In order to implement checkpoint of seccomp filters, we need to keep track of the original filter as the user gave it to us. Since we're doing this, we need to also use bpf_prog_destroy to free the struct bpf_brogs so we don't leak this memory. Signed-off-by: Tycho Andersen <tycho.andersen@xxxxxxxxxxxxx> CC: Kees Cook <keescook@xxxxxxxxxxxx> CC: Will Drewry <wad@xxxxxxxxxxxx> CC: Oleg Nesterov <oleg@xxxxxxxxxx> CC: Andy Lutomirski <luto@xxxxxxxxxxxxxx> CC: Pavel Emelyanov <xemul@xxxxxxxxxxxxx> CC: Serge E. Hallyn <serge.hallyn@xxxxxxxxxx> CC: Alexei Starovoitov <ast@xxxxxxxxxx> CC: Daniel Borkmann <daniel@xxxxxxxxxxxxx> --- include/linux/filter.h | 2 ++ kernel/seccomp.c | 24 ++++++++++++++++-------- net/core/filter.c | 4 ++-- 3 files changed, 20 insertions(+), 10 deletions(-) diff --git a/include/linux/filter.h b/include/linux/filter.h index fa2cab9..6c045ba 100644 --- a/include/linux/filter.h +++ b/include/linux/filter.h @@ -410,6 +410,8 @@ int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog); int bpf_prog_create_from_user(struct bpf_prog **pfp, struct sock_fprog *fprog, bpf_aux_classic_check_t trans); void bpf_prog_destroy(struct bpf_prog *fp); +int bpf_prog_store_orig_filter(struct bpf_prog *fp, + const struct sock_fprog *fprog); int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk); int sk_attach_bpf(u32 ufd, struct sock *sk); diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 5bd4779..09f3769 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -337,6 +337,14 @@ static inline void seccomp_sync_threads(void) } } +static inline void seccomp_filter_free(struct seccomp_filter *filter) +{ + if (filter) { + bpf_prog_destroy(filter->prog); + kfree(filter); + } +} + /** * seccomp_prepare_filter: Prepares a seccomp filter for use. * @fprog: BPF program to install @@ -376,6 +384,14 @@ static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog) return ERR_PTR(ret); } + if (config_enabled(CONFIG_CHECKPOINT_RESTORE)) { + ret = bpf_prog_store_orig_filter(sfilter->prog, fprog); + if (ret < 0) { + seccomp_filter_free(sfilter); + return ERR_PTR(ret); + } + } + atomic_set(&sfilter->usage, 1); return sfilter; @@ -466,14 +482,6 @@ void get_seccomp_filter(struct task_struct *tsk) atomic_inc(&orig->usage); } -static inline void seccomp_filter_free(struct seccomp_filter *filter) -{ - if (filter) { - bpf_prog_free(filter->prog); - kfree(filter); - } -} - /* put_seccomp_filter - decrements the ref count of tsk->seccomp.filter */ void put_seccomp_filter(struct task_struct *tsk) { diff --git a/net/core/filter.c b/net/core/filter.c index 13079f0..70995dd 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -832,8 +832,8 @@ static int bpf_check_classic(const struct sock_filter *filter, return -EINVAL; } -static int bpf_prog_store_orig_filter(struct bpf_prog *fp, - const struct sock_fprog *fprog) +int bpf_prog_store_orig_filter(struct bpf_prog *fp, + const struct sock_fprog *fprog) { unsigned int fsize = bpf_classic_proglen(fprog); struct sock_fprog_kern *fkprog; -- 2.5.0 -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html