From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pg1-f176.google.com (mail-pg1-f176.google.com [209.85.215.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B84F72D8795 for ; Wed, 15 Jul 2026 21:20:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.176 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784150437; cv=none; b=cFCPOxuiommYOGafkua8sDQ+WA53P1OJKsJ3/LGJqa1trKSMlw0HLfKUuN0ZA7xExxhERJ46j3eUpYHaos2pYnoGRfkSfVTrUReXT5WQXce0oEuEt8t9GjAQkK3LNaVEvoAqIV4ENBVI3hDi/wlILibKtn88Y1F4I/OHFTriwfg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784150437; c=relaxed/simple; bh=ppuk4O6MDISwoxjK0N5bs6hggs+6RgfIXQs+R5dEs6E=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=b0TlIJxB1z8qiTjrqQNEYyJeG0qGuuDOISvWpn/0v0Xm33fT6v+PbAmcWCNROnyrfnOZw1vjn5x9jP/l+30q2gbpA2GYlIFW2RGmzB9uoW7tEuFbP9baoobbLJBg9XoGGM/d7yZi6EMw3LPtTfgD7QwfF1HWwNjqT5Y7y4ax4ms= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=EO3sLmkF; arc=none smtp.client-ip=209.85.215.176 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="EO3sLmkF" Received: by mail-pg1-f176.google.com with SMTP id 41be03b00d2f7-c981c2c37cbso3515271a12.0 for ; Wed, 15 Jul 2026 14:20:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1784150435; x=1784755235; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to:content-type; bh=uvApJC4hlWJ2HRy6vNlmo9w7JR5aRmbiePyhaflAwRM=; b=EO3sLmkF1H40+gfYYrkM2FU7zvFLPRV1RRmOmicF/MaGdOOQrTlz7ldJXzwBGeknXs +bab09CnWY8m5PfsC8SJfABDxTcshITUDCRxCFcGuKn9V6U/mW4VQqQf9o8eKmLClH+p B2XRmdMQNNfCBNQPhuNQTXXb0FaEUyBCAdWiP7nRHnYkWreN0BSz+qz5byzsmiwCqTgD I/zNgFZ4vTCKdUZsF1xvXbQhaSpQTWwY7Xt5y+Y/9bMmRH8yU5EDI5SA+Kaz76T8zQKi 3XxPSnUaELPSjRAkyAnOOaz75zaMzOzMWjYAl5epqFNi0YDNlaw0/RxPZO/2HIu4yx5V GVlw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1784150435; x=1784755235; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to:content-type; bh=uvApJC4hlWJ2HRy6vNlmo9w7JR5aRmbiePyhaflAwRM=; b=Ouy7jiIRrBP1wOY0AZPMofJBClacaOoIevI8nxAr27sL0abHwLL/klCRzZ/xA5IJDL l2i5Pk8rqRxUxALLggagTd/jOZ5FzsvKUZ607gwZ/p23zmp+463p77aZdbIuFdZuRTUn g4Y/lkafUgg1b1YaCYv1kddToEMgyQ8a8usU81rv7nyavLL6SE6fq1W3QXot0yH0qZt2 z/h048Z1wtIcSOQrV4JuJDPWmdqnSqZtp97rWIpRPhjeAYWNqo4ZjJc9SgBiwyBkdle3 25Y//cCqskXnB9IZIDB/0SHgRAinOkvrfMfE7Alu2EN5xL88pMl2+LMypy0sB7tyGigX dhig== X-Forwarded-Encrypted: i=1; AHgh+RqI+a6/PyYqvsNFMsC4/GoaUIfjz7D4Du3YQrAogJq6Hrp1TOZ5xJu2sgRvokzWrAab/29QYQBzSpYEp8U=@vger.kernel.org X-Gm-Message-State: AOJu0Yz5JHPztZ2jqUF9MihV4CNg/7M1FKoC2bEut6FnKdtnykEuna9G X52/e63sWIOnGvaQRAukkDCzPsHVPwLDOXh/lnzbUEH7MH2N+W74mCLw X-Gm-Gg: AfdE7clRi7gOSi8mSj4Ep+b0CJPE4ZUrbE26ZXdb9CJNpIZ8OiirjbKFtYA2RM9JGHi E0Z8WNoERNy9rv7tjG6rluheCJMO8Jf2Qlj+vjb9//wPZcWydIW5BFzPM7xdEj4ToFajI/eCVgg r3v+ZB7gL3SkoI2SA5AfTZGCHG4034FztzKA+exPNJ5Dm21eQYlsqOvDos+w755O0eXnXpl8krK OZEXrIhIupWNnWrtUqLiHI6GnR2eiaDLARaLUpDg+a7HrtRGfvcDG1G/QgmD3b3CgHAZYVpkxrL Zyxgvxg3qn5rpA2a9z4yH+OLOmQqZpVnWcN6x1PTfWIvLNkjNAtwfCXrStvPGRUtyb6+CqSd8bU g3XDpLeZfcfH0FQQ8AkAb1yiAgcuvs6dKHY1RbRy6fmVkmVEPwT+0sefu2qPBXySR3/XAk9Y2JL oSU/PcWVJEcxEGOfAEaCQ1ICgtWmZdQnhcHLhv+TNBkSectyVa5FL3IUmlgw== X-Received: by 2002:a05:6a20:c6c9:b0:3bd:3800:7538 with SMTP id adf61e73a8af0-3c35707e50dmr8171448637.33.1784150434746; Wed, 15 Jul 2026 14:20:34 -0700 (PDT) Received: from pop-os.tail4adac7.ts.net ([129.210.115.107]) by smtp.gmail.com with ESMTPSA id a92af1059eb24-13cd403a7f7sm4126844c88.0.2026.07.15.14.20.33 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 