author | Alexei Starovoitov <ast@plumgrid.com> | 2014-05-19 17:56:14 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2014-05-21 17:07:17 -0400 |
commit | 5fe821a9dee241fa450703ab7015d970ee0cfb8d (patch) | |
tree | 4ada90ac07b074b55ffc40220d8a14fcee3f305a /kernel | |
parent | 21ea04fa2d26906a2c8bca40891a238414111f5f (diff) |
net: filter: cleanup invocation of internal BPF
Kernel API for classic BPF socket filters is:
sk_unattached_filter_create() - validate classic BPF, convert, JIT
SK_RUN_FILTER() - run it
sk_unattached_filter_destroy() - destroy socket filter
Clean up the internal BPF kernel API as follows:
sk_filter_select_runtime() - final step of internal BPF creation.
Try to JIT internal BPF program, if JIT is not available select interpreter
SK_RUN_FILTER() - run it
sk_filter_free() - free internal BPF program
Disallow direct calls to BPF interpreter. Execution of the BPF program should
be done with SK_RUN_FILTER() macro.
Example of internal BPF create, run, destroy:
struct sk_filter *fp;
fp = kzalloc(sk_filter_size(prog_len), GFP_KERNEL);
memcpy(fp->insni, prog, prog_len * sizeof(fp->insni[0]));
fp->len = prog_len;
sk_filter_select_runtime(fp);
SK_RUN_FILTER(fp, ctx);
sk_filter_free(fp);
Sockets, seccomp, testsuite, tracing are using different ways to populate
sk_filter, so first steps of program creation are not common.
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/seccomp.c | 6 |
1 files changed, 2 insertions, 4 deletions
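--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -273,10 +273,8 @@ static long seccomp_attach_filter(struct sock_fprog *fprog)
 
 atomic_set(&filter->usage, 1);
 filter->prog->len = new_len;
-filter->prog->bpf_func = (void *)sk_run_filter_int_seccomp;
 
-/* JIT internal BPF into native HW instructions */
-bpf_int_jit_compile(filter->prog);
+sk_filter_select_runtime(filter->prog);
 
 /*
 * If there is an existing filter, make it the prev and don't drop its
@@ -340,7 +338,7 @@ void put_seccomp_filter(struct task_struct *tsk)
 while (orig && atomic_dec_and_test(&orig->usage)) {
 struct seccomp_filter *freeme = orig;
 orig = orig->prev;
-bpf_jit_free(freeme->prog);
+sk_filter_free(freeme->prog);
 kfree(freeme);
 }
 }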
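Review bot: The new `sk_filter_select_runtime(filter->prog);` call in seccomp_attach_filter() has no comment, whereas the lines it replaces documented the JIT step and assigned the seccomp-specific `bpf_func` explicitly. This is where the syscall filter's execution path gets chosen, so I would put `/* Select runtime for the internal BPF program: JIT if available, else the interpreter */` above it, in line with the commit description. The diff is limited to kernel/, so the body of sk_filter_select_runtime() is not visible here. Presumably it sets `bpf_func` to an interpreter that accepts a seccomp_data context; that is worth confirming, because the dedicated `sk_run_filter_int_seccomp` entry is no longer assigned. The function's body starts and ends outside the hunk.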