On Wed, Dec 07, 2016 at 08:29:22PM +0300, Cyrill Gorcunov wrote:
> The vanilla kernel is quite reworked in filter management, in particular
> the filters passed into sockets or seccomp are saved in the userspace form
> as struct bpf_prog::orig_prog. We can't port all the patches right now,
> lets rather do a trick for seccomp sake and simply carry a copy inside
> struct seccomp_filter. The socket filters are decoded into userspace form
> anyway so this area is safe.
>
> https://jira.sw.ru/browse/PSBM-55593
>
> CC: Andrey Vagin <ava...@openvz.org>
> Signed-off-by: Cyrill Gorcunov <gorcu...@openvz.org>
> ---
> The patch is on top of [PATCH rh7] seccomp, ptrace: Fix typo in filter
> fetching
>
> kernel/seccomp.c | 25 +++++++++++++++++++++++++
> 1 file changed, 25 insertions(+)
>
> Index: linux-pcs7.git/kernel/seccomp.c
> ===================================================================
> --- linux-pcs7.git.orig/kernel/seccomp.c
> +++ linux-pcs7.git/kernel/seccomp.c
> @@ -54,6 +54,9 @@
> struct seccomp_filter {
> atomic_t usage;
> struct seccomp_filter *prev;
> +#if CONFIG_VE
Why do you not use CONFIG_CHECKPOINT_RESTORE here?
> + struct sock_fprog orig_prog;
> +#endif
> unsigned short len; /* Instruction count */
> struct sock_filter insns[];
> };
> @@ -265,6 +268,16 @@ static long seccomp_attach_filter(struct
> if (copy_from_user(filter->insns, fprog->filter, fp_size))
> goto fail;
>
> +#if CONFIG_VE
> + filter->orig_prog.len = fprog->len;
> + filter->orig_prog.filter = kmemdup(filter->insns, fp_size,
> + GFP_KERNEL|__GFP_NOWARN);
> + if (!filter->orig_prog.filter) {
> + ret = -ENOMEM;
> + goto fail;
> + }
> +#endif
> +
> /* Check and rewrite the fprog via the skb checker */
> ret = sk_chk_filter(filter->insns, filter->len);
> if (ret)
> @@ -283,6 +296,9 @@ static long seccomp_attach_filter(struct
> current->seccomp.filter = filter;
> return 0;
> fail:
> +#if CONFIG_VE
> + kfree(filter->orig_prog.filter);
> +#endif
> kfree(filter);
> return ret;
> }
> @@ -332,6 +348,9 @@ void put_seccomp_filter(struct task_stru
> while (orig && atomic_dec_and_test(&orig->usage)) {
> struct seccomp_filter *freeme = orig;
> orig = orig->prev;
> +#if CONFIG_VE
> + kfree(freeme->orig_prog.filter);
> +#endif
> kfree(freeme);
> }
> }
> @@ -566,8 +585,14 @@ long seccomp_get_filter(struct task_stru
> get_seccomp_filter(task);
> spin_unlock_irq(&task->sighand->siglock);
>
> +#if CONFIG_VE
> + if (copy_to_user(data, filter->orig_prog.filter,
> + filter->orig_prog.len *
> sizeof(filter->orig_prog.filter[0])))
> + ret = -EFAULT;
> +#else
> if (copy_to_user(data, filter->insns, filter->len *
> sizeof(filter->insns[0])))
> ret = -EFAULT;
> +#endif
>
> put_seccomp_filter(task);
> return ret;
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
