- fix function prototype documentation
- fix samples to include NNP setting - fix samples to avoid rule truncation - fix samples hostprogs variable in Makefile -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Kees Cook <kees@outflux.net> iQIcBAABCgAGBQJYGNR2AAoJEIly9N/cbcAmDLIP/0HeOtLuIgrL9w0ouzeJbJYP /FlF8oQXV8ONzLY/Q3F53I1U+dHD7ohIh82D0ZrSAZpYWZaPgQpPdMWSHjkLyJAb fnVIANLa94RG0AlUhC8giiHq1m3dfyTboWYWbUgjZYYpJ7w9godze9JcgdGuTZmC Fezpakf7pr5MNzQoCoA6s6JiHoKu4viYLYSOZi93FC/YgiJYWTrRpPAC26xPrAeK wyKFIALH2tYNT4BUaL2Z6CZKGBzeErH2LCBwp32JGAja7mGVWqpw1muRAyEvatBs 4b6Yk4r0VcnEybmTZJML+A8kf0HwjtMlZjV30LHqRHBD9v11ebWIoBGHGoJubfJ4 OEkSg9AlLSWUQAVLgNf+Zh0xP2jE53Kq9dN/bHmBoO64SC3vqy90CayjOx1eYYmU wwtrYGxwubKLvdbsg8cLej4VSGEK5TG+HyGLw97tzyZBpcvPgjUaRUlrxO2ytjyH Mm9s1vgJOgVuqWpE1zdq/Qlt4WO8iganJkJSuPQc1loAuxZe45M68qj/yitT5f0i DW1yDWQRchchxtO4BUw5Z3ZjfaM4t+ANUY0RwOaQUCVMTFz/4pSimAOV2pOzYQvy zczmySqIPOspV5lk7w0P2meJk+Uxb0gdpR5rOFqTYIBcr8dYVI5QP2o0xAbT8qJy /YIbVfwV8dc/9sXCsbJ9 =tP9d -----END PGP SIGNATURE----- Merge tag 'seccomp-v4.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux into ra-next - fix function prototype documentation - fix samples to include NNP setting - fix samples to avoid rule truncation - fix samples hostprogs variable in Makefile
This commit is contained in:
James Morris
commit
eafb7b9d01
|
|
@ -41,8 +41,7 @@
|
|||
* outside of a lifetime-guarded section. In general, this
|
||||
* is only needed for handling filters shared across tasks.
|
||||
* @prev: points to a previously installed, or inherited, filter
|
||||
* @len: the number of instructions in the program
|
||||
* @insnsi: the BPF program instructions to evaluate
|
||||
* @prog: the BPF program to evaluate
|
||||
*
|
||||
* seccomp_filter objects are organized in a tree linked via the @prev
|
||||
* pointer. For any task, it appears to be a singly-linked list starting
|
||||
|
|
@ -168,8 +167,8 @@ static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen)
|
|||
}
|
||||
|
||||
/**
|
||||
* seccomp_run_filters - evaluates all seccomp filters against @syscall
|
||||
* @syscall: number of the current system call
|
||||
* seccomp_run_filters - evaluates all seccomp filters against @sd
|
||||
* @sd: optional seccomp data to be passed to filters
|
||||
*
|
||||
* Returns valid seccomp BPF response codes.
|
||||
*/
|
||||
|
|
|
|||
|
|
@ -36,13 +36,13 @@ HOSTLOADLIBES_bpf-direct += $(MFLAG)
|
|||
HOSTLOADLIBES_bpf-fancy += $(MFLAG)
|
||||
HOSTLOADLIBES_dropper += $(MFLAG)
|
||||
endif
|
||||
always := $(hostprogs-y)
|
||||
always := $(hostprogs-m)
