sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W

Introduces a new BPF ancillary instruction that all LD calls will be
mapped through when skb_run_filter() is being used for seccomp BPF.  The
rewriting will be done using a secondary chk_filter function that is run
after skb_chk_filter.

The code change is guarded by CONFIG_SECCOMP_FILTER which is added,
along with the seccomp_bpf_load() function later in this series.

This is based on http://lkml.org/lkml/2012/3/2/141

Suggested-by: Indan Zupancic <indan@nul.nu>
Signed-off-by: Will Drewry <wad@chromium.org>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Eric Paris <eparis@redhat.com>

v18: rebase
...
v15: include seccomp.h explicitly for when seccomp_bpf_load exists.
v14: First cut using a single additional instruction
... v13: made bpf functions generic.
Signed-off-by: James Morris <james.l.morris@oracle.com>

1 files changed, 6 insertions, 0 deletions

diff --git a/net/core/filter.c b/net/core/filter.c
index 6f755cca4520..491e2e1ec277 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -38,6 +38,7 @@
 #include <linux/filter.h>
 #include <linux/reciprocal_div.h>
 #include <linux/ratelimit.h>
+#include <linux/seccomp.h>
 
 /* No hurry in this branch
  *
@@ -352,6 +353,11 @@ load_b:
                                 A = 0;
                         continue;
                 }
+#ifdef CONFIG_SECCOMP_FILTER
+                case BPF_S_ANC_SECCOMP_LD_W:
+                        A = seccomp_bpf_load(fentry->k);
+                        continue;
+#endif
                 default:
                         WARN_RATELIMIT(1, "Unknown code:%u jt:%u tf:%u k:%u\n",
                                        fentry->code, fentry->jt,