15 Jul 2026 14:20:33 -0700 (PDT) From: Cong Wang To: Andy Lutomirski Cc: Kees Cook , linux-kernel@vger.kernel.org, Will Drewry , Christian Brauner , Andrew Morton , linux-mm@kvack.org, Cong Wang , Cong Wang Subject: [PATCH v6 0/8] seccomp: non-cooperative pinned-memfd argument redirect Date: Wed, 15 Jul 2026 14:19:59 -0700 Message-ID: <20260715212007.2382846-1-xiyou.wangcong@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit The seccomp user-notification SECCOMP_USER_NOTIF_FLAG_CONTINUE response carries an inherent TOCTOU: once the supervisor decides to let a syscall continue, the target (or a CLONE_VM peer) can rewrite the memory behind a pointer argument before the kernel reads it. This is documented in the UAPI header and is why the notifier "cannot be used to implement a security policy" today. The cooperative way around this is for the target to map a shared memfd and mseal() it during a trusted setup window, so the supervisor can hand the kernel an immutable buffer. That window does not exist for the common fork()+execve() sandbox model, where the supervisor wants to confine an uncooperative (or legacy) binary it did not write. This series lets the supervisor close the TOCTOU without any target-side cooperation: - The kernel installs a sealed, read-only, MAP_SHARED mapping of a supervisor-owned memfd directly into the trapped task's mm (SECCOMP_IOCTL_NOTIF_PIN_INSTALL). The mapping is VM_SEALED at creation, so neither the target nor a CLONE_VM peer can unmap, remap, mprotect or MAP_FIXED-stomp it. The backing memfd must be write-sealed (F_SEAL_WRITE / F_SEAL_FUTURE_WRITE), so its bytes cannot be rewritten through any other reference either; the supervisor stages the argument data through its own pre-seal mapping. - The supervisor then resumes the syscall with selected argument registers rewritten (SECCOMP_IOCTL_NOTIF_SEND_REDIRECT), the pointer ones aimed into a pin. Each pointer substitution is validated so the whole access [ptr, ptr+len) lies inside a sealed, read-only pin of the supervisor's memfd that still lives in the target's current mm; original registers are restored at syscall exit for ABI compliance. Because the data the kernel acts on lives in an immutable pin, the target can no longer win the race. execve() is handled as a first-class case: its pathname is copied from the pin before the old mm is torn down, and the register-restore is skipped once the program image has been replaced (detected via self_exec_id). A redirected syscall is re-validated against the outer filters in the target's filter chain, so an inner notifier cannot use a redirect to smuggle a syscall past a policy an outer filter enforces (e.g. redirect to a blocked unshare()); see patch 6. sandlock [1], a non-cooperative seccomp sandbox supervisor, will use this to enforce argument-level policy on uncooperative targets. [1] https://github.com/multikernel/sandlock Patch 1 passes the target mm through the get_unmapped_area family, so a placement can be computed in another task's address space. Patch 2 adds __do_mmap(), a variant of do_mmap() that targets a caller-supplied mm (do_mmap() stays a current->mm wrapper, so no existing caller changes), and vm_mmap_remote()/vm_munmap_remote(), high-level helpers for installing and removing the sealed pin. Patch 3 adds PIN_INSTALL, patch 4 adds the __NR_seccomp_* syscall