From nobody Mon Feb 9 00:02:36 2026 Received: from mail-pj1-f51.google.com (mail-pj1-f51.google.com [209.85.216.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7EBAF2C0303 for ; Wed, 4 Feb 2026 02:28:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.51 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770172108; cv=none; b=OTRabLygTzuRYXMAezNq8vFt5MpHXbWm8UW1PCYnfCpLLRiampdhGgDPf5UXG6pPz21OO6ke3hNlVTTSZXtpXY4AZTH1yvnHejU8njU6z4LVxB9rsQ09KNSzG2h1j8PR/JQEgDg7dvLh7PHUBbwPtLYQa20NSxx0s1Gm+9kHOUg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770172108; c=relaxed/simple; bh=SFRj99H60SuVf2pzFy78XNsf70dEa3gjFhK5ewhjtEA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ikKaKEpVrsuqiOh8XfPWQ8AbkafYrJYp7I7NZDoMwxcnT4kMTjAOm6kMOrfyqDP4lz0hPMEj9SLy1Q9zctEeq+9tkiqyfUGsc9xEI3QGyswJwmoRuNrGgj7MZxdUt8u9r7ptG/NYvfdFzR5SmWg0j6unPO9fO4qczLFejRl+3Wg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=nUvlhoRn; arc=none smtp.client-ip=209.85.216.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="nUvlhoRn" Received: by mail-pj1-f51.google.com with SMTP id 98e67ed59e1d1-352c5bd2769so3745333a91.1 for ; Tue, 03 Feb 2026 18:28:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1770172106; x=1770776906; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=4GzNDSqk/5OQvqJXVrFISSObJmCqqMejYVMMF81vnhg=; b=nUvlhoRnSCCg9eOwE3pbSfEYmNd1C1gXVoZ3l/VSMD8mJcI1Xvus0nPZi+eyZKu2np 2/Znc0x3Sfz5E1N983HsixYr4hRXXTCjJvgoTUX4ghSVY6YVQr+Diix+9phwexkk0Fiv e/P2Avxifh5vDB7YjgDMTs/F6Mir35kUM+fMR1p378FOwQCvTQFU55hFNTt+LV2gSkRa gcQyBpDdTypsl+M3Pj3v+i8SRTIkwF3g3iXT3o5xLSysXXgzemNl1qKQilLlArbtN9Y/ xQCjqb/c0jnMWYA4jdR/6JDmPrNYE2TnduNbVTJLBPOYlswAq7Ymx874nwtLbHKzet1V BSPQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770172106; x=1770776906; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=4GzNDSqk/5OQvqJXVrFISSObJmCqqMejYVMMF81vnhg=; b=YOYQgCO79iSvMpMQ7tW6DpeW/LA14osKDkm4QH7mQL/7Mlt8gmplj20zO67RPAr0eS nGaUGeljSwRwXDWEQ97F9+KM+wbU8t94UqH3LWN+xizs1lgkSF6368roJCiBBKIKpgfs 7O68P7Qy8COjMUUcZl57IzXZnPVUy0WzwIojcIh4CNdIH0Qe4kVt/XJLaRrfNkGHdg2c s5oF+sBf2OWFwGbE8K5StBbv79uEya4mejeE/CXqfWRw/LQs4iSrxU0ZXE0+zm4v7z9e YkllGAS/BQU+3REM78fcSl2DhCK4o9M0zNWPZnhWnlKKANy0Kck0CCJuXUiyqvS4djP4 MTJQ== X-Forwarded-Encrypted: i=1; AJvYcCXuUKFoXC5XDQmNkbvP1O/krwIsftA98MFVnj7lDYOndhG/jJDIEUaNgUlgP68wkGA5BCCWu3eNPAnc+Bg=@vger.kernel.org X-Gm-Message-State: AOJu0Yz+N9z0J+AMH4TXuQzjLfD24f1+iYdtffdlTzzEMUmPGp8TphD2 YjFLCOuVwi2/QiK5HgM6vQWzGbFT1NJ7XIuh0cInSCB07ml1lsPJaLqe X-Gm-Gg: AZuq6aJGxNurYDtKv53gi2zKT+AvSuMA4Fq7/FmicndPxGLF0YML+jsNUxf2X0UD2D9 KUd1nl+Wo/xX1jLz5uImN2SUupBCEXW94uMOd5ekHx7F3Qx9zy9rqz8olXwg8F0WQg7ZU2wafpu fhWkjjSq8bJHw/UJr8v7cR/SiLCU0FkGmMYYNEhrcTvg3h+t8nmTTO099CEC7qfVTlBFwYP9nba rs8AOOGlxcU5Xm5eC8YMmptAFW+Houf1UToChaKjTHSQ2plAKghAQeLKXKMokSlpOULS2J5vpr+ 4O6Z8K626eXfW8Al/rSiVE5PKV2NZvd9pTpR3jDugxJjzrMHGPa3zf8C8Db/LxW1EZwrO4tJyV+ HNN2ePuoJDYQtYc8CKU4nlvufoEZlUY0eNAhRu5nD/Mk/3PGjQJ17GYO6uXOvpSo1vv1ZZTPN+U OkfbF3wmVHmOwiCxrnvc5Sh0AghM2zmWDYWbrB0L623aflXbdMNTv5Kh33KQ1OL4ooGn8e2UChd Rlnl3vd/xKEktMR X-Received: by 2002:a17:90a:ec8f:b0:340:bde5:c9e8 with SMTP id 98e67ed59e1d1-3548719372cmr1207738a91.22.1770172105906; Tue, 03 Feb 2026 18:28:25 -0800 (PST) Received: from ikb-h07-29-noble.in.iijlab.net ([202.214.97.5]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c6c82e343e4sm632227a12.4.2026.02.03.18.28.