|
||||
else
|
||||
# MIPS system calls are defined based on the -mabi that is passed
|
||||
# to the toolchain which may or may not be a valid option
|
||||
# for the host toolchain. So disable tests if target architecture
|
||||
# is MIPS but the host isn't.
|
||||
ifndef CONFIG_MIPS
|
||||
always := $(hostprogs-y)
|
||||
always := $(hostprogs-m)
|
||||
endif
|
||||
endif
|
||||
|
|
|
|||
|
|
@ -18,41 +18,41 @@
|
|||
int bpf_resolve_jumps(struct bpf_labels *labels,
|
||||
struct sock_filter *filter, size_t count)
|
||||
{
|
||||
struct sock_filter *begin = filter;
|
||||
__u8 insn = count - 1;
|
||||
size_t i;
|
||||
|
||||
if (count < 1)
|
||||
if (count < 1 || count > BPF_MAXINSNS)
|
||||
return -1;
|
||||
/*
|
||||
* Walk it once, backwards, to build the label table and do fixups.
|
||||
* Since backward jumps are disallowed by BPF, this is easy.
|
||||
*/
|
||||
filter += insn;
|
||||
for (; filter >= begin; --insn, --filter) {
|
||||
if (filter->code != (BPF_JMP+BPF_JA))
|
||||
for (i = 0; i < count; ++i) {
|
||||
size_t offset = count - i - 1;
|
||||
struct sock_filter *instr = &filter[offset];
|
||||
if (instr->code != (BPF_JMP+BPF_JA))
|
||||
continue;
|
||||
switch ((filter->jt<<8)|filter->jf) {
|
||||
switch ((instr->jt<<8)|instr->jf) {
|
||||
case (JUMP_JT<<8)|JUMP_JF:
|
||||
if (labels->labels[filter->k].location == 0xffffffff) {
|
||||
if (labels->labels[instr->k].location == 0xffffffff) {
|
||||
fprintf(stderr, "Unresolved label: '%s'\n",
|
||||
labels->labels[filter->k].label);
|
||||
labels->labels[instr->k].label);
|
||||
return 1;
|
||||
}
|
||||
filter->k = labels->labels[filter->k].location -
|
||||
(insn + 1);
|
||||
filter->jt = 0;
|
||||
filter->jf = 0;
|
||||
instr->k = labels->labels[instr->k].location -
|
||||
(offset + 1);
|
||||
instr->jt = 0;
|
||||
instr->jf = 0;
|
||||
continue;
|
||||
case (LABEL_JT<<8)|LABEL_JF:
|
||||
if (labels->labels[filter->k].location != 0xffffffff) {
|
||||
if (labels->labels[instr->k].location != 0xffffffff) {
|
||||
fprintf(stderr, "Duplicate label use: '%s'\n",
|
||||
labels->labels[filter->k].label);
|
||||
labels->labels[instr->k].label);
|
||||
return 1;
|
||||
}
|
||||
labels->labels[filter->k].location = insn;
|
||||
filter->k = 0; /* fall through */
|
||||
filter->jt = 0;
|
||||
filter->jf = 0;
|
||||
labels->labels[instr->k].location = offset;
|
||||
instr->k = 0; /* fall through */
|
||||
instr->jt = 0;
|
||||
instr->jf = 0;
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -11,7 +11,6 @@
|
|||
* When run, returns the specified errno for the specified
|
||||
* system call number against the given architecture.
|
||||
*
|
||||
* Run this one as root as PR_SET_NO_NEW_PRIVS is not called.
|
||||
*/
|
||||
|
||||
#include <errno.h>
|
||||
|
|
@ -42,8 +41,12 @@ static int install_filter(int nr, int arch, int error)
|
|||
.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
|
||||
.filter = filter,
|
||||
};
|
||||
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
|
||||
perror("prctl(NO_NEW_PRIVS)");
|
||||
return 1;
|
||||
}
|
||||
if (prctl(PR_SET_SECCOMP, 2, &prog)) {
|
||||
perror("prctl");
|
||||
perror("prctl(PR_SET_SECCOMP)");
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
|
|
|
|||
Loading…
Reference in a new issue