From patchwork Thu Apr 12 21:47:52 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Will Drewry
X-Patchwork-Id: 152179
X-Patchwork-Delegate: davem@davemloft.net
From: Will Drewry
To: linux-kernel@vger.kernel.org
Cc: linux-man@vger.kernel.org, linux-security-module@vger.kernel.org,
 linux-arch@vger.kernel.org, linux-doc@vger.kernel.org,
 kernel-hardening@lists.openwall.com, netdev@vger.kernel.org,
 x86@kernel.org, arnd@arndb.de, davem@davemloft.net, hpa@zytor.com,
 mingo@redhat.com, oleg@redhat.com, peterz@infradead.org,
 rdunlap@xenotime.net, mcgrathr@chromium.org, tglx@linutronix.de,
 luto@mit.edu, eparis@redhat.com, serge.hallyn@canonical.com,
 djm@mindrot.org, scarybeasts@gmail.com, indan@nul.nu, pmoore@redhat.com,
 akpm@linux-foundation.org, corbet@lwn.net, eric.dumazet@gmail.com,
 markus@chromium.org, coreyb@linux.vnet.ibm.com, keescook@chromium.org,
 jmorris@namei.org, Will Drewry
Subject: [PATCH v18 03/15] sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W
Date: Thu, 12 Apr 2012 16:47:52 -0500
Message-Id: <1334267284-19166-3-git-send-email-wad@chromium.org>
X-Mailer: git-send-email 1.7.5.4
In-Reply-To: <1334267284-19166-1-git-send-email-wad@chromium.org>
References: <1334267284-19166-1-git-send-email-wad@chromium.org>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

Introduces a new BPF ancillary instruction that all LD calls will be
mapped through when skb_run_filter() is being used for seccomp BPF. The
rewriting will be done using a secondary chk_filter function that is run
after skb_chk_filter.

The code change is guarded by CONFIG_SECCOMP_FILTER which is added,
along with the seccomp_bpf_load() function later in this series.

This is based on http://lkml.org/lkml/2012/3/2/141

Suggested-by: Indan Zupancic
Signed-off-by: Will Drewry Acked-by: Eric Dumazet Acked-by: Eric Paris v18: rebase ... v15: include seccomp.h explicitly for when seccomp_bpf_load exists. v14: First cut using a single additional instruction ... v13: made bpf functions generic. --- include/linux/filter.h | 1 + net/core/filter.c | 6 ++++++ 2 files changed, 7 insertions(+), 0 deletions(-) diff --git a/include/linux/filter.h b/include/linux/filter.h index 8eeb205..aaa2e80 100644 --- a/include/linux/filter.h +++ b/include/linux/filter.h @@ -228,6 +228,7 @@ enum { BPF_S_ANC_HATYPE, BPF_S_ANC_RXHASH, BPF_S_ANC_CPU, + BPF_S_ANC_SECCOMP_LD_W, }; #endif /* __KERNEL__ */ diff --git a/net/core/filter.c b/net/core/filter.c index 6f755cc..491e2e1 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -38,6 +38,7 @@ #include #include #include +#include /* No hurry in this branch * @@ -352,6 +353,11 @@ load_b: A = 0; continue; } +#ifdef CONFIG_SECCOMP_FILTER + case BPF_S_ANC_SECCOMP_LD_W: + A = seccomp_bpf_load(fentry->k); + continue; +#endif default: WARN_RATELIMIT(1, "Unknown code:%u jt:%u tf:%u k:%u\n", fentry->code, fentry->jt,
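
Review bot: in the net/core/filter.c hunk that adds the new case, "A = seccomp_bpf_load(fentry->k);" passes k through with no range or alignment check at this site, so safety depends entirely on the secondary chk_filter function and on seccomp_bpf_load() itself, neither of which is part of this patch. Suggest a comment in the case stating that k was validated when the filter was installed, and confirming when seccomp_bpf_load() lands later in the series that it returns a defined value for an out-of-range offset rather than trusting the caller. Nothing in the case ties it to a seccomp caller either, so the check that keeps this opcode out of socket filters deserves an explicit mention here.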