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Feb 2026 18:28:24 -0800 (PST) Received: by ikb-h07-29-noble.in.iijlab.net (Postfix, from userid 1010) id CB1DE1200C39; Wed, 4 Feb 2026 11:28:22 +0900 (JST) From: Hajime Tazaki To: linux-um@lists.infradead.org Cc: thehajime@gmail.com, ricarkol@google.com, Liam.Howlett@oracle.com, linux-kernel@vger.kernel.org, Kenichi Yasukata Subject: [PATCH v14 05/13] um: nommu: seccomp syscalls hook Date: Wed, 4 Feb 2026 11:28:03 +0900 Message-ID: <053f2b46e47093a4347ee83d4afe79985715d24a.1770170302.git.thehajime@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" This commit adds syscall hook with seccomp. Using seccomp raises SIGSYS to UML process, which is captured in the (UML) kernel, then jumps to the syscall entry point, __kernel_vsyscall, to hook the original syscall instructions. The SIGSYS signal is raised upon the execution from uml_reserved and high_physmem, which locates userspace memory. It also renames existing static function, sigsys_handler(), in start_up.c to avoid name conflicts between them. Signed-off-by: Hajime Tazaki Signed-off-by: Kenichi Yasukata --- arch/um/include/shared/kern_util.h | 2 + arch/um/include/shared/os.h | 10 +++ arch/um/kernel/um_arch.c | 3 + arch/um/nommu/Makefile | 3 + arch/um/nommu/os-Linux/Makefile | 7 +++ arch/um/nommu/os-Linux/seccomp.c | 87 +++++++++++++++++++++++++++ arch/um/nommu/os-Linux/signal.c | 16 +++++ arch/um/os-Linux/signal.c | 8 +++ arch/um/os-Linux/start_up.c | 4 +- arch/x86/um/nommu/Makefile | 2 +- arch/x86/um/nommu/os-Linux/Makefile | 6 ++ arch/x86/um/nommu/os-Linux/mcontext.c | 15 +++++ arch/x86/um/shared/sysdep/mcontext.h | 4 ++ 13 files changed, 164 insertions(+), 3 deletions(-) create mode 100644 arch/um/nommu/Makefile create mode 100644 arch/um/nommu/os-Linux/Makefile create mode 100644 arch/um/nommu/os-Linux/seccomp.c create mode 100644 arch/um/nommu/os-Linux/signal.c create mode 100644 arch/x86/um/nommu/os-Linux/Makefile create mode 100644 arch/x86/um/nommu/os-Linux/mcontext.c diff --git a/arch/um/include/shared/kern_util.h b/arch/um/include/shared/ke= rn_util.h index 38321188c04c..7798f16a4677 100644 --- a/arch/um/include/shared/kern_util.h +++ b/arch/um/include/shared/kern_util.h @@ -63,6 +63,8 @@ extern void segv_handler(int sig, struct siginfo *unused_= si, struct uml_pt_regs extern void winch(int sig, struct siginfo *unused_si, struct uml_pt_regs *= regs, void *mc); extern void fatal_sigsegv(void) __attribute__ ((noreturn)); +extern void sigsys_handler(int sig, struct siginfo *si, struct uml_pt_regs= *regs, + void *mc); =20 void um_idle_sleep(void); =20 diff --git a/arch/um/include/shared/os.h