From patchwork Sun Oct 15 23:29:49 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hengqi Chen X-Patchwork-Id: 13422381 X-Patchwork-Delegate: bpf@iogearbox.net Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8534D17EC for ; Mon, 16 Oct 2023 01:47:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="O0PzweRp" Received: from mail-pj1-x1035.google.com (mail-pj1-x1035.google.com [IPv6:2607:f8b0:4864:20::1035]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E5FC9DA; Sun, 15 Oct 2023 18:47:30 -0700 (PDT) Received: by mail-pj1-x1035.google.com with SMTP id 98e67ed59e1d1-27cfb8442f9so2343601a91.2; Sun, 15 Oct 2023 18:47:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697420849; x=1698025649; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=jHaBMootb9r45Igd+ylGLOd17RhwzfVYT0h/J8CZlqY=; b=O0PzweRpR+kxxWGKmR/pLQN3DpwPHvNwjesLnWZqY3pZ6wtIJqr4OUgsr3tCH4WS5M G1L6d2cSsVijzffs1GL8VCYld0pg0JAEPOehz02HKnCpgkCc28SIgDISgPUTHUnlHvIn BKoxMyjMX3IHb563bqRh1MPO79otOhOucTNAL/i+esTuaoMpoc+G78+JsVeNIVLhLgDF z1NcBiCF007Ql1jLIyFhto8djmLJnc4IhrJ9n8cDeYx1BVJppiRBCIEM9kBMCvnt6Lm9 bwgcvsSkPSR3RzGDrxL3Za8fwrlvR0k/hzWoNl00SlKjudZQhdfDZ5Cd4Kak04FpNXCy V3Rw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697420849; x=1698025649; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=jHaBMootb9r45Igd+ylGLOd17RhwzfVYT0h/J8CZlqY=; b=H2SnO6nHjrS77ri6tRXSLNTOmRBENHs+jfZwS+9txrV8g3q9fFe0ob2wCd5LXemesk d/RhtXsgkFThoAvVZ+CRATadhVCrcleXJ5OsiPYiwG7GO/DhaczSsgcmPcOLT5+tSV9M UQhiBXkgjOQWHyW4nkdRcBuzg+52gzDnm+R89EzMSfQeuhlBF6gvWrR9KSX3b/PUQCf6 fjjrXsdXH1KpV9Iq3Rb+42T8MjCkofriH/ClyWzOmF36ANyQX1quxDZF0hY/qhF0skET BphlIxRLeFaCfYRQ6ujXb0elZQ+zvtFjrXVW/j7nsoJNIw1s+pYOKjPjaqqw1WsnZJ56 51dw== X-Gm-Message-State: AOJu0YzjdG05RbZKNwQexe1b4jsEd3teWrlAv0QRoD25jHSiwOw5/8Zd tc9zJdkPf4bQ1grUJEjDVtYYxyrsze50Ng== X-Google-Smtp-Source: AGHT+IFAKFHmQYAOf76BYbrnl1hhfG4j1GW2+kyERdCml+yqXk1xm0DSkD2zzaKE0j0kcQguIqsqaw== X-Received: by 2002:a17:90b:1b4b:b0:27d:3290:dee3 with SMTP id nv11-20020a17090b1b4b00b0027d3290dee3mr5965226pjb.2.1697420849567; Sun, 15 Oct 2023 18:47:29 -0700 (PDT) Received: from ubuntu.. ([203.205.141.13]) by smtp.googlemail.com with ESMTPSA id pd17-20020a17090b1dd100b0027cfb5f010dsm3574377pjb.4.2023.10.15.18.47.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 15 Oct 2023 18:47:28 -0700 (PDT) From: Hengqi Chen To: linux-kernel@vger.kernel.org, bpf@vger.kernel.org Cc: keescook@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, luto@amacapital.net, wad@chromium.org, alexyonghe@tencent.com, hengqi.chen@gmail.com Subject: [PATCH v2 1/5] seccomp: Refactor filter copy/create for reuse Date: Sun, 15 Oct 2023 23:29:49 +0000 Message-Id: <20231015232953.84836-2-hengqi.chen@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231015232953.84836-1-hengqi.chen@gmail.com> References: <20231015232953.84836-1-hengqi.chen@gmail.com> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net This extracts two helpers for reuse in subsequent additions. No functional change intended, just a prep work. Signed-off-by: Hengqi Chen --- kernel/seccomp.c | 90 +++++++++++++++++++++++++++++++++--------------- 1 file changed, 63 insertions(+), 27 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 255999ba9190..faf84fc892eb 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -640,14 +640,14 @@ static inline void seccomp_sync_threads(unsigned long flags) } /** - * seccomp_prepare_filter: Prepares a seccomp filter for use. - * @fprog: BPF program to install + * seccomp_prepare_prog - prepares a JITed BPF filter for use. + * @pfp: the unattached filter that is created + * @fprog: the filter program * - * Returns filter on success or an ERR_PTR on failure. + * Returns 0 on success and non-zero otherwise. */ -static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog) +static int seccomp_prepare_prog(struct bpf_prog **pfp, struct sock_fprog *fprog) { - struct seccomp_filter *sfilter; int ret; const bool save_orig = #if defined(CONFIG_CHECKPOINT_RESTORE) || defined(SECCOMP_ARCH_NATIVE) @@ -657,10 +657,27 @@ static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog) #endif if (fprog->len == 0 || fprog->len > BPF_MAXINSNS) - return ERR_PTR(-EINVAL); + return -EINVAL; BUG_ON(INT_MAX / fprog->len < sizeof(struct sock_filter)); + ret = bpf_prog_create_from_user(pfp, fprog, seccomp_check_filter, save_orig); + if (ret < 0) + return ret; + + return 0; +} + +/** + * seccomp_prepare_filter: Prepares a seccomp filter for use. + * @prog: BPF program to install + * + * Returns filter on success or an ERR_PTR on failure. + */ +static struct seccomp_filter *seccomp_prepare_filter(struct bpf_prog *prog) +{ + struct seccomp_filter *sfilter; + /* * Installing a seccomp filter requires that the task has * CAP_SYS_ADMIN in its namespace or be running with no_new_privs. @@ -677,13 +694,7 @@ static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog) return ERR_PTR(-ENOMEM); mutex_init(&sfilter->notify_lock); - ret = bpf_prog_create_from_user(&sfilter->prog, fprog, - seccomp_check_filter, save_orig); - if (ret < 0) { - kfree(sfilter); - return ERR_PTR(ret); - } - + sfilter->prog = prog; refcount_set(&sfilter->refs, 1); refcount_set(&sfilter->users, 1); init_waitqueue_head(&sfilter->wqh); @@ -692,31 +703,56 @@ static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog) } /** - * seccomp_prepare_user_filter - prepares a user-supplied sock_fprog + * seccomp_copy_user_filter - copies a user-supplied sock_fprog * @user_filter: pointer to the user data containing a sock_fprog. + * @fprog: pointer to store the copied BPF program * * Returns 0 on success and non-zero otherwise. */ -static struct seccomp_filter * -seccomp_prepare_user_filter(const char __user *user_filter) +static int seccomp_copy_user_filter(const char __user *user_filter, struct sock_fprog *fprog) { - struct sock_fprog fprog; - struct seccomp_filter *filter = ERR_PTR(-EFAULT); - #ifdef CONFIG_COMPAT if (in_compat_syscall()) { struct compat_sock_fprog fprog32; if (copy_from_user(&fprog32, user_filter, sizeof(fprog32))) - goto out; - fprog.len = fprog32.len; - fprog.filter = compat_ptr(fprog32.filter); + return -EFAULT; + fprog->len = fprog32.len; + fprog->filter = compat_ptr(fprog32.filter); } else /* falls through to the if below. */ #endif - if (copy_from_user(&fprog, user_filter, sizeof(fprog))) - goto out; - filter = seccomp_prepare_filter(&fprog); -out: - return filter; + if (copy_from_user(fprog, user_filter, sizeof(*fprog))) + return -EFAULT; + + return 0; +} + +/** + * seccomp_prepare_user_filter - prepares a user-supplied sock_fprog + * @user_filter: pointer to the user data containing a sock_fprog. + * + * Returns filter on success or an ERR_PTR on failure. + */ +static struct seccomp_filter * +seccomp_prepare_user_filter(const char __user *user_filter) +{ + struct seccomp_filter *sfilter; + struct sock_fprog fprog; + struct bpf_prog *prog; + int ret; + + ret = seccomp_copy_user_filter(user_filter, &fprog); + if (ret) + return ERR_PTR(ret); + + ret = seccomp_prepare_prog(&prog, &fprog); + if (ret) + return ERR_PTR(ret); + + sfilter = seccomp_prepare_filter(prog); + if (IS_ERR(sfilter)) + bpf_prog_destroy(prog); + + return sfilter; } #ifdef SECCOMP_ARCH_NATIVE From patchwork Sun Oct 15 23:29:50 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hengqi Chen X-Patchwork-Id: 13422382 X-Patchwork-Delegate: bpf@iogearbox.net Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3BFF51369 for ; Mon, 16 Oct 2023 01:47:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="LHGgOUlq" Received: from mail-pf1-x433.google.com (mail-pf1-x433.google.com [IPv6:2607:f8b0:4864:20::433]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 03D45F4; Sun, 15 Oct 2023 18:47:37 -0700 (PDT) Received: by mail-pf1-x433.google.com with SMTP id d2e1a72fcca58-6b2018a11efso2402457b3a.0; Sun, 15 Oct 2023 18:47:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697420856; x=1698025656; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=kSRIz1vcgrjsRKJR1DAFgT80TJOeno9JVnMf1bkF8yQ=; b=LHGgOUlqsGoQijaWFtVw0zgQtzoBgVsejg25gDfGoTDVaXt7zgixYS1WYbvJsuiJl0 5aGxxlqDrAhmXESGDotyIiMODzeg+3Oo6zDFOfSKTa9f5VtWpIODIXt9PevhR6SNnAch 3GUFwiffKuaakcBKlmZhqAjtNCZuYaWSYIdTjv/7EeHnhQgqQmdtYxMau1Uknmd3f71i Z6tEu1CUZJLJq3FMOowQWaJ0hvUXpfcXLAAyYype84ebdwTLvDWdpi1wFPuK8TeNGWPt jIx2n6/t+31Ihr6aRbJIZnUwKhPaTxe9hDOsE0nPG3g+GX2JiT67NNKaJqGKKRc8aSgd BVPw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697420856; x=1698025656; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=kSRIz1vcgrjsRKJR1DAFgT80TJOeno9JVnMf1bkF8yQ=; b=Xop1EOnnsWzLZpVq0Qk55ABG+Mm/PtS/euqZpfZjgx3WCnNLRKbXEB7k9F0KzPQGjl qSgIOrgtmzlndc9/dL8XN7AWoEEWq+0v4GOmOiMSWBe1iN3jymSVc8l9tQDPegrsHYFQ fV7XCCIu8I3crUhOFqMwPqgc4oxGtJs9Au2ceADledQ9JgPw5iBcs1I45VvorCREXw52 oMvq4r2m1uN9Tql34O/GvGWfdefcsYkXLck+hHDWfSTviPUX9HtMl1haj+pBB33adlG3 eZT02guJ29Unm2owkzrNm+Rkr/R1ThGa1CQnaLc5KayX4EuySTNRnQhpNODRIQL/ONam JsfQ== X-Gm-Message-State: AOJu0Yy/+hZgXXwo1yxv7MAueIq8LKVWWN1+B9oFhWKi5c0uK+tC/0SP E61ey51P8rP5zytg0aGVVMSAof8AqDp84A== X-Google-Smtp-Source: AGHT+IEqrQpf1nJmozXn/wsImrF3IT7qQfBZOmsgPZiOrtm06RkyDB9tCIyMZ5XM12QEqUWaNPh+4A== X-Received: by 2002:a05:6a21:7785:b0:179:f79e:8615 with SMTP id bd5-20020a056a21778500b00179f79e8615mr5301459pzc.52.1697420856610; Sun, 15 Oct 2023 18:47:36 -0700 (PDT) Received: from ubuntu.. ([203.205.141.13]) by smtp.googlemail.com with ESMTPSA id pd17-20020a17090b1dd100b0027cfb5f010dsm3574377pjb.4.2023.10.15.18.47.