• bpf, seccomp: prepare for upcoming criu support · bab18991
    Daniel Borkmann authored
    The current ongoing effort to dump existing cBPF seccomp filters back
    to user space requires to hold the pre-transformed instructions like
    we do in case of socket filters from sk_attach_filter() side, so they
    can be reloaded in original form at a later point in time by utilities
    such as criu.
    
    To prepare for this, simply extend the bpf_prog_create_from_user()
    API to hold a flag that tells whether we should store the original
    or not. Also, fanout filters could make use of that in future for
    things like diag. While fanout filters already use bpf_prog_destroy(),
    move seccomp over to them as well to handle original programs when
    present.
    
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Cc: Tycho Andersen <tycho.andersen@canonical.com>
    Cc: Pavel Emelyanov <xemul@parallels.com>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: Alexei Starovoitov <ast@plumgrid.com>
    Tested-by: Tycho Andersen <tycho.andersen@canonical.com>
    Acked-by: Alexei Starovoitov <ast@plumgrid.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
seccomp.c 23.2 KB