Revert "CHROMIUM: seccomp_filter: allow CAP_SYS_ADMIN management of execve"

This reverts commit 09b02d793b77360739b25fa103a38ce633afc8f2.

https://lists.ubuntu.com/archives/kernel-team/2012-January/018695.html

"At this point, since there are no consumers of the old API, and it
will be almost certainly replaced by the BPF API, I think in the face
of the 5-year support of the LTS release, we should probably just
remove all of the seccomp_filter patches from Ubuntu." - Kees Cook

Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>

diff --git a/kernel/seccomp_filter.c b/kernel/seccomp_filter.c
index 8b1b8a6..00a081e 100644 (file)
--- a/kernel/seccomp_filter.c
+++ b/kernel/seccomp_filter.c
@@ -17,7 +17,6 @@
  * Copyright (C) 2011 The Chromium OS Authors <chromium-os-dev@chromium.org>
  */
 
-#include <linux/capability.h>
 #include <linux/compat.h>
 #include <linux/err.h>
 #include <linux/errno.h>
@@ -27,7 +26,6 @@
 #include <linux/perf_event.h>
 #include <linux/prctl.h>
 #include <linux/seccomp.h>
-#include <linux/security.h>
 #include <linux/seq_file.h>
 #include <linux/sched.h>
 #include <linux/slab.h>
@@ -379,18 +377,6 @@ static void seccomp_filters_drop(struct seccomp_filters *filters, int nr)
        free_event_filter(filter);
 }
 
-static void seccomp_filters_drop_exec(struct seccomp_filters *filters)
-{
-       int nr = __NR_execve;
-       if (has_capability_noaudit(current, CAP_SYS_ADMIN))
-               return;
-#ifdef CONFIG_COMPAT
-       if (filters->flags.compat)
-               nr = __NR_seccomp_execve_32;
-#endif
-       seccomp_filters_drop(filters, nr);
-}
-
 /**
  * seccomp_filters_copy - copies filters from src to dst.
  *
@@ -674,6 +660,10 @@ int seccomp_test_filters(int syscall)
                goto out;
        }
 
+       /* execve is never allowed. */
+       if (syscall_is_execve(syscall))
+               goto out;
+
        filter = btree_lookup32(&filters->tree, syscall);
        if (!filter)
                goto out;
@@ -807,7 +797,6 @@ long seccomp_clear_filter(int syscall_nr)
        if (ret)
                goto out;
        seccomp_filters_drop(filters, syscall_nr);
-       seccomp_filters_drop_exec(filters);
        get_seccomp_filters(filters);  /* simplify the out: path */
 
        current->seccomp.filters = filters;
@@ -838,14 +827,9 @@ long seccomp_set_filter(int syscall_nr, char *filter)
 {
        struct seccomp_filters *filters = NULL, *orig_filters = NULL;
        struct event_filter *ef = NULL;
-       long ret = -EPERM;
-
-       /* execve is only allowed for privileged processes. */
-       if (!capable(CAP_SYS_ADMIN) && syscall_is_execve(syscall_nr))
-               goto out;
+       long ret = -EINVAL;
 
        mutex_lock(&current->seccomp.filters_guard);
-       ret = -EINVAL;
        if (!filter)
                goto out;
 
@@ -882,7 +866,6 @@ long seccomp_set_filter(int syscall_nr, char *filter)
                ret = seccomp_filters_copy(filters, orig_filters);
                if (ret)
                        goto out;
-               seccomp_filters_drop_exec(filters);
        }
 
        if (!ef)