From patchwork Mon Oct 9 12:40:43 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hengqi Chen X-Patchwork-Id: 150441 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:a888:0:b0:403:3b70:6f57 with SMTP id x8csp2228042vqo; Mon, 9 Oct 2023 19:02:41 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGD6wRvqrPrr41i5crZEHQAHKrRK2xJLhSQTfxInGLKn4S3XZCqrdhxDKqP/kC/96Zg4Fb5 X-Received: by 2002:a05:6808:30a4:b0:3a7:b4e8:563a with SMTP id bl36-20020a05680830a400b003a7b4e8563amr21120014oib.2.1696903361150; Mon, 09 Oct 2023 19:02:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696903361; cv=none; d=google.com; s=arc-20160816; b=g8lSwdB1cjcsYJxgpZFudzMyufO3Adm6dvy1cuSf8SKSA+FE2BVH7BU1HA1vO0GLJ3 1hbcdDLMKG1sRdpgV9EbS72/w3lNfJyJtksXuNmQNHaplFT0RTXUfcnyY/oQYbkSuAQm 2o9YjED8UlD6iNxpt3d7qKwEO9eh0/9D/J3pSyU3hBQsJRkYGGkAz1F2bdq++xJuSMFo IUuUVO3Iv5w0lb8D5LZV46Y7+UX+RmpDyH9RZHfK1KTfqR0lbps4GeplrTRBTfO5r2tA 1DteF0A+Lz/+B24YRssvRrfROzRHfiGUhc3HHnYVhWV/s2jZ55xiw+MHsWoQh1AhgFxk S/sQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=+VxS46BYkOtM3n7DPKOT+7jWKqjJz3x5dhTSs9Wey/A=; fh=UUVBB6hdZtgkdevQaSWXrPPcR6FiQNJo3IQxWCli3s0=; b=jJMBYSUD0iUYoRk6ukqGfRxjnfkBo4AhmC10eHlXoViSZ1U9Vo5fHQXLFf8yhOUjoe /Aomdoljxtn4sE4pLRkdkjuOPcP6fgz1k3MSFRz4YYnkFflWnpldC+Po+WxF2fY8Zht5 GUveTDwreNroUwXpyi9PiY+zs0hU389WhyBu/EvYcu0Iv2n6e/+Q7H2e5IrqKj2HL4zd THA69eR2rmrpyalbjnd2ndKl30iTzCSnSBlhTTyFMzzKgpzXV+lXdZ0KMpjM/xq0rEG/ 66CFBVFWyxP2C27pYJ3AxdHtYx+a61G3j1YZI2IyfS6TiQV7eJCoJIrOuIIUcv9n4xUt 4y+A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=T3aE0jdN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:6 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from pete.vger.email (pete.vger.email. [2620:137:e000::3:6]) by mx.google.com with ESMTPS id y7-20020a636407000000b005898dbb67a7si8364153pgb.718.2023.10.09.19.02.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 09 Oct 2023 19:02:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:6 as permitted sender) client-ip=2620:137:e000::3:6; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=T3aE0jdN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:6 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by pete.vger.email (Postfix) with ESMTP id 7A3AE804130E; Mon, 9 Oct 2023 19:02:38 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at pete.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1441822AbjJJCC0 (ORCPT + 20 others); Mon, 9 Oct 2023 22:02:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41962 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234610AbjJJCCZ (ORCPT ); Mon, 9 Oct 2023 22:02:25 -0400 Received: from mail-pf1-x431.google.com (mail-pf1-x431.google.com [IPv6:2607:f8b0:4864:20::431]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7562DB6; Mon, 9 Oct 2023 19:02:23 -0700 (PDT) Received: by mail-pf1-x431.google.com with SMTP id d2e1a72fcca58-6934202b8bdso4219756b3a.1; Mon, 09 Oct 2023 19:02:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1696903343; x=1697508143; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=+VxS46BYkOtM3n7DPKOT+7jWKqjJz3x5dhTSs9Wey/A=; b=T3aE0jdN0XsYgzr+jcXWVJveECX4F7A76p4QA6JIhAwkRtd0LzCo1wRDRykdYaShGI dATLylqxruhu5yMRJ9FizUYNVkZm2V2QoTFbHxK4y/e2gH4qQUH+mUMbg7b9bkuYO3JO JRGr9zT0r1vQPETYgk5s5uDL166C9vgN7wogjxDguf/dfGNNfbkCdZTRYLrUuPBrOpR/ VAucJ7/qsYJIuTQgh98bgF1QKadsNrXfizP74hExYuxosOilsQUOVptZPnGFPOqxfbP9 n1L5e3O8jhodkykyOKUFYo6WVN0iQHM2S27EPseqTv2LH5SzeLxTA9F6XhRV6ruhCOxW fPtQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696903343; x=1697508143; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=+VxS46BYkOtM3n7DPKOT+7jWKqjJz3x5dhTSs9Wey/A=; b=EUjPIA3vTNKd6n4GpEnuvUgHxyLnlSradLZ9djngXGWnL1cO3sYFhCM46u4s8ofE39 pEAMf7CZ4Bz8DVmvVMVzmMUn6azzsa82oZ+fuqyRp4/SLvZ334KRd2DmEZ/14lEr3qMF /yCqWINGcTIcbEhsWazgREd+ISQP6dE4Vs3DYarkCMMCYbvI8Cp5zPodTk5zJeQVviV5 V7pa3fX/KEl/j1zmyU+Oe33AnO2pwilGcIzdT51umySVkFq6XbNpfaO/R3XUpeIHDpxC C+w87MRhQmZpq2xnHrTdEKQB7i6euf3ZLpebD12kCOCSA6tbv3MlKXlVnIXgZINH2z1L 44Xw== X-Gm-Message-State: AOJu0YwwggTIrCd7QCOKyBxnUNx4z+IwhJEPAU74bM8Rp0iRxa4DUU5f 2M6xo6VYvCyneAOsfet2bIOkpyS+X3TIAA== X-Received: by 2002:a05:6a00:1390:b0:693:3d55:2ba6 with SMTP id t16-20020a056a00139000b006933d552ba6mr21377676pfg.9.1696903342657; Mon, 09 Oct 2023 19:02:22 -0700 (PDT) Received: from ubuntu.. ([43.132.98.112]) by smtp.googlemail.com with ESMTPSA id t28-20020aa7939c000000b0068a46cd4120sm7044809pfe.199.2023.10.09.19.02.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 09 Oct 2023 19:02:22 -0700 (PDT) From: Hengqi Chen To: linux-kernel@vger.kernel.org, bpf@vger.kernel.org Cc: keescook@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, luto@amacapital.net, wad@chromium.org, alexyonghe@tencent.com, hengqi.chen@gmail.com Subject: [PATCH 1/4] seccomp: Refactor filter copy/create for reuse Date: Mon, 9 Oct 2023 12:40:43 +0000 Message-Id: <20231009124046.74710-2-hengqi.chen@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231009124046.74710-1-hengqi.chen@gmail.com> References: <20231009124046.74710-1-hengqi.chen@gmail.com> MIME-Version: 1.0 X-Spam-Status: No, score=3.8 required=5.0 tests=DATE_IN_PAST_12_24,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_SBL_CSS, SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Mon, 09 Oct 2023 19:02:38 -0700 (PDT) X-Spam-Level: *** X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1779332138739154546 X-GMAIL-MSGID: 1779332138739154546 This extracts two helpers for reuse in subsequent additions. No functional change intended, just a prep work. Signed-off-by: Hengqi Chen --- kernel/seccomp.c | 76 ++++++++++++++++++++++++++++++++++-------------- 1 file changed, 54 insertions(+), 22 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 255999ba9190..37490497f687 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -640,14 +640,14 @@ static inline void seccomp_sync_threads(unsigned long flags) } /** - * seccomp_prepare_filter: Prepares a seccomp filter for use. - * @fprog: BPF program to install + * seccomp_prepare_prog - prepares a JITed BPF filter for use. + * @pfp: the unattached filter that is created + * @fprog: the filter program * - * Returns filter on success or an ERR_PTR on failure. + * Returns 0 on success and non-zero otherwise. */ -static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog) +static int seccomp_prepare_prog(struct bpf_prog **pfp, struct sock_fprog *fprog) { - struct seccomp_filter *sfilter; int ret; const bool save_orig = #if defined(CONFIG_CHECKPOINT_RESTORE) || defined(SECCOMP_ARCH_NATIVE) @@ -657,10 +657,28 @@ static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog) #endif if (fprog->len == 0 || fprog->len > BPF_MAXINSNS) - return ERR_PTR(-EINVAL); + return -EINVAL; BUG_ON(INT_MAX / fprog->len < sizeof(struct sock_filter)); + ret = bpf_prog_create_from_user(pfp, fprog, seccomp_check_filter, save_orig); + if (ret < 0) + return ret; + + return 0; +} + +/** + * seccomp_prepare_filter: Prepares a seccomp filter for use. + * @fprog: BPF program to install + * + * Returns filter on success or an ERR_PTR on failure. + */ +static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog) +{ + struct seccomp_filter *sfilter; + int ret; + /* * Installing a seccomp filter requires that the task has * CAP_SYS_ADMIN in its namespace or be running with no_new_privs. @@ -677,8 +695,7 @@ static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog) return ERR_PTR(-ENOMEM); mutex_init(&sfilter->notify_lock); - ret = bpf_prog_create_from_user(&sfilter->prog, fprog, - seccomp_check_filter, save_orig); + ret = seccomp_prepare_prog(&sfilter->prog, fprog); if (ret < 0) { kfree(sfilter); return ERR_PTR(ret); @@ -692,31 +709,46 @@ static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog) } /** - * seccomp_prepare_user_filter - prepares a user-supplied sock_fprog + * seccomp_copy_user_filter - copies a user-supplied sock_fprog * @user_filter: pointer to the user data containing a sock_fprog. + * @fprog: pointer to store the copied BPF program * * Returns 0 on success and non-zero otherwise. */ -static struct seccomp_filter * -seccomp_prepare_user_filter(const char __user *user_filter) +static int seccomp_copy_user_filter(const char __user *user_filter, struct sock_fprog *fprog) { - struct