linux/fs/proc
YiFei Zhu 0d8315dddd seccomp/cache: Report cache data through /proc/pid/seccomp_cache
Currently the kernel does not provide an infrastructure to translate
architecture numbers to a human-readable name. Translating syscall
numbers to syscall names is possible through FTRACE_SYSCALL
infrastructure but it does not provide support for compat syscalls.

This will create a file for each PID as /proc/pid/seccomp_cache.
The file will be empty when no seccomp filters are loaded, or be
in the format of:
<arch name> <decimal syscall number> <ALLOW | FILTER>
where ALLOW means the cache is guaranteed to allow the syscall,
and filter means the cache will pass the syscall to the BPF filter.

For the docker default profile on x86_64 it looks like:
x86_64 0 ALLOW
x86_64 1 ALLOW
x86_64 2 ALLOW
x86_64 3 ALLOW
[...]
x86_64 132 ALLOW
x86_64 133 ALLOW
x86_64 134 FILTER
x86_64 135 FILTER
x86_64 136 FILTER
x86_64 137 ALLOW
x86_64 138 ALLOW
x86_64 139 FILTER
x86_64 140 ALLOW
x86_64 141 ALLOW
[...]

This file is guarded by CONFIG_SECCOMP_CACHE_DEBUG with a default
of N because I think certain users of seccomp might not want the
application to know which syscalls are definitely usable. For
the same reason, it is also guarded by CAP_SYS_ADMIN.

Suggested-by: Jann Horn <jannh@google.com>
Link: https://lore.kernel.org/lkml/CAG48ez3Ofqp4crXGksLmZY6=fGrF_tWyUCg7PBkAetvbbOPeOA@mail.gmail.com/
Signed-off-by: YiFei Zhu <yifeifz2@illinois.edu>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/94e663fa53136f5a11f432c661794d1ee7060779.1605101222.git.yifeifz2@illinois.edu
2020-11-20 11:16:35 -08:00
..
array.c seccomp: Report number of loaded filters in /proc/$pid/status 2020-07-10 16:01:51 -07:00
base.c seccomp/cache: Report cache data through /proc/pid/seccomp_cache 2020-11-20 11:16:35 -08:00
bootconfig.c proc/bootconfig: Fix to use correct quotes for value 2020-06-16 21:21:03 -04:00
cmdline.c
consoles.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 191 2019-05-30 11:29:21 -07:00
cpuinfo.c proc/cpuinfo: switch to ->read_iter 2020-11-06 10:05:18 -08:00
devices.c block: move block-related definitions out of fs.h 2020-06-24 09:16:02 -06:00
fd.c proc: use "unsigned int" in proc_fill_cache() 2018-06-07 17:34:38 -07:00
fd.h
generic.c proc "seq files": switch to ->read_iter 2020-11-06 10:05:18 -08:00
inode.c proc: wire up generic_file_splice_read for iter ops 2020-11-06 10:05:18 -08:00
internal.h proc: faster open/read/close with "permanent" files 2020-04-07 10:43:42 -07:00
interrupts.c
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
kcore.c maccess: rename probe_kernel_{read,write} to copy_{from,to}_kernel_nofault 2020-06-17 10:57:41 -07:00
kmsg.c proc: faster open/read/close with "permanent" files 2020-04-07 10:43:42 -07:00
loadavg.c sched: loadavg: consolidate LOAD_INT, LOAD_FRAC, CALC_LOAD 2018-10-26 16:26:32 -07:00
Makefile proc: bootconfig: Add /proc/bootconfig to show boot config list 2020-01-13 13:19:39 -05:00
meminfo.c proc/meminfo: avoid open coded reading of vm_committed_as 2020-08-07 11:33:26 -07:00
namespaces.c Merge branch 'work.openat2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2020-01-29 11:20:24 -08:00
nommu.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
page.c mm: Add PG_arch_2 page flag 2020-09-04 12:46:06 +01:00
proc_net.c bpf: Refactor to provide aux info to bpf_iter_init_seq_priv_t 2020-07-25 20:16:32 -07:00
proc_sysctl.c sysctl: Convert to iter interfaces 2020-09-08 22:20:39 -04:00
proc_tty.c
root.c proc: s_fs_info may be NULL when proc_kill_sb is called 2020-06-10 14:54:54 -05:00
self.c proc: Use new_inode not new_inode_pseudo 2020-06-12 14:13:33 -05:00
softirqs.c
stat.c proc/stat: switch to ->read_iter 2020-11-06 10:05:18 -08:00
task_mmu.c mm: remove the now-unnecessary mmget_still_valid() hack 2020-10-16 11:11:22 -07:00
task_nommu.c mmap locking API: use coccinelle to convert mmap_sem rwsem call sites 2020-06-09 09:39:14 -07:00
thread_self.c proc: Use new_inode not new_inode_pseudo 2020-06-12 14:13:33 -05:00
uptime.c fs/proc: Respect boottime inside time namespace for /proc/uptime 2020-01-14 12:20:56 +01:00
util.c fs/proc/util.c: include fs/proc/internal.h for name_to_int() 2019-01-04 13:13:45 -08:00
version.c
vmcore.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00