aliases, patch 5 adds SEND_REDIRECT, patch 6 adds the outer-filter re-validation, patch 7 documents the ABI, and patch 8 adds selftests. Changes since v5: - New patch 1: pass the target mm through the get_unmapped_area family, split out of the old mm patch. - The __NR_seccomp_* aliases (patch 4) are now gated behind a SECCOMP_ARCH_REDIRECT opt-in - Reworked the re-validation (patch 6) into a self-contained walk, seccomp_redirect_revalidate(), instead of re-entering __seccomp_filter() with ugly goto's. - Selftests: two new tests. redirect_outer_trace: an attached tracer must not receive a PTRACE_EVENT_SECCOMP for the substituted call and the target sees ENOSYS. redirect_outer_notify: an outer listener-less USER_NOTIF verdict still blocks the substituted call with ENOSYS. - Fixed other reasonable issues reported by sashiko - Fixed document warnings reported by kernel test robot Changes since v4: - Fixed READ_IMPLIES_EXEC and VM warning in patch 1 - Fixed TRACE re-validation case in patch 5 - New patch 3: split the __NR_seccomp_* syscall aliases (arch- overridable, covering rt_sigreturn and the clone/fork family) into their own patch; x86 maps the compat (ia32) numbers. - SEND_REDIRECT now also refuses the clone/fork family (clone, clone3, fork, vfork) with -EOPNOTSUPP, not just rt_sigreturn: rewriting a task-creating syscall's registers has no use case and is unsafe. - Renamed vm_mmap_seal_remote() to vm_mmap_remote() and added the vm_munmap_remote() counterpart (patch 1). - vm_mmap_remote() now bounds the mapping within the target mm's own address space with an overflow-safe task_size check, including the caller-supplied fixed-address path. - Compat: for SECCOMP_ARCH_COMPAT targets, redirected pointer arguments are truncated to 32 bits before the pin range is validated. - Selftests: two new tests -- redirect_denied_syscalls (rt_sigreturn and the clone/fork family are all rejected with -EOPNOTSUPP) and redirect_revalidate_chain (the re-validation walks the entire outer filter stack, not just the nearest filter); plus error-path hardening so a broken kernel fails or skips rather than hanging. Changes since v3: - Split the single seccomp patch into PIN_INSTALL (patch 2) and SEND_REDIRECT (patch 4) for reviewability. - New patch 5: re-validate a redirected syscall against the outer filters in the stack, closing the bypass Andy described (an inner notifier redirecting to a syscall an outer filter blocks, e.g. unshare()). - Signals: the argument restore now runs before signal/restart processing. It is queued as task_work with TWA_RESUME -- not the TWA_SIGNAL discussed on-list, which makes signal_pending() true for the whole redirected syscall and livelocks an interruptible one. TWA_RESUME still runs the restore at the top of get_signal(), before the signal frame is built and before any -ERESTART* rewind; on a restart the syscall re-traps seccomp and the supervisor is notified again. rt_sigreturn is refused (-EOPNOTSUPP). - At most one redirect-capable notifier may exist in a filter chain (-EBUSY); ordinary notifiers are unconstrained. Syscalls with complex signal/restart behaviour (nanosleep, futex(FUTEX_WAIT), ...) are out of scope and should not have their arguments redirected. - PIN_INSTALL: target_addr == 0 lets the kernel pick a free address in the target mm (avoids a racy userspace /proc//maps scan), and a new offset field