summaryrefslogtreecommitdiffstats
path: root/kernel/seccomp.c
diff options
context:
space:
mode:
authorDaniel Borkmann <daniel@iogearbox.net>2015-10-02 15:17:33 +0200
committerDavid S. Miller <davem@davemloft.net>2015-10-05 06:47:05 -0700
commitbab18991871545dfbd10c931eb0fe8f7637156a9 (patch)
tree1d561750b012be096fce1637fef60a65fbef1fa4 /kernel/seccomp.c
parent0a15afd2eaceceff5be4c8b7166f01c1a68e9642 (diff)
downloadlinux-bab18991871545dfbd10c931eb0fe8f7637156a9.tar.gz
linux-bab18991871545dfbd10c931eb0fe8f7637156a9.tar.bz2
linux-bab18991871545dfbd10c931eb0fe8f7637156a9.zip
bpf, seccomp: prepare for upcoming criu support
The current ongoing effort to dump existing cBPF seccomp filters back to user space requires to hold the pre-transformed instructions like we do in case of socket filters from sk_attach_filter() side, so they can be reloaded in original form at a later point in time by utilities such as criu. To prepare for this, simply extend the bpf_prog_create_from_user() API to hold a flag that tells whether we should store the original or not. Also, fanout filters could make use of that in future for things like diag. While fanout filters already use bpf_prog_destroy(), move seccomp over to them as well to handle original programs when present. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Cc: Tycho Andersen <tycho.andersen@canonical.com> Cc: Pavel Emelyanov <xemul@parallels.com> Cc: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Alexei Starovoitov <ast@plumgrid.com> Tested-by: Tycho Andersen <tycho.andersen@canonical.com> Acked-by: Alexei Starovoitov <ast@plumgrid.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'kernel/seccomp.c')
-rw-r--r--kernel/seccomp.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 5bd4779282df..06858a74bb9c 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -370,7 +370,7 @@ static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog)
return ERR_PTR(-ENOMEM);
ret = bpf_prog_create_from_user(&sfilter->prog, fprog,
- seccomp_check_filter);
+ seccomp_check_filter, false);
if (ret < 0) {
kfree(sfilter);
return ERR_PTR(ret);
@@ -469,7 +469,7 @@ void get_seccomp_filter(struct task_struct *tsk)
static inline void seccomp_filter_free(struct seccomp_filter *filter)
{
if (filter) {
- bpf_prog_free(filter->prog);
+ bpf_prog_destroy(filter->prog);
kfree(filter);
}
}