From: Hengqi Chen <hengqi.chen@gmail.com>
To: bpf@vger.kernel.org
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
	keescook@chromium.org, luto@amacapital.net, wad@chromium.org,
	hengqi.chen@gmail.com
Subject: [PATCH bpf-next 3/6] seccomp: Refactor filter copy/create for reuse
Date: Tue, 31 Oct 2023 01:24:04 +0000	[thread overview]
Message-ID: <20231031012407.51371-4-hengqi.chen@gmail.com> (raw)
In-Reply-To: <20231031012407.51371-1-hengqi.chen@gmail.com>

This refactors seccomp_prepare_filter() for reuse in
subsequent additions. No functional change intended.

Signed-off-by: Hengqi Chen <hengqi.chen@gmail.com>
---
 kernel/seccomp.c | 50 +++++++++++++++++++++++++++++++++---------------
 1 file changed, 35 insertions(+), 15 deletions(-)

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 1fa2312654a5..2a724690a627 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -641,14 +641,14 @@ static inline void seccomp_sync_threads(unsigned long flags)
 }
 
 /**
- * seccomp_prepare_filter: Prepares a seccomp filter for use.
- * @fprog: BPF program to install
+ * seccomp_prepare_prog - prepares a JITed BPF filter for use.
+ * @pfp: the unattached filter that is created
+ * @fprog: the filter program
  *
- * Returns filter on success or an ERR_PTR on failure.
+ * Returns 0 on success and non-zero otherwise.
  */
-static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog)
+static int seccomp_prepare_prog(struct bpf_prog **pfp, struct sock_fprog *fprog)
 {
-	struct seccomp_filter *sfilter;
 	int ret;
 	const bool save_orig =
 #if defined(CONFIG_CHECKPOINT_RESTORE) || defined(SECCOMP_ARCH_NATIVE)
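Review bot: The kernel-doc for seccomp_prepare_prog() is looser than the code it describes: the visible error paths return negative errno values, so `Returns 0 on success and non-zero otherwise.` would be more precise as `Returns 0 on success or a negative errno on failure.`. The `@pfp` line could also say that it is an output parameter and who releases the program, for example `@pfp: on success, set to the newly created program; the caller must release it with bpf_prog_destroy()`. The word "JITed" is presumably not guaranteed by bpf_prog_create_from_user() and may be worth dropping. The function body continues past this hunk.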
@@ -658,10 +658,27 @@ static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog)
 #endif
 
 	if (fprog->len == 0 || fprog->len > BPF_MAXINSNS)
-		return ERR_PTR(-EINVAL);
+		return -EINVAL;
 
 	BUG_ON(INT_MAX / fprog->len < sizeof(struct sock_filter));
 
+	ret = bpf_prog_create_from_user(pfp, fprog, seccomp_check_filter, save_orig);
+	if (ret < 0)
+		return ret;
+
+	return 0;
+}
+
+/**
+ * seccomp_prepare_filter: Prepares a seccomp filter for use.
+ * @prog: BPF program to install
+ *
+ * Returns filter on success or an ERR_PTR on failure.
+ */
+static struct seccomp_filter *seccomp_prepare_filter(struct bpf_prog *prog)
+{
+	struct seccomp_filter *sfilter;
+
 	/*
 	 * Installing a seccomp filter requires that the task has
 	 * CAP_SYS_ADMIN in its namespace or be running with no_new_privs.
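Review bot: Moving bpf_prog_create_from_user() into seccomp_prepare_prog() changes when the privilege check runs, which the commit message's "No functional change intended" does not cover. Before this patch the CAP_SYS_ADMIN / no_new_privs check (its comment starts at the end of this hunk) sat between the length check and program creation. Now seccomp_prepare_user_filter() calls seccomp_prepare_prog() first, so a task that will be refused still has its filter copied from user space, run through seccomp_check_filter and allocated before the refusal. That widens the kernel code reachable without the required privilege and changes which error such a caller sees for a malformed filter. Consider hoisting the check into a small helper that seccomp_prepare_user_filter() calls before seccomp_prepare_prog(), or stating the reordering in the commit message; seccomp_prepare_filter()'s body continues outside the hunk.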
@@ -678,13 +695,7 @@ static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog)
 		return ERR_PTR(-ENOMEM);
 
 	mutex_init(&sfilter->notify_lock);
-	ret = bpf_prog_create_from_user(&sfilter->prog, fprog,
-					seccomp_check_filter, save_orig);
-	if (ret < 0) {
-		kfree(sfilter);
-		return ERR_PTR(ret);
-	}
-
+	sfilter->prog = prog;
 	refcount_set(&sfilter->refs, 1);
 	refcount_set(&sfilter->users, 1);
 	init_waitqueue_head(&sfilter->wqh);
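Review bot: `sfilter->prog = prog;` makes seccomp_prepare_filter() take over a program it did not create, and nothing on the new side documents that transfer. A kernel-doc line such as `On success the returned filter owns @prog; on failure @prog is left untouched and the caller must release it.` would make the contract explicit for the later callers this refactor is meant to serve. The function starts and ends outside this hunk.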
@@ -701,8 +712,10 @@ static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog)
 static struct seccomp_filter *
 seccomp_prepare_user_filter(const char __user *user_filter)
 {
-	struct sock_fprog fprog;
 	struct seccomp_filter *filter = ERR_PTR(-EFAULT);
+	struct sock_fprog fprog;
+	struct bpf_prog *prog;
+	int ret;
 
 #ifdef CONFIG_COMPAT
 	if (in_compat_syscall()) {
@@ -715,7 +728,14 @@ seccomp_prepare_user_filter(const char __user *user_filter)
 #endif
 	if (copy_from_user(&fprog, user_filter, sizeof(fprog)))
 		goto out;
-	filter = seccomp_prepare_filter(&fprog);
+
+	ret = seccomp_prepare_prog(&prog, &fprog);
+	if (ret)
+		return ERR_PTR(ret);
+
+	filter = seccomp_prepare_filter(prog);
+	if (IS_ERR(filter))
+		bpf_prog_destroy(prog);
 out:
 	return filter;
 }
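Review bot: The new failure branch `return ERR_PTR(ret);` leaves seccomp_prepare_user_filter() directly, while the other failure path visible in this hunk goes through `out:`. To stay with the existing single-exit style, `filter = ERR_PTR(ret);` followed by `goto out;` would keep one return point and make later cleanup additions harder to miss. The function begins outside this hunk.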
-- 
2.34.1



Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-31  1:24 [PATCH bpf-next 0/6] bpf: Add seccomp program type Hengqi Chen
2023-10-31  1:24 ` [PATCH bpf-next 1/6] bpf: Introduce BPF_PROG_TYPE_SECCOMP Hengqi Chen
2023-11-02 17:30   ` Andrii Nakryiko
2023-11-02 19:49   ` Kees Cook
2023-11-02 19:53     ` Alexei Starovoitov
2023-11-03 20:44       ` Kees Cook
2023-11-03  5:46     ` Hengqi Chen
2023-11-03  8:47       ` Hengqi Chen
2023-10-31  1:24 ` [PATCH bpf-next 2/6] bpf: Add test_run support for seccomp program type Hengqi Chen
2023-11-02 17:32   ` Andrii Nakryiko
2023-10-31  1:24 ` Hengqi Chen [this message]
2023-10-31  1:24 ` [PATCH bpf-next 4/6] seccomp: Support attaching BPF_PROG_TYPE_SECCOMP progs Hengqi Chen
2023-10-31  1:24 ` [PATCH bpf-next 5/6] selftests/bpf: Add seccomp verifier tests Hengqi Chen
2023-10-31  1:24 ` [PATCH bpf-next 6/6] selftests/bpf: Test BPF_PROG_TYPE_SECCOMP Hengqi Chen