b/arch/um/include/shared/os.h index b26e94292fc1..5451f9b1f41e 100644 --- a/arch/um/include/shared/os.h +++ b/arch/um/include/shared/os.h @@ -356,4 +356,14 @@ static inline void os_local_ipi_enable(void) { } static inline void os_local_ipi_disable(void) { } #endif /* CONFIG_SMP */ =20 +/* seccomp.c */ +#ifdef CONFIG_MMU +static inline int os_setup_seccomp(void) +{ + return 0; +} +#else +extern int os_setup_seccomp(void); +#endif + #endif diff --git a/arch/um/kernel/um_arch.c b/arch/um/kernel/um_arch.c index e2b24e1ecfa6..27c13423d9aa 100644 --- a/arch/um/kernel/um_arch.c +++ b/arch/um/kernel/um_arch.c @@ -423,6 +423,9 @@ void __init setup_arch(char **cmdline_p) add_bootloader_randomness(rng_seed, sizeof(rng_seed)); memzero_explicit(rng_seed, sizeof(rng_seed)); } + + /* install seccomp filter */ + os_setup_seccomp(); } =20 void __init arch_cpu_finalize_init(void) diff --git a/arch/um/nommu/Makefile b/arch/um/nommu/Makefile new file mode 100644 index 000000000000..baab7c2f57c2 --- /dev/null +++ b/arch/um/nommu/Makefile @@ -0,0 +1,3 @@ +# SPDX-License-Identifier: GPL-2.0 + +obj-y :=3D os-Linux/ diff --git a/arch/um/nommu/os-Linux/Makefile b/arch/um/nommu/os-Linux/Makef= ile new file mode 100644 index 000000000000..805e26ccf63b --- /dev/null +++ b/arch/um/nommu/os-Linux/Makefile @@ -0,0 +1,7 @@ +# SPDX-License-Identifier: GPL-2.0 + +obj-y :=3D seccomp.o signal.o +USER_OBJS :=3D $(obj-y) + +include $(srctree)/arch/um/scripts/Makefile.rules +USER_CFLAGS+=3D-I$(srctree)/arch/um/os-Linux diff --git a/arch/um/nommu/os-Linux/seccomp.c b/arch/um/nommu/os-Linux/secc= omp.c new file mode 100644 index 000000000000..d1cfa6e3d632 --- /dev/null +++ b/arch/um/nommu/os-Linux/seccomp.c @@ -0,0 +1,87 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include +#include +#include +#include +#include +#include +#include /* For SYS_xxx definitions */ +#include +#include +#include +#include +#include + +int __init os_setup_seccomp(void) +{ + int err; + unsigned long __userspace_start =3D uml_reserved, + __userspace_end =3D high_physmem; + + struct sock_filter filter[] =3D { + /* if (IP_high > __userspace_end) allow; */ + BPF_STMT(BPF_LD + BPF_W + BPF_ABS, + offsetof(struct seccomp_data, instruction_pointer) + 4), + BPF_JUMP(BPF_JMP + BPF_JGT + BPF_K, __userspace_end >> 32, + /*true-skip=3D*/0, /*false-skip=3D*/1), + BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW), + + /* if (IP_high =3D=3D __userspace_end && IP_low >=3D __userspace_end) al= low; */ + BPF_STMT(BPF_LD + BPF_W + BPF_ABS, + offsetof(struct seccomp_data, instruction_pointer) + 4), + BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __userspace_end >> 32, + /*true-skip=3D*/0, /*false-skip=3D*/3), + BPF_STMT(BPF_LD + BPF_W + BPF_ABS, + offsetof(struct seccomp_data, instruction_pointer)), + BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, __userspace_end, + /*true-skip=3D*/0, /*false-skip=3D*/1), + BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW), + + /* if (IP_high < __userspace_start) allow; */ + BPF_STMT(BPF_LD + BPF_W + BPF_ABS, + offsetof(struct seccomp_data, instruction_pointer) + 4), + BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, __userspace_start >> 32, + /*true-skip=3D*/1, /*false-skip=3D*/0), + BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW), + + /* if (IP_high =3D=3D __userspace_start && IP_low < __userspace_start) a= llow; */ + BPF_STMT(BPF_LD + BPF_W + BPF_ABS, + offsetof(struct seccomp_data, instruction_pointer) + 4), + BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __userspace_start >> 32, + /*true-skip=3D*/0, /*false-skip=3D*/3), + BPF_STMT(BPF_LD + BPF_W + BPF_ABS, + offsetof(struct seccomp_data, instruction_pointer)), + BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, __userspace_start, + /*true-skip=3D*/1, /*false-skip=3D*/0), + BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW), + + /* other address; trap */ + BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_TRAP), + }; + struct sock_fprog prog =3D { + .len =3D ARRAY_SIZE(filter), + .filter =3D filter, + }; + + err =3D prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + if (err) + os_warn("PR_SET_NO_NEW_PRIVS (err=3D%d, ernro=3D%d)\n", + err, errno); + + err =3D syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, + SECCOMP_FILTER_FLAG_TSYNC, &prog); + if (err) { + os_warn("SECCOMP_SET_MODE_FILTER (err=3D%d, ernro=3D%d)\n", + err, errno); + exit(1); + } + + set_handler(SIGSYS); + + os_info("seccomp: setup filter syscalls in the range: 0x%lx-0x%lx\n", + __userspace_start, __userspace_end); + + return 0; +} + diff --git a/arch/um/nommu/os-Linux/signal.c b/arch/um/nommu/os-Linux/signa= l.c new file mode 100644 index 000000000000..19043b9652e2 --- /dev/null +++ b/arch/um/nommu/os-Linux/signal.c @@ -0,0 +1,16 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include +#include +#include +#include +#include + +void sigsys_handler(int sig, struct siginfo *si, + struct uml_pt_regs *regs, void *ptr) +{ + mcontext_t *mc =3D (mcontext_t *) ptr; + + /* hook syscall via SIGSYS */ + set_mc_sigsys_hook(mc); +} diff --git a/arch/um/os-Linux/signal.c b/arch/um/os-Linux/signal.c index 6c993bc8c78e..6538c2d8694c 100644 --- a/arch/um/os-Linux/signal.c +++ b/arch/um/os-Linux/signal.c @@ -21,6 +21,7 @@ #include #include #include +#include #include "internal.h" =20 void (*sig_info[NSIG])(int, struct siginfo *, struct uml_pt_regs *, void *= mc) =3D { @@ -32,6 +33,7 @@ void (*sig_info[NSIG])(int, struct siginfo *, struct uml_= pt_regs *, void *mc) =3D [SIGSEGV] =3D segv_handler, [SIGIO] =3D sigio_handler, [SIGCHLD] =3D sigchld_handler, + [SIGSYS] =3D sigsys_handler, }; =20 static void sig_handler_common(int sig, struct siginfo *si, mcontext_t *mc) @@ -180,6 +182,11 @@ static void sigusr1_handler(int sig, struct siginfo *u= nused_si, mcontext_t *mc) uml_pm_wake(); } =20 +__weak void sigsys_handler(int sig, struct siginfo *unused_si, + struct uml_pt_regs *regs, void *mc) +{ +} + void