diff options
Diffstat (limited to 'features/seccomp/sk_run_filter-add-BPF_S_ANC_SECCOMP_LD_W.patch')
-rw-r--r-- | features/seccomp/sk_run_filter-add-BPF_S_ANC_SECCOMP_LD_W.patch | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/features/seccomp/sk_run_filter-add-BPF_S_ANC_SECCOMP_LD_W.patch b/features/seccomp/sk_run_filter-add-BPF_S_ANC_SECCOMP_LD_W.patch new file mode 100644 index 00000000..00a6038a --- /dev/null +++ b/features/seccomp/sk_run_filter-add-BPF_S_ANC_SECCOMP_LD_W.patch @@ -0,0 +1,73 @@ +From 23be50acb6765e31a3c1c5b79421c81cce9dbbf9 Mon Sep 17 00:00:00 2001 +From: Will Drewry <wad@chromium.org> +Date: Thu, 12 Apr 2012 16:47:52 -0500 +Subject: [PATCH] sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W + +commit 46b325c7eb01482674406701825ff67f561ccdd4 upstream. + +Introduces a new BPF ancillary instruction that all LD calls will be +mapped through when skb_run_filter() is being used for seccomp BPF. The +rewriting will be done using a secondary chk_filter function that is run +after skb_chk_filter. + +The code change is guarded by CONFIG_SECCOMP_FILTER which is added, +along with the seccomp_bpf_load() function later in this series. + +This is based on http://lkml.org/lkml/2012/3/2/141 + +Suggested-by: Indan Zupancic <indan@nul.nu> +Signed-off-by: Will Drewry <wad@chromium.org> +Acked-by: Eric Dumazet <eric.dumazet@gmail.com> +Acked-by: Eric Paris <eparis@redhat.com> + +v18: rebase +... +v15: include seccomp.h explicitly for when seccomp_bpf_load exists. +v14: First cut using a single additional instruction +... v13: made bpf functions generic. +Signed-off-by: James Morris <james.l.morris@oracle.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + include/linux/filter.h | 1 + + net/core/filter.c | 6 ++++++ + 2 files changed, 7 insertions(+), 0 deletions(-) + +diff --git a/include/linux/filter.h b/include/linux/filter.h +index 8eeb205..aaa2e80 100644 +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -228,6 +228,7 @@ enum { + BPF_S_ANC_HATYPE, + BPF_S_ANC_RXHASH, + BPF_S_ANC_CPU, ++ BPF_S_ANC_SECCOMP_LD_W, + }; + + #endif /* __KERNEL__ */ +diff --git a/net/core/filter.c b/net/core/filter.c +index 6f755cc..491e2e1 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -38,6 +38,7 @@ + #include <linux/filter.h> + #include <linux/reciprocal_div.h> + #include <linux/ratelimit.h> ++#include <linux/seccomp.h> + + /* No hurry in this branch + * +@@ -352,6 +353,11 @@ load_b: + A = 0; + continue; + } ++#ifdef CONFIG_SECCOMP_FILTER ++ case BPF_S_ANC_SECCOMP_LD_W: ++ A = seccomp_bpf_load(fentry->k); ++ continue; ++#endif + default: + WARN_RATELIMIT(1, "Unknown code:%u jt:%u tf:%u k:%u\n", + fentry->code, fentry->jt, +-- +1.7.9.1 + |