Re: [PATCH v2 3/5] ebpf: add a way to dump an eBPF program
From: Daniel Borkmann <hidden>
Date: 2015-09-11 13:39:25
Also in: lkml, netdev
On 09/11/2015 02:21 AM, Tycho Andersen wrote:
This commit adds a way to dump eBPF programs. The initial implementation doesn't support maps, and therefore only allows dumping seccomp ebpf programs which themselves don't currently support maps.

v2: don't export a prog_id for the filter

Signed-off-by: Tycho Andersen <redacted>
CC: Kees Cook <redacted>
CC: Will Drewry <redacted>
CC: Oleg Nesterov <redacted>
CC: Andy Lutomirski <redacted>
CC: Pavel Emelyanov <redacted>
CC: Serge E. Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
CC: Alexei Starovoitov <redacted>
CC: Daniel Borkmann <redacted>
[...]
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index dc9b464..58ae9f4 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c@@ -586,6 +586,44 @@ free_prog: return err; } +static int bpf_prog_dump(union bpf_attr *attr, union bpf_attr __user *uattr) +{ + int ufd = attr->prog_fd; + struct fd f = fdget(ufd); + struct bpf_prog *prog; + int ret = -EINVAL; + + prog = get_prog(f); + if (IS_ERR(prog)) + return PTR_ERR(prog); + + /* For now, let's refuse to dump anything that isn't a seccomp program. + * Other program types have support for maps, which our current dump + * code doesn't support. + */ + if (prog->type != BPF_PROG_TYPE_SECCOMP) + goto out;
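Review bot: The seccomp-only check (`if (prog->type != BPF_PROG_TYPE_SECCOMP) goto out;`) fails with the default `ret = -EINVAL`, so a caller cannot tell "valid program fd of a type the dump code does not handle yet" apart from a malformed request; a distinct errno such as -EOPNOTSUPP on that path would make the restriction visible to userspace. Separately, `fdget(ufd)` at the top needs a matching fdput(f) on every exit, but the `IS_ERR(prog)` branch returns directly and the `out:` label is not in the quoted lines, so it is worth confirming (and noting in a comment) that get_prog() releases the fd on failure and that `out:` releases it on the type-mismatch path.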
Yep, also when you start adding helper calls (next to map objects) you'd need to undo kernel pointers that the verifier sets here.