summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorWill Drewry <wad@chromium.org>2012-04-12 23:47:52 +0200
committerJames Morris <james.l.morris@oracle.com>2012-04-14 03:13:19 +0200
commit46b325c7eb01482674406701825ff67f561ccdd4 (patch)
tree3c6b4d424148c79820506bc2cda71b389798fbdb
parentFix execve behavior apparmor for PR_{GET,SET}_NO_NEW_PRIVS (diff)
downloadlinux-46b325c7eb01482674406701825ff67f561ccdd4.tar.xz
linux-46b325c7eb01482674406701825ff67f561ccdd4.zip
sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W
Introduces a new BPF ancillary instruction that all LD calls will be mapped through when skb_run_filter() is being used for seccomp BPF. The rewriting will be done using a secondary chk_filter function that is run after skb_chk_filter. The code change is guarded by CONFIG_SECCOMP_FILTER which is added, along with the seccomp_bpf_load() function later in this series. This is based on http://lkml.org/lkml/2012/3/2/141 Suggested-by: Indan Zupancic <indan@nul.nu> Signed-off-by: Will Drewry <wad@chromium.org> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Acked-by: Eric Paris <eparis@redhat.com> v18: rebase ... v15: include seccomp.h explicitly for when seccomp_bpf_load exists. v14: First cut using a single additional instruction ... v13: made bpf functions generic. Signed-off-by: James Morris <james.l.morris@oracle.com>
-rw-r--r--include/linux/filter.h1
-rw-r--r--net/core/filter.c6
2 files changed, 7 insertions, 0 deletions
diff --git a/include/linux/filter.h b/include/linux/filter.h
index 8eeb205f298b..aaa2e80630b8 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -228,6 +228,7 @@ enum {
BPF_S_ANC_HATYPE,
BPF_S_ANC_RXHASH,
BPF_S_ANC_CPU,
+ BPF_S_ANC_SECCOMP_LD_W,
};
#endif /* __KERNEL__ */
diff --git a/net/core/filter.c b/net/core/filter.c
index 6f755cca4520..491e2e1ec277 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -38,6 +38,7 @@
#include <linux/filter.h>
#include <linux/reciprocal_div.h>
#include <linux/ratelimit.h>
+#include <linux/seccomp.h>
/* No hurry in this branch
*
@@ -352,6 +353,11 @@ load_b:
A = 0;
continue;
}
+#ifdef CONFIG_SECCOMP_FILTER
+ case BPF_S_ANC_SECCOMP_LD_W:
+ A = seccomp_bpf_load(fentry->k);
+ continue;
+#endif
default:
WARN_RATELIMIT(1, "Unknown code:%u jt:%u tf:%u k:%u\n",
fentry->code, fentry->jt,