On Tue, Sep 26, 2017 at 10:15 PM, Tycho Andersen wrote:
> Hi,
>
> On Fri, Sep 22, 2017 at 05:22:29PM +0200, Oleg Nesterov wrote:
>> On 09/21, Kees Cook wrote:
>> > Can you resend the two patches; I can send the backport to -stable
>> > manually...
>>
>> Not sure I understand... Do you mean this
Hi,
On Fri, Sep 22, 2017 at 05:22:29PM +0200, Oleg Nesterov wrote:
> On 09/21, Kees Cook wrote:
> > Can you resend the two patches; I can send the backport to -stable
> > manually...
>
> Not sure I understand... Do you mean this fix + untested "introduce
> get_nth_filter()" ?
Just want to
On Fri, Sep 22, 2017 at 05:22:29PM +0200, Oleg Nesterov wrote:
> On 09/21, Kees Cook wrote:
> >
> > On Thu, Sep 21, 2017 at 3:57 AM, Oleg Nesterov wrote:
> > > On 09/20, Kees Cook wrote:
> > >>
> > >> Given how reference counting is done for filters, I'd be happier with
> > >> leaving the
On 09/21, Kees Cook wrote:
>
> On Thu, Sep 21, 2017 at 3:57 AM, Oleg Nesterov wrote:
> > On 09/20, Kees Cook wrote:
> >>
> >> Given how reference counting is done for filters, I'd be happier with
> >> leaving the get_seccomp_filter() as-is,
> >
> > No, please note that filter !=
On Thu, Sep 21, 2017 at 3:57 AM, Oleg Nesterov wrote:
> On 09/20, Kees Cook wrote:
>>
>> On Wed, Sep 20, 2017 at 5:56 AM, Oleg Nesterov wrote:
>> > @@ -908,13 +912,13 @@ long seccomp_get_filter(struct task_struct *task,
>> > unsigned long filter_off,
>> > if (!data)
>> >
On 09/20, Kees Cook wrote:
>
> I like doing these sanity checks -- this isn't fast-path at all.
Yes, but see another "introduce get_nth_filter()" cleanup I sent, it is
similar but more suitable for Tycho's "retrieving seccomp flags" patch.
> > + for (filter = orig; count > 1; filter =
On 09/20, Kees Cook wrote:
>
> On Wed, Sep 20, 2017 at 5:56 AM, Oleg Nesterov wrote:
> > @@ -908,13 +912,13 @@ long seccomp_get_filter(struct task_struct *task,
> > unsigned long filter_off,
> > if (!data)
> > goto out;
> >
> > - get_seccomp_filter(task);
> > +
On Wed, Sep 20, 2017 at 6:04 AM, Oleg Nesterov wrote:
> On 09/20, Oleg Nesterov wrote:
>>
>> @@ -908,13 +912,13 @@ long seccomp_get_filter(struct task_struct *task,
>> unsigned long filter_off,
>> if (!data)
>> goto out;
>>
>> - get_seccomp_filter(task);
>> +
On Wed, Sep 20, 2017 at 5:56 AM, Oleg Nesterov wrote:
> As Chris explains, get_seccomp_filter() and put_seccomp_filter() can
> use the different filters, once we drop ->siglock task->seccomp.filter
> can be replaced by SECCOMP_FILTER_FLAG_TSYNC.
>
> Fixes: f8e529ed941b ("seccomp, ptrace: add
On Wed, Sep 20, 2017 at 03:04:43PM +0200, Oleg Nesterov wrote:
> On 09/20, Oleg Nesterov wrote:
> >
> > @@ -908,13 +912,13 @@ long seccomp_get_filter(struct task_struct *task,
> > unsigned long filter_off,
> > if (!data)
> > goto out;
> >
> > - get_seccomp_filter(task);
> > +
On Wed, Sep 20, 2017 at 02:56:21PM +0200, Oleg Nesterov wrote:
> As Chris explains, get_seccomp_filter() and put_seccomp_filter() can
> use the different filters, once we drop ->siglock task->seccomp.filter
> can be replaced by SECCOMP_FILTER_FLAG_TSYNC.
>
> Fixes: f8e529ed941b ("seccomp, ptrace:
On 09/20, Oleg Nesterov wrote:
>
> @@ -908,13 +912,13 @@ long seccomp_get_filter(struct task_struct *task,
> unsigned long filter_off,
> if (!data)
> goto out;
>
> - get_seccomp_filter(task);
> + refcount_inc(>usage);
> spin_unlock_irq(>sighand->siglock);
>
>
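Review bot: the reference taken by the added refcount_inc() line, just before spin_unlock_irq(), has to be released on that same filter pointer rather than through put_seccomp_filter(task), because, as the commit message says, task->seccomp.filter can be replaced once ->siglock is dropped. The release path is not visible in this hunk, so confirm it matches, and consider a short comment at the increment stating which pointer owns the reference.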
As Chris explains, get_seccomp_filter() and put_seccomp_filter() can
use the different filters, once we drop ->siglock task->seccomp.filter
can be replaced by SECCOMP_FILTER_FLAG_TSYNC.
Fixes: f8e529ed941b ("seccomp, ptrace: add support for dumping seccomp filters")
Reported-by: Chris Salls
Cc: