2023-10-16 01:47:45

by Hengqi Chen

Subject: [PATCH v2 1/5] seccomp: Refactor filter copy/create for reuse

This extracts two helpers for reuse in subsequent additions.
No functional change intended, just prep work.

Signed-off-by: Hengqi Chen <[email protected]>
---
kernel/seccomp.c | 90 +++++++++++++++++++++++++++++++++---------------
1 file changed, 63 insertions(+), 27 deletions(-)

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 255999ba9190..faf84fc892eb 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -640,14 +640,14 @@ static inline void seccomp_sync_threads(unsigned long flags)
}

/**
- * seccomp_prepare_filter: Prepares a seccomp filter for use.
- * @fprog: BPF program to install
+ * seccomp_prepare_prog - prepares a JITed BPF filter for use.
+ * @pfp: the unattached filter that is created
+ * @fprog: the filter program
*
- * Returns filter on success or an ERR_PTR on failure.
+ * Returns 0 on success and non-zero otherwise.
*/
-static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog)
+static int seccomp_prepare_prog(struct bpf_prog **pfp, struct sock_fprog *fprog)
{
- struct seccomp_filter *sfilter;
int ret;
const bool save_orig =
#if defined(CONFIG_CHECKPOINT_RESTORE) || defined(SECCOMP_ARCH_NATIVE)
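Review bot: The kernel-doc added for seccomp_prepare_prog() does not say who owns the program stored through @pfp, and the same gap exists for seccomp_prepare_filter(), where the third hunk assigns `sfilter->prog = prog;`. The only caller on this page (last hunk) destroys the program with bpf_prog_destroy() when seccomp_prepare_filter() returns an error, so the contract appears to be that the caller owns *@pfp until a filter has been created successfully. I would add ` * On success *@pfp holds a program the caller must release with bpf_prog_destroy().` here and ` * On success the returned filter owns @prog; on failure @prog remains the caller's.` to seccomp_prepare_filter(). "JITed" in the summary line also says more than the visible bpf_prog_create_from_user() call establishes, so `prepares a BPF filter program for use` may be the safer wording. The body of seccomp_prepare_prog() continues past the end of this hunk.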
@@ -657,10 +657,27 @@ static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog)
#endif

if (fprog->len == 0 || fprog->len > BPF_MAXINSNS)
- return ERR_PTR(-EINVAL);
+ return -EINVAL;

BUG_ON(INT_MAX / fprog->len < sizeof(struct sock_filter));

+ ret = bpf_prog_create_from_user(pfp, fprog, seccomp_check_filter, save_orig);
+ if (ret < 0)
+ return ret;
+
+ return 0;
+}
+
+/**
+ * seccomp_prepare_filter: Prepares a seccomp filter for use.
+ * @prog: BPF program to install
+ *
+ * Returns filter on success or an ERR_PTR on failure.
+ */
+static struct seccomp_filter *seccomp_prepare_filter(struct bpf_prog *prog)
+{
+ struct seccomp_filter *sfilter;
+
/*
* Installing a seccomp filter requires that the task has
* CAP_SYS_ADMIN in its namespace or be running with no_new_privs.
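Review bot: The privilege gate now runs after the program has been built, which is a behaviour change that the "No functional change intended" description does not mention. In the old code the CAP_SYS_ADMIN / no_new_privs comment (and presumably the check it introduces, which falls between hunks) sat ahead of bpf_prog_create_from_user(); after the split it lives in seccomp_prepare_filter(), which seccomp_prepare_user_filter() in the last hunk calls only once seccomp_prepare_prog() has succeeded. A task that is going to be refused therefore still has its filter copied from user memory and run through seccomp_check_filter, and a caller with an invalid filter may now see a different errno than before. I would keep the gate first, for example by moving it into a small helper called at the top of seccomp_prepare_user_filter() before `ret = seccomp_prepare_prog(&prog, &fprog);`, or else state the new ordering in the commit message. The body of seccomp_prepare_filter() continues outside this hunk.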
@@ -677,13 +694,7 @@ static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog)
return ERR_PTR(-ENOMEM);

mutex_init(&sfilter->notify_lock);
- ret = bpf_prog_create_from_user(&sfilter->prog, fprog,
- seccomp_check_filter, save_orig);
- if (ret < 0) {
- kfree(sfilter);
- return ERR_PTR(ret);
- }
-
+ sfilter->prog = prog;
refcount_set(&sfilter->refs, 1);
refcount_set(&sfilter->users, 1);
init_waitqueue_head(&sfilter->wqh);
@@ -692,31 +703,56 @@ static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog)
}

/**
- * seccomp_prepare_user_filter - prepares a user-supplied sock_fprog
+ * seccomp_copy_user_filter - copies a user-supplied sock_fprog
* @user_filter: pointer to the user data containing a sock_fprog.
+ * @fprog: pointer to store the copied BPF program
*
* Returns 0 on success and non-zero otherwise.
*/
-static struct seccomp_filter *
-seccomp_prepare_user_filter(const char __user *user_filter)
+static int seccomp_copy_user_filter(const char __user *user_filter, struct sock_fprog *fprog)
{
- struct sock_fprog fprog;
- struct seccomp_filter *filter = ERR_PTR(-EFAULT);
-
#ifdef CONFIG_COMPAT
if (in_compat_syscall()) {
struct compat_sock_fprog fprog32;
if (copy_from_user(&fprog32, user_filter, sizeof(fprog32)))
- goto out;
- fprog.len = fprog32.len;
- fprog.filter = compat_ptr(fprog32.filter);
+ return -EFAULT;
+ fprog->len = fprog32.len;
+ fprog->filter = compat_ptr(fprog32.filter);
} else /* falls through to the if below. */
#endif
- if (copy_from_user(&fprog, user_filter, sizeof(fprog)))
- goto out;
- filter = seccomp_prepare_filter(&fprog);
-out:
- return filter;
+ if (copy_from_user(fprog, user_filter, sizeof(*fprog)))
+ return -EFAULT;
+
+ return 0;
+}
+
+/**
+ * seccomp_prepare_user_filter - prepares a user-supplied sock_fprog
+ * @user_filter: pointer to the user data containing a sock_fprog.
+ *
+ * Returns filter on success or an ERR_PTR on failure.
+ */
+static struct seccomp_filter *
+seccomp_prepare_user_filter(const char __user *user_filter)
+{
+ struct seccomp_filter *sfilter;
+ struct sock_fprog fprog;
+ struct bpf_prog *prog;
+ int ret;
+
+ ret = seccomp_copy_user_filter(user_filter, &fprog);
+ if (ret)
+ return ERR_PTR(ret);
+
+ ret = seccomp_prepare_prog(&prog, &fprog);
+ if (ret)
+ return ERR_PTR(ret);
+
+ sfilter = seccomp_prepare_filter(prog);
+ if (IS_ERR(sfilter))
+ bpf_prog_destroy(prog);
+
+ return sfilter;
}

#ifdef SECCOMP_ARCH_NATIVE
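Review bot: The @fprog line in the seccomp_copy_user_filter() kernel-doc says the helper stores "the copied BPF program", but both branches copy only the sock_fprog descriptor: `len` and a `filter` pointer that still refers to user memory (the compat branch builds it with compat_ptr()). Neither field is validated here; the length bound is applied later, in seccomp_prepare_prog(). Since the helper is being split out for reuse, I would make that explicit, e.g. ` * @fprog: filled with the user's sock_fprog; ->filter is still a user pointer and ->len is unchecked`. The summary line could likewise read `copies a user-supplied sock_fprog descriptor`.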
--
2.34.1