sock_fprog fprog; - struct seccomp_filter *filter = ERR_PTR(-EFAULT); - #ifdef CONFIG_COMPAT if (in_compat_syscall()) { struct compat_sock_fprog fprog32; if (copy_from_user(&fprog32, user_filter, sizeof(fprog32))) - goto out; - fprog.len = fprog32.len; - fprog.filter = compat_ptr(fprog32.filter); + return -EFAULT; + fprog->len = fprog32.len; + fprog->filter = compat_ptr(fprog32.filter); } else /* falls through to the if below. */ #endif - if (copy_from_user(&fprog, user_filter, sizeof(fprog))) - goto out; - filter = seccomp_prepare_filter(&fprog); -out: - return filter; + if (copy_from_user(fprog, user_filter, sizeof(*fprog))) + return -EFAULT; + + return 0; +} + +/** + * seccomp_prepare_user_filter - prepares a user-supplied sock_fprog + * @user_filter: pointer to the user data containing a sock_fprog. + * + * Returns filter on success or an ERR_PTR on failure. + */ +static struct seccomp_filter * +seccomp_prepare_user_filter(const char __user *user_filter) +{ + struct sock_fprog fprog; + int ret; + + ret = seccomp_copy_user_filter(user_filter, &fprog); + if (ret) + return ERR_PTR(ret); + + return seccomp_prepare_filter(&fprog); } #ifdef SECCOMP_ARCH_NATIVE From patchwork Mon Oct 9 12:40:44 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hengqi Chen X-Patchwork-Id: 150443 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:a888:0:b0:403:3b70:6f57 with SMTP id x8csp2228200vqo; Mon, 9 Oct 2023 19:03:06 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHH8bl+ioNoaFuR+taiFF+tpkMmKFMAQ52YF/0HoJHxynqlSabQ2glOa1lwPLGFm5yxhZIV X-Received: by 2002:a9d:7490:0:b0:6be:fd1c:c228 with SMTP id t16-20020a9d7490000000b006befd1cc228mr15664581otk.1.1696903386159; Mon, 09 Oct 2023 19:03:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696903386; cv=none; d=google.com; s=arc-20160816; b=pM7W0n0mf6P8O7gn/6aNB/JRHzgsTnwo2WVqAqzZ2gghnPd+4CxIALngNAHVfZm9QH mL7UuziT8wJE1mAN3tKj5nfweqfPk2bdcBdoHZAKzrvvRrXJB2Hc8MjHdfzQMdkCoizU qcU5zZtjrdLJsiQr41KHqg4UM+FaXgfWFoSw+FLLpoxIfIYhx7FGowuIL1qtQy2sHIRJ bVoV55P6Qkv0KNyLALc05Qu1Vm/ViGvn54esaKaaEPhR6EannKt4PmRjfuTI6elJE/AO uMIOSe+5WGwrwcIEJDduYFn6LCi9xcWZlivHfuVNSK243XJLnpxywBQQwHwU3iEegCQg kk+Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=8MoH5lgYSa4yL07ZT7yepVJBaBTQBgOgS38SCCkBf/E=; fh=UUVBB6hdZtgkdevQaSWXrPPcR6FiQNJo3IQxWCli3s0=; b=xOc0pU4G2ZYc5wOa1IjoVm6gVt2edglV9Hckvb2a+6PaoRqBUQxWEDopyPmpQ72+oV weCMItkhjMyNDrGGFxU8Q3aMVAZ7z9hTEDIRJTUS7M47HavXeiosHZ1kulNCRQQQodQ9 YDqYPVc2zEWCgDIDMckJ48WAHqmnyNVsoIZbDHUVnzkTLgvdrOHLo9LoMiSeO18UnjPs +54klIv9BterpZLzaRcIypfr+ey85gFJQr8QVx1j9hdi9l2FI3zIgNrwCNFZF83NRY62 VuYRjtf+pN/1rI2eFyhxr8KyQ643JqX/Qy1Np6hAX/uTHfUGfP7A9FSM7+iDCBkh1QNU IL9A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=VkNA4XiJ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:6 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from pete.vger.email (pete.vger.email. [2620:137:e000::3:6]) by mx.google.com with ESMTPS id c5-20020a6566c5000000b00578b93b1b26si10944930pgw.544.2023.10.09.19.03.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 09 Oct 2023 19:03:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:6 as permitted sender) client-ip=2620:137:e000::3:6; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=VkNA4XiJ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:6 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by pete.vger.email (Postfix) with ESMTP id DE1D58029501; Mon, 9 Oct 2023 19:03:03 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at pete.