On Fri, Sep 11, 2015 at 03:39:14PM +0200, Daniel Borkmann wrote:
> On 09/11/2015 02:21 AM, Tycho Andersen wrote:
> >This commit adds a way to dump eBPF programs. The initial implementation
> >doesn't support maps, and therefore only allows dumping seccomp ebpf
> >programs which themselves don't currently support maps.
> >
> >v2: don't export a prog_id for the filter
> >
> >Signed-off-by: Tycho Andersen <tycho.andersen@xxxxxxxxxxxxx>
> >CC: Kees Cook <keescook@xxxxxxxxxxxx>
> >CC: Will Drewry <wad@xxxxxxxxxxxx>
> >CC: Oleg Nesterov <oleg@xxxxxxxxxx>
> >CC: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
> >CC: Pavel Emelyanov <xemul@xxxxxxxxxxxxx>
> >CC: Serge E. Hallyn <serge.hallyn@xxxxxxxxxx>
> >CC: Alexei Starovoitov <ast@xxxxxxxxxx>
> >CC: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> [...]
> >diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> >index dc9b464..58ae9f4 100644
> >--- a/kernel/bpf/syscall.c
> >+++ b/kernel/bpf/syscall.c
> >@@ -586,6 +586,44 @@ free_prog:
> > return err;
> > }
> >
> >+static int bpf_prog_dump(union bpf_attr *attr, union bpf_attr __user *uattr)
> >+{
> >+ int ufd = attr->prog_fd;
> >+ struct fd f = fdget(ufd);
> >+ struct bpf_prog *prog;
> >+ int ret = -EINVAL;
> >+
> >+ prog = get_prog(f);
> >+ if (IS_ERR(prog))
> >+ return PTR_ERR(prog);
> >+
> >+ /* For now, let's refuse to dump anything that isn't a seccomp program.
> >+ * Other program types have support for maps, which our current dump
> >+ * code doesn't support.
> >+ */
> >+ if (prog->type != BPF_PROG_TYPE_SECCOMP)
> >+ goto out;
>
> Yep, also when you start adding helper calls (next to map objects) you'd
> need to undo kernel pointers that the verifier sets here.
Good point, I'll add that to the comment as well.
Tycho
--
To unsubscribe from this list: send the line "unsubscribe linux-api" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
