diff options
author | Will Drewry <wad@chromium.org> | 2012-04-12 23:47:52 +0200 |
---|---|---|
committer | James Morris <james.l.morris@oracle.com> | 2012-04-14 03:13:19 +0200 |
commit | 46b325c7eb01482674406701825ff67f561ccdd4 (patch) | |
tree | 3c6b4d424148c79820506bc2cda71b389798fbdb | |
parent | Fix execve behavior apparmor for PR_{GET,SET}_NO_NEW_PRIVS (diff) | |
download | linux-46b325c7eb01482674406701825ff67f561ccdd4.tar.xz linux-46b325c7eb01482674406701825ff67f561ccdd4.zip |
sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W
Introduces a new BPF ancillary instruction that all LD calls will be
mapped through when skb_run_filter() is being used for seccomp BPF. The
rewriting will be done using a secondary chk_filter function that is run
after skb_chk_filter.
The code change is guarded by CONFIG_SECCOMP_FILTER which is added,
along with the seccomp_bpf_load() function later in this series.
This is based on http://lkml.org/lkml/2012/3/2/141
Suggested-by: Indan Zupancic <indan@nul.nu>
Signed-off-by: Will Drewry <wad@chromium.org>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Eric Paris <eparis@redhat.com>
v18: rebase
...
v15: include seccomp.h explicitly for when seccomp_bpf_load exists.
v14: First cut using a single additional instruction
... v13: made bpf functions generic.
Signed-off-by: James Morris <james.l.morris@oracle.com>
-rw-r--r-- | include/linux/filter.h | 1 | ||||
-rw-r--r-- | net/core/filter.c | 6 |
2 files changed, 7 insertions, 0 deletions
diff --git a/include/linux/filter.h b/include/linux/filter.h index 8eeb205f298b..aaa2e80630b8 100644 --- a/include/linux/filter.h +++ b/include/linux/filter.h @@ -228,6 +228,7 @@ enum { BPF_S_ANC_HATYPE, BPF_S_ANC_RXHASH, BPF_S_ANC_CPU, + BPF_S_ANC_SECCOMP_LD_W, }; #endif /* __KERNEL__ */ diff --git a/net/core/filter.c b/net/core/filter.c index 6f755cca4520..491e2e1ec277 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -38,6 +38,7 @@ #include <linux/filter.h> #include <linux/reciprocal_div.h> #include <linux/ratelimit.h> +#include <linux/seccomp.h> /* No hurry in this branch * @@ -352,6 +353,11 @@ load_b: A = 0; continue; } +#ifdef CONFIG_SECCOMP_FILTER + case BPF_S_ANC_SECCOMP_LD_W: + A = seccomp_bpf_load(fentry->k); + continue; +#endif default: WARN_RATELIMIT(1, "Unknown code:%u jt:%u tf:%u k:%u\n", fentry->code, fentry->jt, |