summaryrefslogtreecommitdiff
path: root/fs/binfmt_script.c
diff options
context:
space:
mode:
authorKees Cook <keescook@chromium.org>2012-12-17 16:03:14 -0800
committerLinus Torvalds <torvalds@linux-foundation.org>2012-12-17 17:15:22 -0800
commit2f4b3bf6b2318cfaa177ec5a802f4d8d6afbd816 (patch)
treed4db7dc0ff5972232e2edbf08004e4ee838823c2 /fs/binfmt_script.c
parent834f82e2aa9a8ede94b17b656329f850c1471514 (diff)
downloadlinux-exynos-2f4b3bf6b2318cfaa177ec5a802f4d8d6afbd816.tar.gz
linux-exynos-2f4b3bf6b2318cfaa177ec5a802f4d8d6afbd816.tar.bz2
linux-exynos-2f4b3bf6b2318cfaa177ec5a802f4d8d6afbd816.zip
/proc/pid/status: add "Seccomp" field
It is currently impossible to examine the state of seccomp for a given process. While attaching with gdb and attempting "call prctl(PR_GET_SECCOMP,...)" will work with some situations, it is not reliable. If the process is in seccomp mode 1, this query will kill the process (prctl not allowed), if the process is in mode 2 with prctl not allowed, it will similarly be killed, and in weird cases, if prctl is filtered to return errno 0, it can look like seccomp is disabled. When reviewing the state of running processes, there should be a way to externally examine the seccomp mode. ("Did this build of Chrome end up using seccomp?" "Did my distro ship ssh with seccomp enabled?") This adds the "Seccomp" line to /proc/$pid/status. Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org> Cc: Andrea Arcangeli <aarcange@redhat.com> Cc: James Morris <jmorris@namei.org> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/binfmt_script.c')
0 files changed, 0 insertions, 0 deletions