net: filter: add a callback to allow classic post-verifier transformations

This is in preparation for use by the seccomp code, the rationale is not to duplicate additional code within the seccomp layer, but instead, have it abstracted and hidden within the classic BPF API. As an interim step, this now also makes bpf_prepare_filter() visible (not as exported symbol though), so that seccomp can reuse that code path instead of reimplementing it. Joint work with Daniel Borkmann. Signed-off-by: Nicolas Schichan <nschichan@freebox.fr> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Cc: Alexei Starovoitov <ast@plumgrid.com> Cc: Kees Cook <keescook@chromium.org> Acked-by: Alexei Starovoitov <ast@plumgrid.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Nicolas Schichan <nschichan@freebox.fr> 2015-05-06 10:12:27 -0400
committer: David S. Miller <davem@davemloft.net> 2015-05-09 17:35:05 -0400
commit: 4ae92bc77ac8e620f7c8d59b5882a4cb0d1c4ef1 (patch)
tree: d8a3a893390631cfaf0547929b8b89c715501b08
parent: 0e00a0f73f9c7f5e9f02d064ed0165a3aeeb2de5 (diff)
2 files changed, 21 insertions, 3 deletions
diff --git a/include/linux/filter.h b/include/linux/filter.h
index fa11b3a367be..91996247cb55 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -384,7 +384,13 @@ int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk);
 int sk_attach_bpf(u32 ufd, struct sock *sk);
 int sk_detach_filter(struct sock *sk);
+typedef int (*bpf_aux_classic_check_t)(struct sock_filter *filter,
+                                       unsigned int flen);
 int bpf_check_classic(const struct sock_filter *filter, unsigned int flen);
+struct bpf_prog *bpf_prepare_filter(struct bpf_prog *fp,
+                                    bpf_aux_classic_check_t trans);
 int sk_get_filter(struct sock *sk, struct sock_filter __user *filter,
                  unsigned int len);
diff --git a/net/core/filter.c b/net/core/filter.c
index bf831a85c315..e670494f1d83 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -988,7 +988,8 @@ out_err:
        return ERR_PTR(err);
 }
-static struct bpf_prog *bpf_prepare_filter(struct bpf_prog *fp)
+struct bpf_prog *bpf_prepare_filter(struct bpf_prog *fp,
+                                    bpf_aux_classic_check_t trans)
 {
        int err;
@@ -1001,6 +1002,17 @@ static struct bpf_prog *bpf_prepare_filter(struct bpf_prog *fp)
                return ERR_PTR(err);
        }
+        /* There might be additional checks and transformations
+         * needed on classic filters, f.e. in case of seccomp.
+         */
+        if (trans) {
+                err = trans(fp->insns, fp->len);
+                if (err) {
+                        __bpf_prog_release(fp);
+                        return ERR_PTR(err);
+                }
+        }
        /* Probe if we can JIT compile the filter and if so, do
         * the compilation of the filter.
         */
@@ -1050,7 +1062,7 @@ int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog)
        /* bpf_prepare_filter() already takes care of freeing
         * memory in case something goes wrong.
         */
-        fp = bpf_prepare_filter(fp);
+        fp = bpf_prepare_filter(fp, NULL);
        if (IS_ERR(fp))
                return PTR_ERR(fp);
@@ -1135,7 +1147,7 @@ int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
        /* bpf_prepare_filter() already takes care of freeing
         * memory in case something goes wrong.
         */
-        prog = bpf_prepare_filter(prog);
+        prog = bpf_prepare_filter(prog, NULL);
        if (IS_ERR(prog))
                return PTR_ERR(prog);
author	Nicolas Schichan <nschichan@freebox.fr>	2015-05-06 10:12:27 -0400
committer	David S. Miller <davem@davemloft.net>	2015-05-09 17:35:05 -0400
commit	4ae92bc77ac8e620f7c8d59b5882a4cb0d1c4ef1 (patch)
tree	d8a3a893390631cfaf0547929b8b89c715501b08
parent	0e00a0f73f9c7f5e9f02d064ed0165a3aeeb2de5 (diff)