2012/3/30 Vladimir Murzin [off-list ref]:

Hi Will,

On Thu, Mar 29, 2012 at 03:01:53PM -0500, Will Drewry wrote:

snipped

quoted

+
+/* Limit any path through the tree to 256KB worth of instructions. */
+#define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter))
+
+static void seccomp_filter_log_failure(int syscall)
+{
+     int compat = 0;
+#ifdef CONFIG_COMPAT
+     compat = is_compat_task();
+#endif
+     pr_info("%s[%d]: %ssystem call %d blocked at 0x%lx\n",
+             current->comm, task_pid_nr(current),
+             (compat ? "compat " : ""),
+             syscall, KSTK_EIP(current));
+}

snipped

quoted

+/**
+ * seccomp_attach_user_filter - attaches a user-supplied sock_fprog
+ * @user_filter: pointer to the user data containing a sock_fprog.
+ *
+ * Returns 0 on success and non-zero otherwise.
+ */
+long seccomp_attach_user_filter(char __user *user_filter)
+{
+     struct sock_fprog fprog;
+     long ret = -EFAULT;
+
+#ifdef CONFIG_COMPAT
+     if (is_compat_task()) {
+             struct compat_sock_fprog fprog32;
+             if (copy_from_user(&fprog32, user_filter, sizeof(fprog32)))
+                     goto out;
+             fprog.len = fprog32.len;
+             fprog.filter = compat_ptr(fprog32.filter);
+     } else /* falls through to the if below. */
+#endif
+     if (copy_from_user(&fprog, user_filter, sizeof(fprog)))
+             goto out;
+     ret = seccomp_attach_filter(&fprog);
+out:
+     return ret;
+}

Do we really need to surround is_compat_task() with CNFIG_COMPAT?
It seems that this case has already handled in compat.h [1]

[1] http://lxr.linux.no/#linux+v3.3/include/linux/compat.h#L566

In log_failure, it's not needed at all, but that function disappears
in a subsequent patch in the series that converts over to using the
auditing framework.  For the next use of CONFIG_COMPAT, it is more
important for guarding the compat_sock_fprog struct (which isn't
doubly defined) rather than the is_compat_task.

Thanks!
will