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1441839AbjJJCCd (ORCPT + 20 others); Mon, 9 Oct 2023 22:02:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50638 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1441832AbjJJCCb (ORCPT ); Mon, 9 Oct 2023 22:02:31 -0400 Received: from mail-pf1-x432.google.com (mail-pf1-x432.google.com [IPv6:2607:f8b0:4864:20::432]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 66C9FC4; Mon, 9 Oct 2023 19:02:28 -0700 (PDT) Received: by mail-pf1-x432.google.com with SMTP id d2e1a72fcca58-68bed2c786eso3754521b3a.0; Mon, 09 Oct 2023 19:02:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1696903347; x=1697508147; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=8MoH5lgYSa4yL07ZT7yepVJBaBTQBgOgS38SCCkBf/E=; b=VkNA4XiJCcYgdEC+Ky7EqMyfww1g5Sblz3/KxOvRVW+/HCI7n8YcHO2bLqF7O2lAvn sV7/UBqJZ5Ds/z6RQAiGIfIQ9V2Gwbzkg9Pmu36eZLl6bMxlWd50EhQLSiTamSyu9jZe YF8Fs6Z0G3lwKvncVe7l7NhdhenkpK2mK2p3n/N6k0A25uRokp0uGseUFjKZnB8Mc6Ud aGLwPWQTYlLThMNqDru89H7Cscbyjpz/g25JSsYgXKLdMZIcZTu2ixjxClJvCq8L6gkm 52QYmn8fC7SYwb+bdw2aRbXpqWwwFuddFEV9wel1gAzWrG9KMxwJ9SEZ4l0AOnj9T9s1 hnug== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696903347; x=1697508147; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=8MoH5lgYSa4yL07ZT7yepVJBaBTQBgOgS38SCCkBf/E=; b=CpvTlZxNxjxZvOeOxjNOAz9nwv0sHEWBumxri9DbgMKvMPlTYgpQGx/xT9rpouMlJY QWS8X5Mo6rcnnz6OeWUBbyV02a1Dv2SomhXznAo9yUkzroNS8sXfg3JRur8+TcfM988I F3S04I8B0UOnVf9XbzwtEWtriwC6zMQOOT9WHJZUelrNbKn669/Ywv7VvrMEr3gpEu0s Zp7ndTHXa6pnWI0GviPHz/kpZ8XHLrRB4i0zHlqaymxGDw+xswjd7+H5c9GXsm2UxRV1 f2gtIYoMMO0OHPgpLwwzAecOLHMgJL5dNH5nxyGJroXANqu2DzJu0F+KbRer09O4K32N H5ug== X-Gm-Message-State: AOJu0YyP/EbMAvDV1V4InvfBBUyC9XYO5uFcJHpnY28Kcigd0o+7yKbc mrKHRArq1jqo80Z4LK37dE23XJU+xE0a1g== X-Received: by 2002:a05:6a20:cea8:b0:171:878f:8f9b with SMTP id if40-20020a056a20cea800b00171878f8f9bmr1060823pzb.26.1696903347428; Mon, 09 Oct 2023 19:02:27 -0700 (PDT) Received: from ubuntu.. ([43.132.98.112]) by smtp.googlemail.com with ESMTPSA id t28-20020aa7939c000000b0068a46cd4120sm7044809pfe.199.2023.10.09.19.02.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 09 Oct 2023 19:02:27 -0700 (PDT) From: Hengqi Chen To: linux-kernel@vger.kernel.org, bpf@vger.kernel.org Cc: keescook@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, luto@amacapital.net, wad@chromium.org, alexyonghe@tencent.com, hengqi.chen@gmail.com Subject: [PATCH 2/4] seccomp, bpf: Introduce SECCOMP_LOAD_FILTER operation Date: Mon, 9 Oct 2023 12:40:44 +0000 Message-Id: <20231009124046.74710-3-hengqi.chen@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231009124046.74710-1-hengqi.chen@gmail.com> References: <20231009124046.74710-1-hengqi.chen@gmail.com> MIME-Version: 1.0 X-Spam-Status: No, score=3.8 required=5.0 tests=DATE_IN_PAST_12_24,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_SBL_CSS, SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Mon, 09 Oct 2023 19:03:03 -0700 (PDT) X-Spam-Level: *** X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1779332165423743116 X-GMAIL-MSGID: 1779332165423743116 This patch adds a new operation named SECCOMP_LOAD_FILTER. It accepts the same arguments as SECCOMP_SET_MODE_FILTER but only performs the loading process. If succeed, return a new fd associated with the JITed BPF program (the filter). The filter can then be pinned to bpffs using the returned fd and reused for different processes. To distinguish the filter from other BPF progs, BPF_PROG_TYPE_SECCOMP is added. Signed-off-by: Hengqi Chen --- include/uapi/linux/bpf.h | 1 + include/uapi/linux/seccomp.h | 1 + kernel/seccomp.c | 40 ++++++++++++++++++++++++++++++++++++ 3 files changed, 42 insertions(+) diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index 70bfa997e896..8890fb776bbb 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -995,6 +995,7 @@ enum bpf_prog_type { BPF_PROG_TYPE_SK_LOOKUP, BPF_PROG_TYPE_SYSCALL, /* a program that can execute syscalls */ BPF_PROG_TYPE_NETFILTER, + BPF_PROG_TYPE_SECCOMP, }; enum bpf_attach_type { diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h index dbfc9b37fcae..ee2c83697810 100644 --- a/include/uapi/linux/seccomp.h +++ b/include/uapi/linux/seccomp.h @@ -16,6 +16,7 @@ #define SECCOMP_SET_MODE_FILTER 1 #define SECCOMP_GET_ACTION_AVAIL 2 #define SECCOMP_GET_NOTIF_SIZES 3 +#define SECCOMP_LOAD_FILTER 4 /* Valid flags for SECCOMP_SET_MODE_FILTER */ #define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 37490497f687..3ae43db3b642 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -2028,12 +2028,47 @@ static long seccomp_set_mode_filter(unsigned int flags, seccomp_filter_free(prepared); return ret; } + +static long seccomp_load_filter(const char __user *filter) +{ + struct sock_fprog fprog; + struct bpf_prog *prog; + int ret; + + ret = seccomp_copy_user_filter(filter, &fprog); + if (ret) + return ret; + + ret = seccomp_prepare_prog(&prog, &fprog); + if (ret) + return ret; + + ret = security_bpf_prog_alloc(prog->aux); + if (ret) { + bpf_prog_free(prog); + return ret; + } + + prog->aux->user = get_current_user(); + atomic64_set(&prog->aux->refcnt, 1); + prog->type = BPF_PROG_TYPE_SECCOMP; + + ret = bpf_prog_new_fd(prog); + if (ret < 0) + bpf_prog_put(prog); + return ret; +} #else static inline long seccomp_set_mode_filter(unsigned int flags, const char __user *filter) { return -EINVAL; } + +static inline long seccomp_load_filter(const char __user *filter) +{ + return -EINVAL; +} #endif static long seccomp_get_action_avail(const char __user *uaction) @@ -2095,6 +2130,11 @@ static long do_seccomp(unsigned int op, unsigned int flags, return -EINVAL; return seccomp_get_notif_sizes(uargs); + case SECCOMP_LOAD_FILTER: + if (flags != 0) + return -EINVAL; + + return seccomp_load_filter(uargs); default: return -EINVAL; } From patchwork Mon Oct 9 12:40:45 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hengqi Chen X-Patchwork-Id: 150442 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:a888:0:b0:403:3b70:6f57 with SMTP id x8csp2228190vqo; Mon, 9 Oct 2023 19:03:04 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHNWOt652gr7S1IA6/MaTGE3IetatsoCXP7PvsEttKDHlUUHeZ0EEKfglTavTeoHpbDuC7M X-Received: by 2002:a05:6e02:2189:b0:34f:35e8:5098 with SMTP id j9-20020a056e02218900b0034f35e85098mr21561191ila.20.1696903384409; Mon, 09 Oct 2023 19:03:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696903384; cv=none; d=google.com; s=arc-20160816; b=CXG7mwCan4d5lkiHvnZEijeJ2Yp1ZN30yqHHuzzaI9zRGY5Lc6m/J9gGRQDv522gTh XH4nwyLDOpIG4HZjftDOaUbRQH1WqyTqmHWgKg/ZKbh4b2K+W12aIlrL/L2WLBDAN2f/ HBZeEnhdjumbUo0KLhyYt5xJH1LQj4IIQspjTqCcKDiKh20vBw+IKEPzjKp0R04gfK/Z 79Iy/hbcwEnWjwHsZmOQTcfYdJOcj5aRoG9AACRNzVPd0Na4J+M1t4qD4r3njiHomJY4 JIvHfgy2/kfy5/zFehgHRcgVLkk6xy+b11F0kSMx9ExLP+SSaHR1kvXDQUygkFiq66yG 8Jyg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=hd0Jd8fTbfkR1Wny5FqeiXspnLvfaqfYN+8ZoWdzer8=; fh=UUVBB6hdZtgkdevQaSWXrPPcR6FiQNJo3IQxWCli3s0=; b=CQQs9PQuyfANfJja+83wF272I6Di7UjBSygnbTiIVd5UsLunE1UQommvQbzYdoqZkz tbQxw8aU7Cn0LXR5r/gx2Pc4bqxb3QECHmx3KAzw3qjG0mP9XF+L2mACGnyUG1RHEfPi lxeD/KPhUVZYLtDd+YYTY4ktpPw+DU5n3FlTY6Io6RQWRo9kXmZR0sXxOoyHeDpZalE/ kct0FXahF8BNAYmOCh1gQhzX+VltU0VwVOy2cnoRTri+L0Z8GMPcA3CaoL0876rVYLW2 q/O2jyhmGDZ2vYKron/rDfwZWOuErRAeonX2/liJNnui6Bre0sUJE/RAzeGd+zFHiJbs VGbw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Zsk2prxx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from morse.vger.email (morse.vger.email. [2620:137:e000::3:1]) by mx.google.com with ESMTPS id az1-20020a056a02004100b00578e21ee4a0si620765pgb.174.2023.10.09.19.03.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 09 Oct 2023 19:03:04 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) client-ip=2620:137:e000::3:1; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Zsk2prxx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by morse.vger.email (Postfix) with ESMTP id 393CC81EA5EA; Mon, 9 Oct 2023 19:03:02 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at morse.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1441824AbjJJCCj (ORCPT + 20 others); Mon, 9 Oct 2023 22:02:39 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37576 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1441821AbjJJCCg (ORCPT ); Mon, 9 Oct 2023 22:02:36 -0400 Received: from mail-oa1-x2f.google.com (mail-oa1-x2f.google.com [IPv6:2001:4860:4864:20::2f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 92E6A8F; Mon, 9 Oct 2023 19:02:34 -0700 (PDT) Received: by mail-oa1-x2f.google.com with SMTP id 586e51a60fabf-1dcfe9cd337so2543082fac.2; Mon, 09 Oct 2023 19:02:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1696903353; x=1697508153; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=hd0Jd8fTbfkR1Wny5FqeiXspnLvfaqfYN+8ZoWdzer8=; b=Zsk2prxxot7oIGdcv3NB4/x50HPhIfAhtKsh7rCXcxN98zhuLALVW2w4YgOHPX0+lj 