From: Kees Cook
Date: Thu, 27 Sep 2018 14:42:02 -0700
Subject: Re: [PATCH v7 2/6] seccomp: make get_nth_filter available outside of CHECKPOINT_RESTORE
To: Tycho Andersen
Cc: LKML, Linux Containers, Linux API, Andy Lutomirski, Oleg Nesterov, "Eric W . Biederman", "Serge E . Hallyn", Christian Brauner, Tyler Hicks, Akihiro Suda, Jann Horn, "linux-fsdevel@vger.kernel.org"
In-Reply-To: <20180927151119.9989-3-tycho@tycho.ws>
References: <20180927151119.9989-1-tycho@tycho.ws> <20180927151119.9989-3-tycho@tycho.ws>

On Thu, Sep 27, 2018 at 8:11 AM, Tycho Andersen wrote:
> In the next commit we'll use this same mnemonic to get a listener for the
> nth filter, so we need it available outside of CHECKPOINT_RESTORE in the
> USER_NOTIFICATION case as well.
>
> v2: new in v2
> v3: no changes
> v4: no changes
> v5: switch to CHECKPOINT_RESTORE || USER_NOTIFICATION to avoid warning when
>     only CONFIG_SECCOMP_FILTER is enabled.
> v7: drop USER_NOTIFICATION bits
> > Signed-off-by: Tycho Andersen > CC: Kees Cook > CC: Andy Lutomirski > CC: Oleg Nesterov > CC: Eric W. Biederman > CC: "Serge E. Hallyn" > CC: Christian Brauner > CC: Tyler Hicks > CC: Akihiro Suda > --- > kernel/seccomp.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/kernel/seccomp.c b/kernel/seccomp.c > index fa6fe9756c80..44a31ac8373a 100644 > --- a/kernel/seccomp.c > +++ b/kernel/seccomp.c > @@ -1158,7 +1158,7 @@ long prctl_set_seccomp(unsigned long seccomp_mode, char __user *filter) > return do_seccomp(op, 0, uargs); > } > > -#if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE) > +#if defined(CONFIG_SECCOMP_FILTER) > static struct seccomp_filter *get_nth_filter(struct task_struct *task, > unsigned long filter_off) > { > @@ -1205,6 +1205,7 @@ static struct seccomp_filter *get_nth_filter(struct task_struct *task, > return filter; > } > > +#if defined(CONFIG_CHECKPOINT_RESTORE) > long seccomp_get_filter(struct task_struct *task, unsigned long filter_off, > void __user *data) > { > @@ -1277,7 +1278,8 @@ long seccomp_get_metadata(struct task_struct *task, > __put_seccomp_filter(filter); > return ret; > } > -#endif > +#endif /* CONFIG_CHECKPOINT_RESTORE */ > +#endif /* CONFIG_SECCOMP_FILTER */ > > #ifdef CONFIG_SYSCTL Yup, looks fine. -Kees -- Kees Cook Pixel Security
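
Review bot: In the first hunk (@@ -1158), the static get_nth_filter() is now built whenever CONFIG_SECCOMP_FILTER is set, but the only functions shown using this region, seccomp_get_filter() and seccomp_get_metadata(), stay inside the new CONFIG_CHECKPOINT_RESTORE block added in the second hunk. The visible hunks add no caller outside that block, so a build with CONFIG_SECCOMP_FILTER=y and CONFIG_CHECKPOINT_RESTORE=n would see a "defined but not used" warning at this point in the series, which is the warning the v5 changelog entry says it was avoiding. Since the commit message says the user arrives in the next commit, consider folding this guard change into that commit, or marking the function __maybe_unused here, so each step of the series builds cleanly for bisection.

Review bot: In the last hunk (@@ -1277), the annotated "#endif /* CONFIG_CHECKPOINT_RESTORE */" and "#endif /* CONFIG_SECCOMP_FILTER */" lines make the new nesting easy to follow. As a style point, both guards test a single symbol, so "#ifdef CONFIG_SECCOMP_FILTER" and "#ifdef CONFIG_CHECKPOINT_RESTORE" would match the "#ifdef CONFIG_SYSCTL" that follows in the trailing context. The per-version changelog (v2 through v7) would also sit better below the "---" line so it does not end up in the permanent commit message.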