register_pm_wake_signal(void) { set_handler(SIGUSR1); @@ -191,6 +198,7 @@ static void (*handlers[_NSIG])(int sig, struct siginfo = *si, mcontext_t *mc) =3D { [SIGILL] =3D sig_handler, [SIGFPE] =3D sig_handler, [SIGTRAP] =3D sig_handler, + [SIGSYS] =3D sig_handler, =20 [SIGIO] =3D sig_handler, [SIGWINCH] =3D sig_handler, diff --git a/arch/um/os-Linux/start_up.c b/arch/um/os-Linux/start_up.c index 054ac03bbf5e..33e039d2c1bf 100644 --- a/arch/um/os-Linux/start_up.c +++ b/arch/um/os-Linux/start_up.c @@ -239,7 +239,7 @@ extern unsigned long *exec_fp_regs; =20 __initdata static struct stub_data *seccomp_test_stub_data; =20 -static void __init sigsys_handler(int sig, siginfo_t *info, void *p) +static void __init _sigsys_handler(int sig, siginfo_t *info, void *p) { ucontext_t *uc =3D p; =20 @@ -274,7 +274,7 @@ static int __init seccomp_helper(void *data) sizeof(seccomp_test_stub_data->sigstack)); =20 sa.sa_flags =3D SA_ONSTACK | SA_NODEFER | SA_SIGINFO; - sa.sa_sigaction =3D (void *) sigsys_handler; + sa.sa_sigaction =3D (void *) _sigsys_handler; sa.sa_restorer =3D NULL; if (sigaction(SIGSYS, &sa, NULL) < 0) exit(2); diff --git a/arch/x86/um/nommu/Makefile b/arch/x86/um/nommu/Makefile index d72c63afffa5..ebe47d4836f4 100644 --- a/arch/x86/um/nommu/Makefile +++ b/arch/x86/um/nommu/Makefile @@ -5,4 +5,4 @@ else BITS :=3D 64 endif =20 -obj-y =3D do_syscall_$(BITS).o entry_$(BITS).o +obj-y =3D do_syscall_$(BITS).o entry_$(BITS).o os-Linux/ diff --git a/arch/x86/um/nommu/os-Linux/Makefile b/arch/x86/um/nommu/os-Lin= ux/Makefile new file mode 100644 index 000000000000..4571e403a6ff --- /dev/null +++ b/arch/x86/um/nommu/os-Linux/Makefile @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: GPL-2.0 + +obj-y =3D mcontext.o +USER_OBJS :=3D mcontext.o + +include $(srctree)/arch/um/scripts/Makefile.rules diff --git a/arch/x86/um/nommu/os-Linux/mcontext.c b/arch/x86/um/nommu/os-L= inux/mcontext.c new file mode 100644 index 000000000000..b62a6195096f --- /dev/null +++ b/arch/x86/um/nommu/os-Linux/mcontext.c @@ -0,0 +1,15 @@ +// SPDX-License-Identifier: GPL-2.0 +#include +#define __FRAME_OFFSETS +#include +#include +#include + +extern long __kernel_vsyscall(int64_t a0, int64_t a1, int64_t a2, int64_t = a3, + int64_t a4, int64_t a5, int64_t a6); + +void set_mc_sigsys_hook(mcontext_t *mc) +{ + mc->gregs[REG_RCX] =3D mc->gregs[REG_RIP]; + mc->gregs[REG_RIP] =3D (unsigned long) __kernel_vsyscall; +} diff --git a/arch/x86/um/shared/sysdep/mcontext.h b/arch/x86/um/shared/sysd= ep/mcontext.h index 6fe490cc5b98..9a0d6087f357 100644 --- a/arch/x86/um/shared/sysdep/mcontext.h +++ b/arch/x86/um/shared/sysdep/mcontext.h @@ -17,6 +17,10 @@ extern int get_stub_state(struct uml_pt_regs *regs, stru= ct stub_data *data, extern int set_stub_state(struct uml_pt_regs *regs, struct stub_data *data, int single_stepping); =20 +#ifndef CONFIG_MMU +extern void set_mc_sigsys_hook(mcontext_t *mc); +#endif + #ifdef __i386__ =20 #define GET_FAULTINFO_FROM_MC(fi, mc) \ --=20 2.43.0