == -1)
|
||||
return -1;
|
||||
|
||||
#ifdef CONFIG_HAVE_SYSCALL_TRACEPOINTS
|
||||
|
|
|
@ -856,7 +856,7 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs)
|
|||
}
|
||||
|
||||
/* Do the secure computing check after ptrace. */
|
||||
if (secure_computing(NULL)) {
|
||||
if (secure_computing()) {
|
||||
/* seccomp failures shouldn't expose any additional code. */
|
||||
return -1;
|
||||
}
|
||||
|
|
|
@ -35,7 +35,7 @@ void handle_syscall(struct uml_pt_regs *r)
|
|||
goto out;
|
||||
|
||||
/* Do the seccomp check after ptrace; failures should be fast. */
|
||||
if (secure_computing(NULL) == -1)
|
||||
if (secure_computing() == -1)
|
||||
goto out;
|
||||
|
||||
syscall = UPT_SYSCALL_NR(r);
|
||||
|
|
|
@ -222,7 +222,7 @@ bool emulate_vsyscall(unsigned long error_code,
|
|||
*/
|
||||
regs->orig_ax = syscall_nr;
|
||||
regs->ax = -ENOSYS;
|
||||
tmp = secure_computing(NULL);
|
||||
tmp = secure_computing();
|
||||
if ((!tmp && regs->orig_ax != syscall_nr) || regs->ip != address) {
|
||||
warn_bad_vsyscall(KERN_DEBUG, regs,
|
||||
"seccomp tried to change syscall nr or ip");
|
||||
|
|
|
@ -33,10 +33,10 @@ struct seccomp {
|
|||
|
||||
#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
|
||||
extern int __secure_computing(const struct seccomp_data *sd);
|
||||
static inline int secure_computing(const struct seccomp_data *sd)
|
||||
static inline int secure_computing(void)
|
||||
{
|
||||
if (unlikely(test_thread_flag(TIF_SECCOMP)))
|
||||
return __secure_computing(sd);
|
||||
return __secure_computing(NULL);
|
||||
return 0;
|
||||
}
|
||||
#else
|
||||
|
@ -59,7 +59,7 @@ struct seccomp { };
|
|||
struct seccomp_filter { };
|
||||
|
||||
#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
|
||||
static inline int secure_computing(struct seccomp_data *sd) { return 0; }
|
||||
static inline int secure_computing(void) { return 0; }
|
||||
#else
|
||||
static inline void secure_computing_strict(int this_syscall) { return; }
|
||||
#endif
|
||||
|
|
Loading…
Reference in New Issue