[PATCH net-next 2/2] net: filter: split BPF out of core networking

Alexei Starovoitov Sat, 31 May 2014 18:45:07 -0700

seccomp selects BPF only instead of whole NET
Other BPF users (like tracing filters) will select BPF only too


Signed-off-by: Alexei Starovoitov <a...@plumgrid.com>
---
 arch/Kconfig   |    3 ++-
 net/Kconfig    |    4 ++++
 net/Makefile   |    2 +-
 net/bpf/core.c |   21 +++++++++++++++++++++
 4 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/arch/Kconfig b/arch/Kconfig
index 97ff872c7acc..92f43a16eccc 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -324,7 +324,8 @@ config HAVE_ARCH_SECCOMP_FILTER
 
 config SECCOMP_FILTER
        def_bool y
-       depends on HAVE_ARCH_SECCOMP_FILTER && SECCOMP && NET
+       depends on HAVE_ARCH_SECCOMP_FILTER && SECCOMP
+       select BPF
        help
          Enable tasks to build secure computing environments defined
          in terms of Berkeley Packet Filter programs which implement
diff --git a/net/Kconfig b/net/Kconfig
index d92afe4204d9..e8dca9f836d9 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -6,6 +6,7 @@ menuconfig NET
        bool "Networking support"
        select NLATTR
        select GENERIC_NET_UTILS
+       select BPF
        ---help---
          Unless you really know what you are doing, you should say Y here.
          The reason is that some programs need kernel networking support even
@@ -370,6 +371,9 @@ source "net/nfc/Kconfig"
 
 endif   # if NET
 
+config BPF
+       boolean
+
 # Used by archs to tell that they support BPF_JIT
 config HAVE_BPF_JIT
        bool
diff --git a/net/Makefile b/net/Makefile
index d0e89323aee3..d56447bca1aa 100644
--- a/net/Makefile
+++ b/net/Makefile
@@ -8,7 +8,7 @@
 obj-y  := nonet.o
 
 obj-$(CONFIG_NET)              := socket.o core/
-obj-$(CONFIG_NET)              += bpf/
+obj-$(CONFIG_BPF)              += bpf/
 
 tmp-$(CONFIG_COMPAT)           := compat.o
 obj-$(CONFIG_NET)              += $(tmp-y)
diff --git a/net/bpf/core.c b/net/bpf/core.c
index 22c2d99414c0..8ca1b37ddc28 100644
--- a/net/bpf/core.c
+++ b/net/bpf/core.c
@@ -1040,3 +1040,24 @@ void sk_filter_free(struct sk_filter *fp)
        bpf_jit_free(fp);
 }
 EXPORT_SYMBOL_GPL(sk_filter_free);
+
+/* kernel configuration that do not enable NET are not using
+ * classic BPF extensions
+ */
+bool __weak sk_convert_bpf_extensions(struct sock_filter *fp,
+                                     struct sock_filter_int **insnp)
+{
+       return false;
+}
+
+/* To emulate LD_ABS/LD_IND instructions __sk_run_filter() may call
+ * skb_copy_bits(), so provide a weak definition for it in NET-less config.
+ * seccomp_check_filter() verifies that seccomp filters are not using
+ * LD_ABS/LD_IND instructions. Other BPF users (like tracing filters)
+ * must not use these instructions unless ctx==skb
+ */
+int __weak skb_copy_bits(const struct sk_buff *skb, int offset, void *to,
+                        int len)
+{
+       return -EFAULT;
+}
-- 
1.7.9.5

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[PATCH net-next 2/2] net: filter: split BPF out of core networking

Reply via email to