bpf, seccomp: prepare for upcoming criu support

The current ongoing effort to dump existing cBPF seccomp filters back to user space requires to hold the pre-transformed instructions like we do in case of socket filters from sk_attach_filter() side, so they can be reloaded in original form at a later point in time by utilities such as criu. To prepare for this, simply extend the bpf_prog_create_from_user() API to hold a flag that tells whether we should store the original or not. Also, fanout filters could make use of that in future for things like diag. While fanout filters already use bpf_prog_destroy(), move seccomp over to them as well to handle original programs when present. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Cc: Tycho Andersen <tycho.andersen@canonical.com> Cc: Pavel Emelyanov <xemul@parallels.com> Cc: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Alexei Starovoitov <ast@plumgrid.com> Tested-by: Tycho Andersen <tycho.andersen@canonical.com> Acked-by: Alexei Starovoitov <ast@plumgrid.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Daniel Borkmann <daniel@iogearbox.net> 2015-10-02 09:17:33 -0400
committer: David S. Miller <davem@davemloft.net> 2015-10-05 09:47:05 -0400
commit: bab18991871545dfbd10c931eb0fe8f7637156a9 (patch)
tree: 1d561750b012be096fce1637fef60a65fbef1fa4 /net
parent: 0a15afd2eaceceff5be4c8b7166f01c1a68e9642 (diff)
2 files changed, 12 insertions, 6 deletions
diff --git a/net/core/filter.c b/net/core/filter.c
index 53a5036fb32d..da3e5357f138 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1084,16 +1084,18 @@ EXPORT_SYMBOL_GPL(bpf_prog_create);
 *      @pfp: the unattached filter that is created
 *      @fprog: the filter program
 *      @trans: post-classic verifier transformation handler
+ *      @save_orig: save classic BPF program
 *
 * This function effectively does the same as bpf_prog_create(), only
 * that it builds up its insns buffer from user space provided buffer.
 * It also allows for passing a bpf_aux_classic_check_t handler.
 */
 int bpf_prog_create_from_user(struct bpf_prog **pfp, struct sock_fprog *fprog,
-                              bpf_aux_classic_check_t trans)
+                              bpf_aux_classic_check_t trans, bool save_orig)
 {
        unsigned int fsize = bpf_classic_proglen(fprog);
        struct bpf_prog *fp;
+        int err;
        /* Make sure new filter is there and in the right amounts. */
        if (fprog->filter == NULL)
@@ -1109,12 +1111,16 @@ int bpf_prog_create_from_user(struct bpf_prog **pfp, struct sock_fprog *fprog,
        }
        fp->len = fprog->len;
-        /* Since unattached filters are not copied back to user
-         * space through sk_get_filter(), we do not need to hold
-         * a copy here, and can spare us the work.
-         */
        fp->orig_prog = NULL;
+        if (save_orig) {
+                err = bpf_prog_store_orig_filter(fp, fprog);
+                if (err) {
+                        __bpf_prog_free(fp);
+                        return -ENOMEM;
+                }
+        }
        /* bpf_prepare_filter() already takes care of freeing
         * memory in case something goes wrong.
         */
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index aa4b15c35884..81c900fbc4a4 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1567,7 +1567,7 @@ static int fanout_set_data_cbpf(struct packet_sock *po, char __user *data,
        if (copy_from_user(&fprog, data, len))
                return -EFAULT;
-        ret = bpf_prog_create_from_user(&new, &fprog, NULL);
+        ret = bpf_prog_create_from_user(&new, &fprog, NULL, false);
        if (ret)
                return ret;
author	Daniel Borkmann <daniel@iogearbox.net>	2015-10-02 09:17:33 -0400
committer	David S. Miller <davem@davemloft.net>	2015-10-05 09:47:05 -0400
commit	bab18991871545dfbd10c931eb0fe8f7637156a9 (patch)
tree	1d561750b012be096fce1637fef60a65fbef1fa4 /net
parent	0a15afd2eaceceff5be4c8b7166f01c1a68e9642 (diff)