3OeYEMhijcCvpm5ESii97grFFGxE0I0RbQ+k5L0VrFi5YsTwUAIo6XVsqaeY6+IfQ7dB NNS0aQtSeZEf0jFMM1olGw8ShYKvcr+ZQ2zAenoQsN+8XiXqrhrmQ32tVdUgG7I9RshN qjDEgSxDf9OUz5bw7/3OfwcfmRlA3M4DYAhYfSUjKeAtvgxgcfcVC3ny4haeUagPWF7i tZHMoutZkrPmMsHbzDJbQ2SPx6I7YItVYIdLxOkm+efIm55bnTXRlEcW64/0lWOjmdFU 3jRQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696903353; x=1697508153; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=hd0Jd8fTbfkR1Wny5FqeiXspnLvfaqfYN+8ZoWdzer8=; b=c9uHg0LpDaO4jCg/lQvvawiOpyWNjwxe65V4bMrEMB+Vw3UwNEzqXJm0h7Ou/kAH56 iykRVX/PaUD3nM9FBNiM2uQWP4QLSJybEHW3dYbWp9ebu78zZcUrQ+cg08eDvvDjKQ22 qn10mavLsC8GWyr/AmqjSHRr4+H1+Z+idXEVnDPZ9XhbzhQhzWdWMYcFJ7wIYVhyYg42 WangoX76uTKEyCeJXhrcroB5+ACBpaPwjDgyJjrCmreAxs6EvZA1W3gZ5tUGvqQX82Ms q55Tjt4eSOYJAqo1IQEeuyEdAQnEnPDnXBubK/O4Tbr2SEUi1OzyxkH8jK58OdcCKLRY BbPw== X-Gm-Message-State: AOJu0YxAnW9gICbGHoyXRBSBL8uDYnJlH/M/91KyI9/NNoNYy/IcguMf MN53ZwgWmjYJh2HN1eGoJNkVywlsTdqtTQ== X-Received: by 2002:a05:6870:c0c5:b0:1e0:eb36:a7ed with SMTP id e5-20020a056870c0c500b001e0eb36a7edmr16247567oad.29.1696903353597; Mon, 09 Oct 2023 19:02:33 -0700 (PDT) Received: from ubuntu.. ([43.132.98.112]) by smtp.googlemail.com with ESMTPSA id t28-20020aa7939c000000b0068a46cd4120sm7044809pfe.199.2023.10.09.19.02.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 09 Oct 2023 19:02:33 -0700 (PDT) From: Hengqi Chen To: linux-kernel@vger.kernel.org, bpf@vger.kernel.org Cc: keescook@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, luto@amacapital.net, wad@chromium.org, alexyonghe@tencent.com, hengqi.chen@gmail.com Subject: [PATCH 3/4] seccomp: Introduce SECCOMP_ATTACH_FILTER operation Date: Mon, 9 Oct 2023 12:40:45 +0000 Message-Id: <20231009124046.74710-4-hengqi.chen@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231009124046.74710-1-hengqi.chen@gmail.com> References: <20231009124046.74710-1-hengqi.chen@gmail.com> MIME-Version: 1.0 X-Spam-Status: No, score=3.8 required=5.0 tests=DATE_IN_PAST_12_24,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_SBL_CSS, SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]); Mon, 09 Oct 2023 19:03:02 -0700 (PDT) X-Spam-Level: *** X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1779332163116438459 X-GMAIL-MSGID: 1779332163116438459 The SECCOMP_ATTACH_FILTER operation is used to attach a loaded filter to the current process. The loaded filter is represented by a fd which is either returned by the SECCOMP_LOAD_FILTER operation or obtained from bpffs using bpf syscall. Signed-off-by: Hengqi Chen --- include/uapi/linux/seccomp.h | 1 + kernel/seccomp.c | 68 +++++++++++++++++++++++++++++++++--- 2 files changed, 64 insertions(+), 5 deletions(-) diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h index ee2c83697810..fbe30262fdfc 100644 --- a/include/uapi/linux/seccomp.h +++ b/include/uapi/linux/seccomp.h @@ -17,6 +17,7 @@ #define SECCOMP_GET_ACTION_AVAIL 2 #define SECCOMP_GET_NOTIF_SIZES 3 #define SECCOMP_LOAD_FILTER 4 +#define SECCOMP_ATTACH_FILTER 5 /* Valid flags for SECCOMP_SET_MODE_FILTER */ #define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 3ae43db3b642..9f9d8a7a1d6e 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -523,7 +523,10 @@ static inline pid_t seccomp_can_sync_threads(void) static inline void seccomp_filter_free(struct seccomp_filter *filter) { if (filter) { - bpf_prog_destroy(filter->prog); + if (filter->prog->type == BPF_PROG_TYPE_SECCOMP) + bpf_prog_put(filter->prog); + else + bpf_prog_destroy(filter->prog); kfree(filter); } } @@ -894,7 +897,7 @@ static void seccomp_cache_prepare(struct seccomp_filter *sfilter) #endif /* SECCOMP_ARCH_NATIVE */ /** - * seccomp_attach_filter: validate and attach filter + * seccomp_do_attach_filter: validate and attach filter * @flags: flags to change filter behavior * @filter: seccomp filter to add to the current process * @@ -905,8 +908,8 @@ static void seccomp_cache_prepare(struct seccomp_filter *sfilter) * seccomp mode or did not have an ancestral seccomp filter * - in NEW_LISTENER mode: the fd of the new listener */ -static long seccomp_attach_filter(unsigned int flags, - struct seccomp_filter *filter) +static long seccomp_do_attach_filter(unsigned int flags, + struct seccomp_filter *filter) { unsigned long total_insns; struct seccomp_filter *walker; @@ -2001,7 +2004,7 @@ static long seccomp_set_mode_filter(unsigned int flags, goto out; } - ret = seccomp_attach_filter(flags, prepared); + ret = seccomp_do_attach_filter(flags, prepared); if (ret) goto out; /* Do not free the successfully attached filter. */ @@ -2058,6 +2061,51 @@ static long seccomp_load_filter(const char __user *filter) bpf_prog_put(prog); return ret; } + +static long seccomp_attach_filter(const char __user *ufd) +{ + const unsigned long seccomp_mode = SECCOMP_MODE_FILTER; + struct seccomp_filter *sfilter; + struct bpf_prog *prog; + int flags = 0; + int fd, ret; + + if (copy_from_user(&fd, ufd, sizeof(fd))) + return -EFAULT; + + prog = bpf_prog_get_type(fd, BPF_PROG_TYPE_SECCOMP); + if (IS_ERR(prog)) + return PTR_ERR(prog); + + sfilter = kzalloc(sizeof(*sfilter), GFP_KERNEL | __GFP_NOWARN); + if (!sfilter) { + bpf_prog_put(prog); + return -ENOMEM; + } + + sfilter->prog = prog; + refcount_set(&sfilter->refs, 1); + refcount_set(&sfilter->users, 1); + mutex_init(&sfilter->notify_lock); + init_waitqueue_head(&sfilter->wqh); + + spin_lock_irq(¤t->sighand->siglock); + + ret = -EINVAL; + if (!seccomp_may_assign_mode(seccomp_mode)) + goto out; + + ret = seccomp_do_attach_filter(flags, sfilter); + if (ret) + goto out; + + sfilter = NULL; + seccomp_assign_mode(current, seccomp_mode, flags); +out: + spin_unlock_irq(¤t->sighand->siglock); + seccomp_filter_free(sfilter); + return ret; +} #else static inline long seccomp_set_mode_filter(unsigned int flags, const char __user *filter) @@ -2069,6 +2117,11 @@ static inline long seccomp_load_filter(const char __user *filter) { return -EINVAL; } + +static inline long seccomp_attach_filter(const char __user *ufd) +{ + return -EINVAL; +} #endif static long seccomp_get_action_avail(const char __user *uaction) @@ -2135,6 +2188,11 @@ static long do_seccomp(unsigned int op, unsigned int flags, return -EINVAL; return seccomp_load_filter(uargs); + case SECCOMP_ATTACH_FILTER: + if (flags != 0) + return -EINVAL; + + return seccomp_attach_filter(uargs); default: return -EINVAL; } From patchwork Mon Oct 9 12:40:46 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hengqi Chen X-Patchwork-Id: 150444 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:a888:0:b0:403:3b70:6f57 with SMTP id x8csp2228239vqo; Mon, 9 Oct 2023 19:03:11 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHu/d/dSNg0zZc82mUc86K9dgpixK8obZT7IJW2cQVnU9L33iFNpVyAXZAaBwbCTKXxCQID X-Received: by 2002:a05:6e02:2143:b0:351:4b68:ec3b with SMTP id d3-20020a056e02214300b003514b68ec3bmr23200028ilv.10.1696903391697; Mon, 09 Oct 2023 19:03:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696903391; cv=none; d=google.com; s=arc-20160816; b=I84mML5MTGBWwSAtgNUhPT0jUEHDXpe91Y5qk6InY39QTFqoPSr/E/ZHqcthBqc6/C V5DCWhxEZE+FOyibSE2N9aeBazrCQkOUsCWAci96Xf3/u2wBErUFozkp3qwJMBLq1kWr k4F48Rvpt5PpZRpCJ21d5iBRcFToX9yjHG+KnDcMoIkMdHlMnbn0Tl3BPX5FgSn/sbjN K0axKQH9IBrPaHvOCooJ1VrPDF53EpqHig3PjPIzOXrnIDDiPxqbbcTQA10+uL/Dq+N5 cAUYANDWw8C4qujZ/U7jZs7/EIavCmZwC8aho208PPPCVH2pouIhBziSgRZJL940LX3f kxnw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=WtdXd8zzfUQBn/Ye5tSm8UdJuve0zGYoqRvrat58Hz4=; fh=UUVBB6hdZtgkdevQaSWXrPPcR6FiQNJo3IQxWCli3s0=; b=MJMtpbU7jIEkIvoZoaHQAaymJW2hOnKOD4T8IqAaR97EPrR4kjR+XlNt2olS7AMqTZ 7NDNvGekweMqpaL34wAT77aSvbaUcFgdvyGpfHERcC40EUWEbKHO887mI5kNZo59ENCn fAQBJEhfWnd86IjoMg0c+L3FJI0uaE2Osq5lI6IeftnfMwyHV1w7E8+RQZFGy+8jO7we oRgI14+e7wYduQkOwFNfED9T/0Rzfn6HhOsCVozoaJ47wfvKLACEN33pBJL827a3l7Xx qRh52dUHBoAYPMCLxSzjjF9gmM6VtogDDO8K/1KUpihCSQ5F8s0d89lOYs1tuDPDXyEk VaJQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=YfDFt3MU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from morse.vger.email (morse.vger.email. [2620:137:e000::3:1]) by mx.google.com with ESMTPS id a70-20020a639049000000b00588fe3d83b3si10843331pge.408.2023.10.09.19.03.