core/linux-odroid-c2 to 3.16.58-1

Kevin Mihelich 2018-10-02 00:46:53 +00:00
parent b9b4fdebff
commit 73938aebda
17 changed files with 85 additions and 583 deletions


@ -1,7 +1,7 @@
From 967dd9cfe3e038b5e38ea402728f985e931d170f Mon Sep 17 00:00:00 2001
From 764e8c58a8feb1228d33dd5927f142f4567544ad Mon Sep 17 00:00:00 2001
From: Kevin Mihelich <kevin@archlinuxarm.org>
Date: Thu, 26 May 2016 06:29:07 -0600
Subject: [PATCH 01/16] add extra errata 843419 build flags
Subject: [PATCH 01/12] add extra errata 843419 build flags
---
arch/arm64/Makefile | 1 +
@ -20,5 +20,5 @@ index b92f401c3a86..733aedf927c7 100644
# Default value
--
2.18.0
2.19.0


@ -1,7 +1,7 @@
From 32e551d35640bb67e9f7655a499ffa9bf3a5ff69 Mon Sep 17 00:00:00 2001
From 479846fbc74c3d14375a648391e4d455838ee395 Mon Sep 17 00:00:00 2001
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
Date: Fri, 4 Jul 2014 08:28:30 +0100
Subject: [PATCH 02/16] arm64: Add audit support
Subject: [PATCH 02/12] arm64: Add audit support
On AArch64, audit is supported through generic lib/audit.c and
compat_audit.c, and so this patch adds arch specific definitions required.
@ -79,5 +79,5 @@ index 6f94bf3f28a9..c460caf7221d 100644
#define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARMEB (EM_ARM)
--
2.18.0
2.19.0


@ -1,7 +1,7 @@
From 086a08b553a9c276154772f717cb586c636d6b49 Mon Sep 17 00:00:00 2001
From 156befeae94fd3e39a0450448cb9620671733e2f Mon Sep 17 00:00:00 2001
From: Theodore Ts'o <tytso@mit.edu>
Date: Thu, 17 Jul 2014 04:13:05 -0400
Subject: [PATCH 07/16] random: introduce getrandom(2) system call
Subject: [PATCH 03/12] random: introduce getrandom(2) system call
The getrandom(2) system call was requested by the LibreSSL Portable
developers. It is analoguous to the getentropy(2) system call in
@ -150,27 +150,28 @@ Reviewed-by: Zach Brown <zab@zabbo.net>
6 files changed, 53 insertions(+), 4 deletions(-)
diff --git a/arch/x86/syscalls/syscall_32.tbl b/arch/x86/syscalls/syscall_32.tbl
index cc4c8b448867..617d15fa1d6d 100644
index bfde7bf2a8fb..6ee46886e45f 100644
--- a/arch/x86/syscalls/syscall_32.tbl
+++ b/arch/x86/syscalls/syscall_32.tbl
@@ -361,4 +361,5 @@
@@ -360,5 +360,6 @@
351 i386 sched_setattr sys_sched_setattr
352 i386 sched_getattr sys_sched_getattr
353 i386 renameat2 sys_renameat2
354 i386 seccomp sys_seccomp
+355 i386 getrandom sys_getrandom
356 i386 memfd_create sys_memfd_create
354 i386 seccomp sys_seccomp
diff --git a/arch/x86/syscalls/syscall_64.tbl b/arch/x86/syscalls/syscall_64.tbl
index a22cd271b891..ca2b9aa78c81 100644
index ef5b7d067b70..b187d43e9963 100644
--- a/arch/x86/syscalls/syscall_64.tbl
+++ b/arch/x86/syscalls/syscall_64.tbl
@@ -324,6 +324,7 @@
@@ -323,6 +323,7 @@
314 common sched_setattr sys_sched_setattr
315 common sched_getattr sys_sched_getattr
316 common renameat2 sys_renameat2
317 common seccomp sys_seccomp
+318 common getrandom sys_getrandom
319 common memfd_create sys_memfd_create
317 common seccomp sys_seccomp
#
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 692482b7c2fb..5d7e2b1cb09b 100644
--- a/drivers/char/random.c
@ -292,19 +293,19 @@ index 1e6977f03277..8597786ea362 100644
asmlinkage long sys_seccomp(unsigned int op, unsigned int flags,
const char __user *uargs);
diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h
index 4f1d521e0af3..11d11bc5c78f 100644
index 3fbb85170741..40310d399973 100644
--- a/include/uapi/asm-generic/unistd.h
+++ b/include/uapi/asm-generic/unistd.h
@@ -701,7 +701,8 @@ __SYSCALL(__NR_sched_getattr, sys_sched_getattr)
@@ -700,7 +700,8 @@ __SYSCALL(__NR_sched_getattr, sys_sched_getattr)
#define __NR_renameat2 276
__SYSCALL(__NR_renameat2, sys_renameat2)
#define __NR_seccomp 277
__SYSCALL(__NR_seccomp, sys_seccomp)
__SYSCALL(277, sys_ni_syscall)
-__SYSCALL(278, sys_ni_syscall)
+#define __NR_getrandom 278
+__SYSCALL(__NR_getrandom, sys_getrandom)
#define __NR_memfd_create 279
__SYSCALL(__NR_memfd_create, sys_memfd_create)
#define __NR_seccomp 280
diff --git a/include/uapi/linux/random.h b/include/uapi/linux/random.h
index fff3528a078f..3f93d1695e7f 100644
--- a/include/uapi/linux/random.h
@ -324,5 +325,5 @@ index fff3528a078f..3f93d1695e7f 100644
+
#endif /* _UAPI_LINUX_RANDOM_H */
--
2.18.0
2.19.0
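Review bot: The refreshed context in the include/uapi/asm-generic/unistd.h hunk now shows `__SYSCALL(277, sys_ni_syscall)` ahead of the getrandom entry and `#define __NR_seccomp 280` after memfd_create, so on the new base the generic table used by native arm64 appears to leave slot 277 unimplemented and expose seccomp at 280. The local seccomp patches dropped in this same commit had wired it as `#define __NR_seccomp 277`, which is the number mainline assigns in this table. If that reading is right, userspace built against mainline headers would get ENOSYS from seccomp(2) and at best fall back to prctl(PR_SET_SECCOMP), so sandboxing should be exercised on the built kernel before the package is released. Only a few lines of the table are visible here, so the full numbering needs to be checked in the new source tree. The x86 table hunks keep 354 and 317 and only move the seccomp line.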


@ -1,58 +0,0 @@
From 73a08be22f457df505b9d2346b1e94b96e1ffae6 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Wed, 21 May 2014 15:02:11 -0700
Subject: [PATCH 03/16] seccomp: create internal mode-setting function
In preparation for having other callers of the seccomp mode setting
logic, split the prctl entry point away from the core logic that performs
seccomp mode setting.
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
(cherry picked from commit d78ab02c2c194257a03355fbb79eb721b381d105)
---
kernel/seccomp.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index e2eb71b1e970..ef24e22c3d14 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -473,7 +473,7 @@ long prctl_get_seccomp(void)
}
/**
- * prctl_set_seccomp: configures current->seccomp.mode
+ * seccomp_set_mode: internal function for setting seccomp mode
* @seccomp_mode: requested mode to use
* @filter: optional struct sock_fprog for use with SECCOMP_MODE_FILTER
*
@@ -486,7 +486,7 @@ long prctl_get_seccomp(void)
*
* Returns 0 on success or -EINVAL on failure.
*/
-long prctl_set_seccomp(unsigned long seccomp_mode, char __user *filter)
+static long seccomp_set_mode(unsigned long seccomp_mode, char __user *filter)
{
long ret = -EINVAL;
@@ -517,3 +517,15 @@ long prctl_set_seccomp(unsigned long seccomp_mode, char __user *filter)
out:
return ret;
}
+
+/**
+ * prctl_set_seccomp: configures current->seccomp.mode
+ * @seccomp_mode: requested mode to use
+ * @filter: optional struct sock_fprog for use with SECCOMP_MODE_FILTER
+ *
+ * Returns 0 on success or -EINVAL on failure.
+ */
+long prctl_set_seccomp(unsigned long seccomp_mode, char __user *filter)
+{
+ return seccomp_set_mode(seccomp_mode, filter);
+}
--
2.18.0


@ -1,7 +1,7 @@
From d24768a36614bd5f547a60b9a1c64be707bd3a24 Mon Sep 17 00:00:00 2001
From 2274b1257028d9b5b64c0e53b3b6b937c6309577 Mon Sep 17 00:00:00 2001
From: Kevin Mihelich <kevin@archlinuxarm.org>
Date: Sun, 2 Sep 2018 15:57:10 -0600
Subject: [PATCH 08/16] Revert "arm64: compat: wire up memfd_create syscall for
Subject: [PATCH 04/12] Revert "arm64: compat: wire up memfd_create syscall for
aarch32"
This reverts commit 92c47b1c5b173365582c61229e50dd6477b3e8a4.
@ -27,5 +27,5 @@ index 75eacd239848..c8d8fc17bd5a 100644
/*
* Compat syscall numbers used by the AArch64 kernel.
--
2.18.0
2.19.0


@ -1,67 +0,0 @@
From 3a8c560eb7c461639a6d2310c32be6434b962cf0 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Wed, 25 Jun 2014 15:38:02 -0700
Subject: [PATCH 04/16] seccomp: extract check/assign mode helpers
To support splitting mode 1 from mode 2, extract the mode checking and
assignment logic into common functions.
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
(cherry picked from commit 1f41b450416e689b9b7c8bfb750a98604f687a9b)
---
kernel/seccomp.c | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index ef24e22c3d14..8ddb252835aa 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -194,7 +194,23 @@ static u32 seccomp_run_filters(int syscall)
}
return ret;
}
+#endif /* CONFIG_SECCOMP_FILTER */
+static inline bool seccomp_may_assign_mode(unsigned long seccomp_mode)
+{
+ if (current->seccomp.mode && current->seccomp.mode != seccomp_mode)
+ return false;
+
+ return true;
+}
+
+static inline void seccomp_assign_mode(unsigned long seccomp_mode)
+{
+ current->seccomp.mode = seccomp_mode;
+ set_tsk_thread_flag(current, TIF_SECCOMP);
+}
+
+#ifdef CONFIG_SECCOMP_FILTER
/**
* seccomp_attach_filter: Attaches a seccomp filter to current.
* @fprog: BPF program to install
@@ -490,8 +506,7 @@ static long seccomp_set_mode(unsigned long seccomp_mode, char __user *filter)
{
long ret = -EINVAL;
- if (current->seccomp.mode &&
- current->seccomp.mode != seccomp_mode)
+ if (!seccomp_may_assign_mode(seccomp_mode))
goto out;
switch (seccomp_mode) {
@@ -512,8 +527,7 @@ static long seccomp_set_mode(unsigned long seccomp_mode, char __user *filter)
goto out;
}
- current->seccomp.mode = seccomp_mode;
- set_thread_flag(TIF_SECCOMP);
+ seccomp_assign_mode(seccomp_mode);
out:
return ret;
}
--
2.18.0


@ -1,7 +1,7 @@
From e1309b7f35395eb0db94095e6abbbf25b3a16570 Mon Sep 17 00:00:00 2001
From fdd4e330df67076d0eb4c69f7ba94f467d70609f Mon Sep 17 00:00:00 2001
From: Catalin Marinas <catalin.marinas@arm.com>
Date: Thu, 30 Jan 2014 17:56:56 +0000
Subject: [PATCH 09/16] arm64: Add __NR_* definitions for compat syscalls
Subject: [PATCH 05/12] arm64: Add __NR_* definitions for compat syscalls
This patch adds __NR_* definitions to asm/unistd32.h, moves the
__NR_compat_* definitions to asm/unistd.h and removes all the explicit
@ -1276,5 +1276,5 @@ index 78039927c807..dc47e53e9e28 100644
static inline void
do_compat_cache_op(unsigned long start, unsigned long end, int flags)
--
2.18.0
2.19.0


@ -1,126 +0,0 @@
From a4c3f708e3c96d147ec318eb7f5742fbe7cfb536 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Wed, 25 Jun 2014 15:55:25 -0700
Subject: [PATCH 05/16] seccomp: split mode setting routines
Separates the two mode setting paths to make things more readable with
fewer #ifdefs within function bodies.
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
(cherry picked from commit 3b23dd12846215eff4afb073366b80c0c4d7543e)
---
kernel/seccomp.c | 71 ++++++++++++++++++++++++++++++++----------------
1 file changed, 48 insertions(+), 23 deletions(-)
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 8ddb252835aa..d82359968d57 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -489,48 +489,66 @@ long prctl_get_seccomp(void)
}
/**
- * seccomp_set_mode: internal function for setting seccomp mode
- * @seccomp_mode: requested mode to use
- * @filter: optional struct sock_fprog for use with SECCOMP_MODE_FILTER
- *
- * This function may be called repeatedly with a @seccomp_mode of
- * SECCOMP_MODE_FILTER to install additional filters. Every filter
- * successfully installed will be evaluated (in reverse order) for each system
- * call the task makes.
+ * seccomp_set_mode_strict: internal function for setting strict seccomp
*
* Once current->seccomp.mode is non-zero, it may not be changed.
*
* Returns 0 on success or -EINVAL on failure.
*/
-static long seccomp_set_mode(unsigned long seccomp_mode, char __user *filter)
+static long seccomp_set_mode_strict(void)
{
+ const unsigned long seccomp_mode = SECCOMP_MODE_STRICT;
long ret = -EINVAL;
if (!seccomp_may_assign_mode(seccomp_mode))
goto out;
- switch (seccomp_mode) {
- case SECCOMP_MODE_STRICT:
- ret = 0;
#ifdef TIF_NOTSC
- disable_TSC();
+ disable_TSC();
#endif
- break;
+ seccomp_assign_mode(seccomp_mode);
+ ret = 0;
+
+out:
+
+ return ret;
+}
+
#ifdef CONFIG_SECCOMP_FILTER
- case SECCOMP_MODE_FILTER:
- ret = seccomp_attach_user_filter(filter);
- if (ret)
- goto out;
- break;
-#endif
- default:
+/**
+ * seccomp_set_mode_filter: internal function for setting seccomp filter
+ * @filter: struct sock_fprog containing filter
+ *
+ * This function may be called repeatedly to install additional filters.
+ * Every filter successfully installed will be evaluated (in reverse order)
+ * for each system call the task makes.
+ *
+ * Once current->seccomp.mode is non-zero, it may not be changed.
+ *
+ * Returns 0 on success or -EINVAL on failure.
+ */
+static long seccomp_set_mode_filter(char __user *filter)
+{
+ const unsigned long seccomp_mode = SECCOMP_MODE_FILTER;
+ long ret = -EINVAL;
+
+ if (!seccomp_may_assign_mode(seccomp_mode))
+ goto out;
+
+ ret = seccomp_attach_user_filter(filter);
+ if (ret)
goto out;
- }
seccomp_assign_mode(seccomp_mode);
out:
return ret;
}
+#else
+static inline long seccomp_set_mode_filter(char __user *filter)
+{
+ return -EINVAL;
+}
+#endif
/**
* prctl_set_seccomp: configures current->seccomp.mode
@@ -541,5 +559,12 @@ out:
*/
long prctl_set_seccomp(unsigned long seccomp_mode, char __user *filter)
{
- return seccomp_set_mode(seccomp_mode, filter);
+ switch (seccomp_mode) {
+ case SECCOMP_MODE_STRICT:
+ return seccomp_set_mode_strict();
+ case SECCOMP_MODE_FILTER:
+ return seccomp_set_mode_filter(filter);
+ default:
+ return -EINVAL;
+ }
}
--
2.18.0


@ -1,7 +1,7 @@
From 5523645bcf35e6d3142bcbf91679d4523e689df5 Mon Sep 17 00:00:00 2001
From 2cf4d2b54d73701c5afc7e3abdfd10a0f779a898 Mon Sep 17 00:00:00 2001
From: Will Deacon <will.deacon@arm.com>
Date: Mon, 11 Aug 2014 14:23:37 +0100
Subject: [PATCH 10/16] arm64: compat: wire up memfd_create and getrandom
Subject: [PATCH 06/12] arm64: compat: wire up memfd_create and getrandom
syscalls for aarch32
arch/arm/ just grew support for the new memfd_create and getrandom
@ -40,5 +40,5 @@ index e242600c4046..da1f06b535e3 100644
+#define __NR_memfd_create 385
+__SYSCALL(__NR_memfd_create, sys_memfd_create)
--
2.18.0
2.19.0


@ -1,236 +0,0 @@
From 1d7729de997ef9ecb1c9eef1ccf8d191197f984c Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Wed, 25 Jun 2014 16:08:24 -0700
Subject: [PATCH 06/16] seccomp: add "seccomp" syscall
This adds the new "seccomp" syscall with both an "operation" and "flags"
parameter for future expansion. The third argument is a pointer value,
used with the SECCOMP_SET_MODE_FILTER operation. Currently, flags must
be 0. This is functionally equivalent to prctl(PR_SET_SECCOMP, ...).
In addition to the TSYNC flag later in this patch series, there is a
non-zero chance that this syscall could be used for configuring a fixed
argument area for seccomp-tracer-aware processes to pass syscall arguments
in the future. Hence, the use of "seccomp" not simply "seccomp_add_filter"
for this syscall. Additionally, this syscall uses operation, flags,
and user pointer for arguments because strictly passing arguments via
a user pointer would mean seccomp itself would be unable to trivially
filter the seccomp syscall itself.
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
(cherry picked from commit 48dc92b9fc3926844257316e75ba11eb5c742b2c)
---
arch/Kconfig | 1 +
arch/x86/syscalls/syscall_32.tbl | 1 +
arch/x86/syscalls/syscall_64.tbl | 1 +
include/linux/syscalls.h | 2 ++
include/uapi/asm-generic/unistd.h | 3 +-
include/uapi/linux/seccomp.h | 4 +++
kernel/seccomp.c | 55 ++++++++++++++++++++++++++++---
kernel/sys_ni.c | 3 ++
8 files changed, 64 insertions(+), 6 deletions(-)
diff --git a/arch/Kconfig b/arch/Kconfig
index 94e811ef45f5..6ba80554149c 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -321,6 +321,7 @@ config HAVE_ARCH_SECCOMP_FILTER
- secure_computing is called from a ptrace_event()-safe context
- secure_computing return value is checked and a return value of -1
results in the system call being skipped immediately.
+ - seccomp syscall wired up
config SECCOMP_FILTER
def_bool y
diff --git a/arch/x86/syscalls/syscall_32.tbl b/arch/x86/syscalls/syscall_32.tbl
index 16209a990be7..cc4c8b448867 100644
--- a/arch/x86/syscalls/syscall_32.tbl
+++ b/arch/x86/syscalls/syscall_32.tbl
@@ -360,4 +360,5 @@
351 i386 sched_setattr sys_sched_setattr
352 i386 sched_getattr sys_sched_getattr
353 i386 renameat2 sys_renameat2
+354 i386 seccomp sys_seccomp
356 i386 memfd_create sys_memfd_create
diff --git a/arch/x86/syscalls/syscall_64.tbl b/arch/x86/syscalls/syscall_64.tbl
index 9fdc507c0641..a22cd271b891 100644
--- a/arch/x86/syscalls/syscall_64.tbl
+++ b/arch/x86/syscalls/syscall_64.tbl
@@ -323,6 +323,7 @@
314 common sched_setattr sys_sched_setattr
315 common sched_getattr sys_sched_getattr
316 common renameat2 sys_renameat2
+317 common seccomp sys_seccomp
319 common memfd_create sys_memfd_create
#
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
index 9836e157fc5e..1e6977f03277 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -867,4 +867,6 @@ asmlinkage long sys_process_vm_writev(pid_t pid,
asmlinkage long sys_kcmp(pid_t pid1, pid_t pid2, int type,
unsigned long idx1, unsigned long idx2);
asmlinkage long sys_finit_module(int fd, const char __user *uargs, int flags);
+asmlinkage long sys_seccomp(unsigned int op, unsigned int flags,
+ const char __user *uargs);
#endif
diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h
index b4588752d50f..4f1d521e0af3 100644
--- a/include/uapi/asm-generic/unistd.h
+++ b/include/uapi/asm-generic/unistd.h
@@ -699,7 +699,8 @@ __SYSCALL(__NR_sched_setattr, sys_sched_setattr)
__SYSCALL(__NR_sched_getattr, sys_sched_getattr)
#define __NR_renameat2 276
__SYSCALL(__NR_renameat2, sys_renameat2)
-__SYSCALL(277, sys_ni_syscall)
+#define __NR_seccomp 277
+__SYSCALL(__NR_seccomp, sys_seccomp)
__SYSCALL(278, sys_ni_syscall)
#define __NR_memfd_create 279
__SYSCALL(__NR_memfd_create, sys_memfd_create)
diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h
index ac2dc9f72973..b258878ba754 100644
--- a/include/uapi/linux/seccomp.h
+++ b/include/uapi/linux/seccomp.h
@@ -10,6 +10,10 @@
#define SECCOMP_MODE_STRICT 1 /* uses hard-coded filter. */
#define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */
+/* Valid operations for seccomp syscall. */
+#define SECCOMP_SET_MODE_STRICT 0
+#define SECCOMP_SET_MODE_FILTER 1
+
/*
* All BPF programs must return a 32-bit value.
* The bottom 16-bits are for optional return data.
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index d82359968d57..d2596136b0d1 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -18,6 +18,7 @@
#include <linux/compat.h>
#include <linux/sched.h>
#include <linux/seccomp.h>
+#include <linux/syscalls.h>
/* #define SECCOMP_DEBUG 1 */
@@ -314,7 +315,7 @@ free_prog:
*
* Returns 0 on success and non-zero otherwise.
*/
-static long seccomp_attach_user_filter(char __user *user_filter)
+static long seccomp_attach_user_filter(const char __user *user_filter)
{
struct sock_fprog fprog;
long ret = -EFAULT;
@@ -517,6 +518,7 @@ out:
#ifdef CONFIG_SECCOMP_FILTER
/**
* seccomp_set_mode_filter: internal function for setting seccomp filter
+ * @flags: flags to change filter behavior
* @filter: struct sock_fprog containing filter
*
* This function may be called repeatedly to install additional filters.
@@ -527,11 +529,16 @@ out:
*
* Returns 0 on success or -EINVAL on failure.
*/
-static long seccomp_set_mode_filter(char __user *filter)
+static long seccomp_set_mode_filter(unsigned int flags,
+ const char __user *filter)
{
const unsigned long seccomp_mode = SECCOMP_MODE_FILTER;
long ret = -EINVAL;
+ /* Validate flags. */
+ if (flags != 0)
+ goto out;
+
if (!seccomp_may_assign_mode(seccomp_mode))
goto out;
@@ -544,12 +551,35 @@ out:
return ret;
}
#else
-static inline long seccomp_set_mode_filter(char __user *filter)
+static inline long seccomp_set_mode_filter(unsigned int flags,
+ const char __user *filter)
{
return -EINVAL;
}
#endif
+/* Common entry point for both prctl and syscall. */
+static long do_seccomp(unsigned int op, unsigned int flags,
+ const char __user *uargs)
+{
+ switch (op) {
+ case SECCOMP_SET_MODE_STRICT:
+ if (flags != 0 || uargs != NULL)
+ return -EINVAL;
+ return seccomp_set_mode_strict();
+ case SECCOMP_SET_MODE_FILTER:
+ return seccomp_set_mode_filter(flags, uargs);
+ default:
+ return -EINVAL;
+ }
+}
+
+SYSCALL_DEFINE3(seccomp, unsigned int, op, unsigned int, flags,
+ const char __user *, uargs)
+{
+ return do_seccomp(op, flags, uargs);
+}
+
/**
* prctl_set_seccomp: configures current->seccomp.mode
* @seccomp_mode: requested mode to use
@@ -559,12 +589,27 @@ static inline long seccomp_set_mode_filter(char __user *filter)
*/
long prctl_set_seccomp(unsigned long seccomp_mode, char __user *filter)
{
+ unsigned int op;
+ char __user *uargs;
+
switch (seccomp_mode) {
case SECCOMP_MODE_STRICT:
- return seccomp_set_mode_strict();
+ op = SECCOMP_SET_MODE_STRICT;
+ /*
+ * Setting strict mode through prctl always ignored filter,
+ * so make sure it is always NULL here to pass the internal
+ * check in do_seccomp().
+ */
+ uargs = NULL;
+ break;
case SECCOMP_MODE_FILTER:
- return seccomp_set_mode_filter(filter);
+ op = SECCOMP_SET_MODE_FILTER;
+ uargs = filter;
+ break;
default:
return -EINVAL;
}
+
+ /* prctl interface doesn't have flags, so they are always zero. */
+ return do_seccomp(op, 0, uargs);
}
diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c
index 489a4e6498c7..1f79e3714533 100644
--- a/kernel/sys_ni.c
+++ b/kernel/sys_ni.c
@@ -214,3 +214,6 @@ cond_syscall(compat_sys_open_by_handle_at);
/* compare kernel pointers */
cond_syscall(sys_kcmp);
+
+/* operate on Secure Computing state */
+cond_syscall(sys_seccomp);
--
2.18.0


@ -1,7 +1,7 @@
From 596747f36cc455e99f5e6d1b87177e4b208c0c2b Mon Sep 17 00:00:00 2001
From 896ccdd6bccc7698324c19c013f8fedd72142484 Mon Sep 17 00:00:00 2001
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
Date: Thu, 21 Aug 2014 17:56:40 +0900
Subject: [PATCH 11/16] arm64: ptrace: add PTRACE_SET_SYSCALL
Subject: [PATCH 07/12] arm64: ptrace: add PTRACE_SET_SYSCALL
To allow tracer to be able to change/skip a system call by re-writing
a syscall number, there are several approaches:
@ -60,5 +60,5 @@ index 53bdc598d1c1..6ef1e17d9c5b 100644
enum ptrace_syscall_dir {
--
2.18.0
2.19.0


@ -1,7 +1,7 @@
From 5581ff348660d98cfa0348492a0ee89749829460 Mon Sep 17 00:00:00 2001
From 5bc061f95e03ba00911ebd2f9c1175404a5a9107 Mon Sep 17 00:00:00 2001
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
Date: Thu, 21 Aug 2014 17:56:41 +0900
Subject: [PATCH 12/16] arm64: ptrace: allow tracer to skip a system call
Subject: [PATCH 08/12] arm64: ptrace: allow tracer to skip a system call
If tracer specifies -1 as a syscall number, this traced system call should
be skipped with a value in x0 used as a return value.
@ -118,5 +118,5 @@ index 6ef1e17d9c5b..b29b82576f82 100644
trace_sys_enter(regs, regs->syscallno);
--
2.18.0
2.19.0


@ -1,7 +1,7 @@
From b8315a43bf6d555219e1e1f3120ce9a43127f6f2 Mon Sep 17 00:00:00 2001
From 33d1d7d4357a9e1ee645999aeb81692a72c55ac5 Mon Sep 17 00:00:00 2001
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
Date: Thu, 21 Aug 2014 17:56:42 +0900
Subject: [PATCH 13/16] asm-generic: add generic seccomp.h for secure computing
Subject: [PATCH 09/12] asm-generic: add generic seccomp.h for secure computing
mode 1
Those values (__NR_seccomp_*) are used solely in secure_computing()
@ -51,5 +51,5 @@ index 000000000000..5e9702219646
+
+#endif /* _ASM_GENERIC_SECCOMP_H */
--
2.18.0
2.19.0


@ -1,7 +1,7 @@
From 62586df3e9ea30c886028731b1c34f21da367b99 Mon Sep 17 00:00:00 2001
From 54dc300a835692fc2550fd93a003ca98426b2a68 Mon Sep 17 00:00:00 2001
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
Date: Thu, 21 Aug 2014 17:56:43 +0900
Subject: [PATCH 14/16] arm64: add seccomp syscall for compat task
Subject: [PATCH 10/12] arm64: add seccomp syscall for compat task
This patch allows compat task to issue seccomp() system call.
@ -26,5 +26,5 @@ index da1f06b535e3..812f19212b23 100644
__SYSCALL(__NR_getrandom, sys_getrandom)
#define __NR_memfd_create 385
--
2.18.0
2.19.0


@ -1,7 +1,7 @@
From ccf3528a3dae6bf48bd83b81068d1e2550b00519 Mon Sep 17 00:00:00 2001
From 9f2fec8ec46e47f04673276363af290ddfef1b89 Mon Sep 17 00:00:00 2001
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
Date: Thu, 21 Aug 2014 17:56:44 +0900
Subject: [PATCH 15/16] arm64: add SIGSYS siginfo for compat task
Subject: [PATCH 11/12] arm64: add SIGSYS siginfo for compat task
SIGSYS is primarily used in secure computing to notify tracer.
This patch allows signal handler on compat task to get correct information
@ -52,5 +52,5 @@ index 327a68c915e2..2b53747bc87f 100644
err |= __put_user(from->si_pid, &to->si_pid);
err |= __put_user(from->si_uid, &to->si_uid);
--
2.18.0
2.19.0


@ -1,7 +1,7 @@
From b0654bbead447c3d21f9690ebb1f88cc176510f7 Mon Sep 17 00:00:00 2001
From 0dd13dc36db6d265fe75d054748e94c8bac5821e Mon Sep 17 00:00:00 2001
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
Date: Thu, 21 Aug 2014 17:56:45 +0900
Subject: [PATCH 16/16] arm64: add seccomp support
Subject: [PATCH 12/12] arm64: add seccomp support
secure_computing() is called first in syscall_trace_enter() so that a system
call will be aborted quickly without doing succeeding syscall tracing,
@ -148,5 +148,5 @@ index b29b82576f82..984efa14d2b0 100644
tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
--
2.18.0
2.19.0


@ -4,12 +4,12 @@
buildarch=8
pkgbase=linux-odroid-c2
_commit=a47cdcd05b6439422bf50409f1f09485dcc7b7b6
_commit=d173487745bbe78f2a20f954baa5d50c449dde86
_srcname=linux-${_commit}
_kernelname=${pkgbase#linux}
_desc="ODROID-C2"
pkgver=3.16.57
pkgrel=2
pkgver=3.16.58
pkgrel=1
arch=('aarch64')
url="https://github.com/hardkernel/linux/tree/odroidc2-v3.16.y"
license=('GPL2')
@ -19,43 +19,35 @@ source=("https://github.com/hardkernel/linux/archive/${_commit}.tar.gz"
"git+https://github.com/mdrjr/c2_bootini.git"
'0001-add-extra-errata-843419-build-flags.patch'
'0002-arm64-Add-audit-support.patch'
'0003-seccomp-create-internal-mode-setting-function.patch'
'0004-seccomp-extract-check-assign-mode-helpers.patch'
'0005-seccomp-split-mode-setting-routines.patch'
'0006-seccomp-add-seccomp-syscall.patch'
'0007-random-introduce-getrandom-2-system-call.patch'
'0008-Revert-arm64-compat-wire-up-memfd_create-syscall-for.patch'
'0009-arm64-Add-__NR_-definitions-for-compat-syscalls.patch'
'0010-arm64-compat-wire-up-memfd_create-and-getrandom-sysc.patch'
'0011-arm64-ptrace-add-PTRACE_SET_SYSCALL.patch'
'0012-arm64-ptrace-allow-tracer-to-skip-a-system-call.patch'
'0013-asm-generic-add-generic-seccomp.h-for-secure-computi.patch'
'0014-arm64-add-seccomp-syscall-for-compat-task.patch'
'0015-arm64-add-SIGSYS-siginfo-for-compat-task.patch'
'0016-arm64-add-seccomp-support.patch'
'0003-random-introduce-getrandom-2-system-call.patch'
'0004-Revert-arm64-compat-wire-up-memfd_create-syscall-for.patch'
'0005-arm64-Add-__NR_-definitions-for-compat-syscalls.patch'
'0006-arm64-compat-wire-up-memfd_create-and-getrandom-sysc.patch'
'0007-arm64-ptrace-add-PTRACE_SET_SYSCALL.patch'
'0008-arm64-ptrace-allow-tracer-to-skip-a-system-call.patch'
'0009-asm-generic-add-generic-seccomp.h-for-secure-computi.patch'
'0010-arm64-add-seccomp-syscall-for-compat-task.patch'
'0011-arm64-add-SIGSYS-siginfo-for-compat-task.patch'
'0012-arm64-add-seccomp-support.patch'
'config'
'linux.preset'
'amlogic.service'
'60-linux.hook'
'90-linux.hook')
md5sums=('4ffd9e836370aea16f80e6798b969126'
md5sums=('1a14b75091f8327be3817129119db3a3'
'SKIP'
'56a53a0d56aa3a5ce0216a3290330053'
'23faa3d2228df60055e6d97e469cda8a'
'76493c97d174f7335a06516f0a24963b'
'4b822e81df5b1fe73fdb41c9852acfcb'
'9c8ae0d353008865492127314f3d08c7'
'3917a53be38bc28bd0acb16e6b708cf2'
'9b7eaba53b7818755905520ecea48453'
'4c304791ebe3a6161607031b641d49cf'
'd2df633f89b8e71d7d26333d70402d48'
'3baef2320266f060500de675b244948d'
'1b2cb9b6b817ca7e4854505248377197'
'250a0171b48c8e8b36667b211b3e6658'
'18675fe029a96d5c6191c5253a1ec1a5'
'b575d1884647589eae89d7736d990744'
'00e5ddbaaac55e40a700c51a6756b8de'
'cf59798a64257ce44c8b928e1abf4db2'
'adbecf48248cd62a5bd322750720b88b'
'2e1437a81bdaa1ca68bb1c3f69e0548b'
'1fce163f6150b1aef41130c9ecdc5176'
'c4ba9805056695882dea242349828471'
'196c8c0a09ee71b5c4c82151250d12e0'
'49b639f692d74496639983d87119243c'
'793201fe1c65ff5e329f07be117d62d8'
'4d9652a4606e23d8c3164ef19c20c40a'
'541caea2544547106ec78feb10709f7b'
'4d9a6300858f2039f1c33fbdb54c8df5'
'8c22925423abc152c24c8e120b9a9fb1'
'e1449557cf7ff2d17398e8d36708cf61'
'ea5d396fa0db628eb305eb15a72b64dc'
'86d4a35722b5410e3b29fc92dae15d4b'
'b8956789318f49cec5b8bb0b41654a9b'
@ -75,20 +67,16 @@ prepare() {
git apply ../0001-add-extra-errata-843419-build-flags.patch
git apply ../0002-arm64-Add-audit-support.patch
git apply ../0003-seccomp-create-internal-mode-setting-function.patch
git apply ../0004-seccomp-extract-check-assign-mode-helpers.patch
git apply ../0005-seccomp-split-mode-setting-routines.patch
git apply ../0006-seccomp-add-seccomp-syscall.patch
git apply ../0007-random-introduce-getrandom-2-system-call.patch
git apply ../0008-Revert-arm64-compat-wire-up-memfd_create-syscall-for.patch
git apply ../0009-arm64-Add-__NR_-definitions-for-compat-syscalls.patch
git apply ../0010-arm64-compat-wire-up-memfd_create-and-getrandom-sysc.patch
git apply ../0011-arm64-ptrace-add-PTRACE_SET_SYSCALL.patch
git apply ../0012-arm64-ptrace-allow-tracer-to-skip-a-system-call.patch
git apply ../0013-asm-generic-add-generic-seccomp.h-for-secure-computi.patch
git apply ../0014-arm64-add-seccomp-syscall-for-compat-task.patch
git apply ../0015-arm64-add-SIGSYS-siginfo-for-compat-task.patch
git apply ../0016-arm64-add-seccomp-support.patch
git apply ../0003-random-introduce-getrandom-2-system-call.patch
git apply ../0004-Revert-arm64-compat-wire-up-memfd_create-syscall-for.patch
git apply ../0005-arm64-Add-__NR_-definitions-for-compat-syscalls.patch
git apply ../0006-arm64-compat-wire-up-memfd_create-and-getrandom-sysc.patch
git apply ../0007-arm64-ptrace-add-PTRACE_SET_SYSCALL.patch
git apply ../0008-arm64-ptrace-allow-tracer-to-skip-a-system-call.patch
git apply ../0009-asm-generic-add-generic-seccomp.h-for-secure-computi.patch
git apply ../0010-arm64-add-seccomp-syscall-for-compat-task.patch
git apply ../0011-arm64-add-SIGSYS-siginfo-for-compat-task.patch
git apply ../0012-arm64-add-seccomp-support.patch
}
build() {
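Review bot: The regenerated integrity array is still `md5sums=(...)`, and MD5 offers no collision resistance, so it should not be what vouches for the kernel tarball, the twelve patches and the config files. Switching the array to `sha256sums=(...)` and regenerating it (for example with `updpkgsums`) keeps the same workflow. The unchanged source `git+https://github.com/mdrjr/c2_bootini.git` is also unpinned and covered only by `'SKIP'`, so whatever that repository's default branch holds at build time ends up in the package. Pinning it as `git+https://github.com/mdrjr/c2_bootini.git#commit=<PINNED_COMMIT_PLACEHOLDER>` would make the input fixed and reviewable. prepare() starts and build() continues outside the visible hunks.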