From patchwork Fri Sep 4 16:04:20 2015
X-Patchwork-Submitter: Tycho Andersen
X-Patchwork-Id: 514651
X-Patchwork-Delegate: davem@davemloft.net
From: Tycho Andersen
To: Kees Cook, Alexei Starovoitov
Cc: Will Drewry, Oleg Nesterov, Andy Lutomirski, Pavel Emelyanov, "Serge E. Hallyn", Daniel Borkmann, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, Tycho Andersen
Subject: [PATCH 2/6] seccomp: make underlying bpf ref counted as well
Date: Fri, 4 Sep 2015 10:04:20 -0600
Message-Id: <1441382664-17437-3-git-send-email-tycho.andersen@canonical.com>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1441382664-17437-1-git-send-email-tycho.andersen@canonical.com>
References: <1441382664-17437-1-git-send-email-tycho.andersen@canonical.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

In the next patch, we're going to add a way to access the underlying filters via bpf fds. This means that we need to ref-count both the struct seccomp_filter objects and the struct bpf_prog objects separately, in case a process dies but a filter is still referred to by another process.

Additionally, we mark classic converted seccomp filters as seccomp eBPF programs, since they are a subset of what is supported in seccomp eBPF.

Signed-off-by: Tycho Andersen
CC: Kees Cook
CC: Will Drewry
CC: Oleg Nesterov
CC: Andy Lutomirski
CC: Pavel Emelyanov
CC: Serge E. Hallyn
CC: Alexei Starovoitov
CC: Daniel Borkmann
--- kernel/seccomp.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 5bd4779..acfe1fb 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -377,6 +377,8 @@ static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog) } atomic_set(&sfilter->usage, 1); + atomic_set(&sfilter->prog->aux->refcnt, 1); + sfilter->prog->type = BPF_PROG_TYPE_SECCOMP; return sfilter; } @@ -469,7 +471,7 @@ void get_seccomp_filter(struct task_struct *tsk) static inline void seccomp_filter_free(struct seccomp_filter *filter) { if (filter) { - bpf_prog_free(filter->prog); + bpf_prog_put(filter->prog); kfree(filter); } }
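Review bot: in the seccomp_prepare_filter() hunk, `atomic_set(&sfilter->prog->aux->refcnt, 1);` has seccomp initialise a counter that lives in the BPF program's aux structure, and it does so with no comment and no check that `sfilter->prog->aux` is populated for a classic-converted program. Please either initialise the count where the program is created on the BPF side, or add a comment here saying that this is the single reference later dropped by bpf_prog_put() in seccomp_filter_free(), and confirm that aux is always allocated on this path. The `sfilter->prog->type = BPF_PROG_TYPE_SECCOMP;` assignment is made after the program has already been prepared; a one-line comment on why retagging it at this point is safe would help, since the commit message gives only the "subset" argument.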
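Review bot: in the seccomp_filter_free() hunk, replacing `bpf_prog_free(filter->prog);` with `bpf_prog_put(filter->prog);` makes the release of the program depend on its reference count having been set correctly, and the only initialisation visible in this patch is the one added to seccomp_prepare_filter(). Please confirm that every path that attaches a prog to a struct seccomp_filter goes through that initialisation, otherwise the put either leaks the program or frees it while another holder still uses it. Seccomp filters can be built in kernels that do not enable the bpf() syscall, so it is also worth checking that bpf_prog_put() is available and still frees the program in that configuration. The function name no longer matches what it does to the program (it drops a reference rather than freeing); a short comment above the call would make the lifetime rule explicit.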