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 09 Oct 2023 19:03:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) client-ip=2620:137:e000::3:1; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=YfDFt3MU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by morse.vger.email (Postfix) with ESMTP id 0F2B281EA5EA; Mon, 9 Oct 2023 19:03:08 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at morse.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1379381AbjJJCCv (ORCPT + 20 others); Mon, 9 Oct 2023 22:02:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37916 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1379396AbjJJCCp (ORCPT ); Mon, 9 Oct 2023 22:02:45 -0400 Received: from mail-pf1-x435.google.com (mail-pf1-x435.google.com [IPv6:2607:f8b0:4864:20::435]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EA13FD7; Mon, 9 Oct 2023 19:02:41 -0700 (PDT) Received: by mail-pf1-x435.google.com with SMTP id d2e1a72fcca58-692b2bdfce9so4605182b3a.3; Mon, 09 Oct 2023 19:02:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1696903361; x=1697508161; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=WtdXd8zzfUQBn/Ye5tSm8UdJuve0zGYoqRvrat58Hz4=; b=YfDFt3MUbqGgM/HZkE2Z0BZgFPz4kxIntfVYoquRfJYLracZLwXn07A04W9v4+ckGR mzUZQmMdivzFvfdFTRvMaWVf5rLsoXu6UAmhhUzJpBI3xm2Tr0q4jKvggb6E7tXVWV1G HRLcABEPJUld8TujAJNhhkVYbxc3XziO21zCwwNV0ZOHwe8WW5wIK3bp8SKt7k9nmRji ZF+gzl3KBkjyXGSVmsudoQi2Nvje5Nydc0MOYvVpZgbZPdcKxXGKLyyPp7yMTrZt9WTF a7XGLEkv/lbL9+iJ4+1MLbsqT/RubTpOUEsOezmxrlMkRFwNZGOg9ewAS4q/nWfskEX0 tLtQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696903361; x=1697508161; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=WtdXd8zzfUQBn/Ye5tSm8UdJuve0zGYoqRvrat58Hz4=; b=PUtOR1Bm7vaIcsblnY6/bXIgcT6jg16MKZhazdHLjXYsP5/52cHNpPCVLd9dzrFxN4 Qk+CfF0LwJj447g0efMEUxKeHzSPXdFNSvoWMU6peFpjAoSxxREoczYu3/fiIgxlKCmc zuUHuTRcQbplQ42QkB6fwaeHwDtvtVZyF0S2imfS4gdQBV9PSpwypTPPiRACHHmp4xnY Rt/5PE/jfZoHlr/WlEUSqgHLKpKzGTzOh3A3tSm1KoEwmQNwe/on+zNDCU/6iG0UYJw3 QM6AcG1OfXwUWxlCFxdn3kFyLnaL98Sxr+mBaSnjpl2vL82A1DDSAZZz39J97Ej0W6ZV FCrQ== X-Gm-Message-State: AOJu0YwyM5chVCeZ/NhucUr6UhLTvcQrJvAr18hNwpo32L0sIzjj0GjA yAJxT5kDV3eEDJo5EEVekxbqXlSruMcgyg== X-Received: by 2002:a05:6a00:2405:b0:68f:cd71:45d5 with SMTP id z5-20020a056a00240500b0068fcd7145d5mr19253361pfh.3.1696903361038; Mon, 09 Oct 2023 19:02:41 -0700 (PDT) Received: from ubuntu.. ([43.132.98.112]) by smtp.googlemail.com with ESMTPSA id t28-20020aa7939c000000b0068a46cd4120sm7044809pfe.199.2023.10.09.19.02.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 09 Oct 2023 19:02:40 -0700 (PDT) From: Hengqi Chen To: linux-kernel@vger.kernel.org, bpf@vger.kernel.org Cc: keescook@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, luto@amacapital.net, wad@chromium.org, alexyonghe@tencent.com, hengqi.chen@gmail.com Subject: [PATCH 4/4] selftests/seccomp: Test SECCOMP_LOAD_FILTER and SECCOMP_ATTACH_FILTER Date: Mon, 9 Oct 2023 12:40:46 +0000 Message-Id: <20231009124046.74710-5-hengqi.chen@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231009124046.74710-1-hengqi.chen@gmail.com> References: <20231009124046.74710-1-hengqi.chen@gmail.com> MIME-Version: 1.0 X-Spam-Status: No, score=3.8 required=5.0 tests=DATE_IN_PAST_12_24,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_SBL_CSS, SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]); Mon, 09 Oct 2023 19:03:08 -0700 (PDT) X-Spam-Level: *** X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1779332170473009503 X-GMAIL-MSGID: 1779332170473009503 Add a testcase to exercise the newly added SECCOMP_LOAD_FILTER and SECCOMP_ATTACH_FILTER operations. Signed-off-by: Hengqi Chen --- tools/testing/selftests/seccomp/seccomp_bpf.c | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 38f651469968..8f7010482194 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -4735,6 +4735,26 @@ TEST(user_notification_wait_killable_fatal) EXPECT_EQ(SIGTERM, WTERMSIG(status)); } +TEST(seccomp_filter_load_and_attach) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + int fd, ret; + + fd = seccomp(SECCOMP_LOAD_FILTER, 0, &prog); + ASSERT_GT(fd, -1); + + ret = seccomp(SECCOMP_ATTACH_FILTER, 0, &fd); + ASSERT_EQ(ret, 0); + + close(fd); +} + /* * TODO: * - expand NNP testing