diff options
author | Kees Cook <keescook@chromium.org> | 2014-06-26 00:38:02 +0200 |
---|---|---|
committer | Kees Cook <keescook@chromium.org> | 2014-07-18 21:13:36 +0200 |
commit | 1f41b450416e689b9b7c8bfb750a98604f687a9b (patch) | |
tree | f3429ad4a8e75c3e1f601af95113e19f88da4560 | |
parent | seccomp: create internal mode-setting function (diff) | |
download | linux-1f41b450416e689b9b7c8bfb750a98604f687a9b.tar.xz linux-1f41b450416e689b9b7c8bfb750a98604f687a9b.zip |
seccomp: extract check/assign mode helpers
To support splitting mode 1 from mode 2, extract the mode checking and
assignment logic into common functions.
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
-rw-r--r-- | kernel/seccomp.c | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/kernel/seccomp.c b/kernel/seccomp.c index afb916c7e890..9df7def86c3b 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -194,7 +194,23 @@ static u32 seccomp_run_filters(int syscall) } return ret; } +#endif /* CONFIG_SECCOMP_FILTER */ +static inline bool seccomp_may_assign_mode(unsigned long seccomp_mode) +{ + if (current->seccomp.mode && current->seccomp.mode != seccomp_mode) + return false; + + return true; +} + +static inline void seccomp_assign_mode(unsigned long seccomp_mode) +{ + current->seccomp.mode = seccomp_mode; + set_tsk_thread_flag(current, TIF_SECCOMP); +} + +#ifdef CONFIG_SECCOMP_FILTER /** * seccomp_attach_filter: Attaches a seccomp filter to current. * @fprog: BPF program to install @@ -490,8 +506,7 @@ static long seccomp_set_mode(unsigned long seccomp_mode, char __user *filter) { long ret = -EINVAL; - if (current->seccomp.mode && - current->seccomp.mode != seccomp_mode) + if (!seccomp_may_assign_mode(seccomp_mode)) goto out; switch (seccomp_mode) { @@ -512,8 +527,7 @@ static long seccomp_set_mode(unsigned long seccomp_mode, char __user *filter) goto out; } - current->seccomp.mode = seccomp_mode; - set_thread_flag(TIF_SECCOMP); + seccomp_assign_mode(seccomp_mode); out: return ret; } |