lets one memfd back several disjoint pins. - New patch 6: Documentation/userspace-api/seccomp_filter.rst. - Selftests expanded: install into a fresh post-execve mm, stateless churn, outer-filter re-validation, ABI/versioning, and a signal-ordering regression test. Changes since v2: v3 was a redesign that dropped the v2 SECCOMP_IOCTL_NOTIF_INJECT approach (an in-kernel reimplementation of a syscall whitelist) in favour of redirecting the real syscall into a sealed pin, as suggested by Andy. Changes since v1: v2 was a redesign that dropped the v1 SECCOMP_IOCTL_NOTIF_PIN_ARGS approach. All pinned-memfd and redirect selftests pass (seccomp_bpf: 121/121). Cong Wang (8): mm: pass the target mm parameter through get_unmapped_area family mm: add __do_mmap() and vm_mmap_remote()/vm_munmap_remote() seccomp: introduce SECCOMP_IOCTL_NOTIF_PIN_INSTALL seccomp: add __NR_seccomp_* aliases for rt_sigreturn and clone/fork seccomp: add kernel-installed pinned-memfd redirect seccomp: re-validate a redirected syscall against outer filters docs/seccomp: document pinned-memfd redirect ioctls selftests/seccomp: cover non-cooperative pinned-memfd install Documentation/filesystems/locking.rst | 2 +- Documentation/filesystems/vfs.rst | 2 +- .../userspace-api/seccomp_filter.rst | 109 ++ arch/alpha/kernel/osf_sys.c | 21 +- arch/arc/mm/mmap.c | 7 +- arch/arm/mm/mmap.c | 19 +- arch/csky/abiv1/mmap.c | 7 +- arch/loongarch/mm/mmap.c | 28 +- arch/mips/mm/mmap.c | 28 +- arch/parisc/kernel/sys_parisc.c | 28 +- arch/powerpc/include/asm/book3s/64/slice.h | 3 +- arch/powerpc/mm/book3s64/slice.c | 28 +- arch/s390/mm/mmap.c | 25 +- arch/sh/mm/mmap.c | 21 +- arch/sparc/include/asm/pgtable_64.h | 6 +- arch/sparc/kernel/sys_sparc_32.c | 7 +- arch/sparc/kernel/sys_sparc_64.c | 32 +- arch/x86/include/asm/elf.h | 2 +- arch/x86/include/asm/seccomp.h | 15 +- arch/x86/kernel/cpu/sgx/driver.c | 13 +- arch/x86/kernel/sys_x86_64.c | 32 +- arch/x86/kernel/uprobes.c | 4 +- arch/x86/mm/mmap.c | 4 +- arch/xtensa/kernel/syscall.c | 8 +- drivers/char/mem.c | 15 +- drivers/dax/device.c | 11 +- drivers/gpu/drm/drm_gem.c | 9 +- drivers/gpu/drm/drm_gem_dma_helper.c | 4 +- drivers/media/v4l2-core/v4l2-dev.c | 3 +- drivers/mtd/mtdchar.c | 3 +- drivers/video/fbdev/core/fb_chrdev.c | 3 +- fs/cramfs/inode.c | 3 +- fs/hugetlbfs/inode.c | 9 +- fs/proc/inode.c | 15 +- fs/ramfs/file-mmu.c | 5 +- fs/ramfs/file-nommu.c | 6 +- fs/romfs/mmap-nommu.c | 3 +- include/asm-generic/seccomp.h | 30 + include/drm/drm_gem.h | 3 +- include/drm/drm_gem_dma_helper.h | 3 +- include/linux/bpf.h | 3 +- include/linux/fs.h | 5 +- include/linux/huge_mm.h | 18 +- include/linux/hugetlb.h | 6 +- include/linux/mm.h | 31 +- include/linux/proc_fs.h | 5 +- include/linux/sched/mm.h | 37 +- include/linux/seccomp.h | 12 +- include/linux/shmem_fs.h | 5 +- include/uapi/linux/seccomp.h | 87 + io_uring/memmap.c | 8 +- io_uring/memmap.h | 3 +- ipc/shm.c | 8 +- kernel/bpf/arena.c | 5 +- kernel/bpf/syscall.c | 8 +- kernel/seccomp.c | 571 +++++- mm/huge_memory.c | 27 +- mm/internal.h | 6 + mm/mmap.c | 132 +- mm/mprotect.c | 2 +- mm/nommu.c | 27 +- mm/shmem.c | 13 +- mm/util.c | 106 ++ mm/vma.c | 62 +- mm/vma.h | 18 +- sound/core/pcm_native.c | 3 +- tools/testing/selftests/seccomp/seccomp_bpf.c | 1615 +++++++++++++++++ 67 files changed, 3025 insertions(+), 374 deletions(-) base-commit: 58717b2a1365d06c8c64b72aa948541b53fe31eb -- 2.43.0