From patchwork Thu Mar 15 03:11:53 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Will Drewry <wad@chromium.org>
X-Patchwork-Id: 146829
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 1F769B6F6E
	for <patchwork-incoming@ozlabs.org>;
	Thu, 15 Mar 2012 14:17:28 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1758401Ab2CODOQ (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Wed, 14 Mar 2012 23:14:16 -0400
Received: from mail-yw0-f46.google.com ([209.85.213.46]:35377 "EHLO
	mail-yw0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1758339Ab2CODNT (ORCPT
	<rfc822;netdev@vger.kernel.org>); Wed, 14 Mar 2012 23:13:19 -0400
Received: by mail-yw0-f46.google.com with SMTP id m54so2639686yhm.19
	for <netdev@vger.kernel.org>; Wed, 14 Mar 2012 20:13:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=chromium.org; s=google;
	h=from:to:cc:subject:date:message-id:x-mailer:in-reply-to:references;
	bh=7Rw2aKt12vJUZNsudYjUEPuBVOw5nzTrQqBwHewIUxs=;
	b=kQdmsjpaJLQ4dKGZeO4plVRYPukgBxcsuVV1WmTI9h7G0D6kIpMRkyaX+K99BxeLXV
	fPw7nN+/7ahGqEMHze7x4N5BOl7PWmSvM5b1QJAg/nxUgMPNxnM0LHD/MmsL0YPKsrp2
	JXOpxPXVSl6exKg1pWKGamNHvk+i+WGRUT4kM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20120113;
	h=from:to:cc:subject:date:message-id:x-mailer:in-reply-to:references
	:x-gm-message-state;
	bh=7Rw2aKt12vJUZNsudYjUEPuBVOw5nzTrQqBwHewIUxs=;
	b=UHdXxXDQGGltU33t3+56k70pcz9FEj8zDJelj99jhmK5v16mWHlpv2GNT3jUKrVTA+
	olRVAxkxeZd1NdCyv0sxweN3RjFqGDznlpRfYdE6NDXQJS+Sk9gQE/P9ebXC5Sixx+Ff
	xEarZTObayV54Jzcn44g28n3iSeP2C1AJIeRpqqdU0V6M/XX8i/Qg0a4MEyNCj+RcKX3
	PKfADSQDn4uoN2iddqQiP57UR/PcatVf8mou/H4wp8nH4enFt9IoTsQnuwOyqotQuaa2
	CmnaOlfQFJlraShmSGMGr4bwg0W0nylRGiKUQNzCH6pZ388xI5uRVkYk89Z66mG+7TfS
	QtBg==
Received: by 10.236.175.162 with SMTP id z22mr6312223yhl.119.1331781198921;
	Wed, 14 Mar 2012 20:13:18 -0700 (PDT)
Received: from localhost.localdomain
	(173-164-30-65-Nashville.hfc.comcastbusiness.net. [173.164.30.65])
	by mx.google.com with ESMTPS id
	n35sm1522518yhh.19.2012.03.14.20.13.16
	(version=TLSv1/SSLv3 cipher=OTHER);
	Wed, 14 Mar 2012 20:13:18 -0700 (PDT)
From: Will Drewry <wad@chromium.org>
To: linux-kernel@vger.kernel.org
Cc: linux-arch@vger.kernel.org, linux-doc@vger.kernel.org,
	kernel-hardening@lists.openwall.com, netdev@vger.kernel.org,
	x86@kernel.org, arnd@arndb.de, davem@davemloft.net, hpa@zytor.com,
	mingo@redhat.com, oleg@redhat.com, peterz@infradead.org,
	rdunlap@xenotime.net, mcgrathr@chromium.org, tglx@linutronix.de,
	luto@mit.edu, eparis@redhat.com, serge.hallyn@canonical.com,
	djm@mindrot.org, scarybeasts@gmail.com, indan@nul.nu,
	pmoore@redhat.com, akpm@linux-foundation.org, corbet@lwn.net,
	eric.dumazet@gmail.com, markus@chromium.org,
	coreyb@linux.vnet.ibm.com, keescook@chromium.org,
	Will Drewry <wad@chromium.org>
Subject: [PATCH v15 01/13] sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W
Date: Wed, 14 Mar 2012 22:11:53 -0500
Message-Id: <1331781125-15658-2-git-send-email-wad@chromium.org>
X-Mailer: git-send-email 1.7.5.4
In-Reply-To: <1331781125-15658-1-git-send-email-wad@chromium.org>
References: <1331781125-15658-1-git-send-email-wad@chromium.org>
X-Gm-Message-State: 
 ALoCoQlt8ot/fN+1FKt4Fslfd7n6Au2WiVSAZLz02HZAWbGB/C25DWxzg7J+0zgktsR6oIQB7vg0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Introduces a new BPF ancillary instruction that all LD calls will be
mapped through when skb_run_filter() is being used for seccomp BPF.  The
rewriting will be done using a secondary chk_filter function that is run
after skb_chk_filter.

The code change is guarded by CONFIG_SECCOMP_FILTER which is added,
along with the seccomp_bpf_load() function later in this series.

This is based on http://lkml.org/lkml/2012/3/2/141

v15: include seccomp.h explicitly for when seccomp_bpf_load exists.
v14: First cut using a single additional instruction
... v13: made bpf functions generic.

Suggested-by: Indan Zupancic <indan@nul.nu>
Signed-off-by: Will Drewry <wad@chromium.org>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
---
 include/linux/filter.h |    1 +
 net/core/filter.c      |    6 ++++++
 2 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/include/linux/filter.h b/include/linux/filter.h
index 8eeb205..aaa2e80 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -228,6 +228,7 @@ enum {
 	BPF_S_ANC_HATYPE,
 	BPF_S_ANC_RXHASH,
 	BPF_S_ANC_CPU,
+	BPF_S_ANC_SECCOMP_LD_W,
 };
 
 #endif /* __KERNEL__ */
diff --git a/net/core/filter.c b/net/core/filter.c
index 5dea452..d775edc 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -39,6 +39,7 @@
 #include <linux/filter.h>
 #include <linux/reciprocal_div.h>
 #include <linux/ratelimit.h>
+#include <linux/seccomp.h>
 
 /* No hurry in this branch */
 static void *__load_pointer(const struct sk_buff *skb, int k, unsigned int size)
@@ -350,6 +351,11 @@ load_b:
 				A = 0;
 			continue;
 		}
+#ifdef CONFIG_SECCOMP_FILTER
+		case BPF_S_ANC_SECCOMP_LD_W:
+			A = seccomp_bpf_load(fentry->k);
+			continue;
+#endif
 		default:
 			WARN_RATELIMIT(1, "Unknown code:%u jt:%u tf:%u k:%u\n",
 				       fentry->code, fentry->jt,