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 15 Oct 2023 18:47:35 -0700 (PDT) From: Hengqi Chen To: linux-kernel@vger.kernel.org, bpf@vger.kernel.org Cc: keescook@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, luto@amacapital.net, wad@chromium.org, alexyonghe@tencent.com, hengqi.chen@gmail.com Subject: [PATCH v2 2/5] seccomp, bpf: Introduce SECCOMP_LOAD_FILTER operation Date: Sun, 15 Oct 2023 23:29:50 +0000 Message-Id: <20231015232953.84836-3-hengqi.chen@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231015232953.84836-1-hengqi.chen@gmail.com> References: <20231015232953.84836-1-hengqi.chen@gmail.com> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Patchwork-Delegate: bpf@iogearbox.net This patch adds a new operation named SECCOMP_LOAD_FILTER. It accepts a sock_fprog the same as SECCOMP_SET_MODE_FILTER but only performs the loading process. If succeed, return a new fd associated with the JITed BPF program (the filter). The filter can then be pinned to bpffs using the returned fd and reused for different processes. To distinguish the filter from other BPF progs, BPF_PROG_TYPE_SECCOMP is added. Signed-off-by: Hengqi Chen --- include/uapi/linux/bpf.h | 1 + include/uapi/linux/seccomp.h | 1 + kernel/seccomp.c | 43 ++++++++++++++++++++++++++++++++++ tools/include/uapi/linux/bpf.h | 1 + 4 files changed, 46 insertions(+) diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index 7ba61b75bc0e..61c80ffb1724 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -995,6 +995,7 @@ enum bpf_prog_type { BPF_PROG_TYPE_SK_LOOKUP, BPF_PROG_TYPE_SYSCALL, /* a program that can execute syscalls */ BPF_PROG_TYPE_NETFILTER, + BPF_PROG_TYPE_SECCOMP, }; enum bpf_attach_type { diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h index dbfc9b37fcae..ee2c83697810 100644 --- a/include/uapi/linux/seccomp.h +++ b/include/uapi/linux/seccomp.h @@ -16,6 +16,7 @@ #define SECCOMP_SET_MODE_FILTER 1 #define SECCOMP_GET_ACTION_AVAIL 2 #define SECCOMP_GET_NOTIF_SIZES 3 +#define SECCOMP_LOAD_FILTER 4 /* Valid flags for SECCOMP_SET_MODE_FILTER */ #define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index faf84fc892eb..c9f6a19f7a4e 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -17,6 +17,7 @@ #include #include +#include #include #include #include @@ -25,6 +26,7 @@ #include #include #include +#include #include #include #include @@ -2032,12 +2034,48 @@ static long seccomp_set_mode_filter(unsigned int flags, seccomp_filter_free(prepared); return ret; } + +static long seccomp_load_filter(const char __user *filter) +{ + struct sock_fprog fprog; + struct bpf_prog *prog; + int ret; + + ret = seccomp_copy_user_filter(filter, &fprog); + if (ret) + return ret; + + ret = seccomp_prepare_prog(&prog, &fprog); + if (ret) + return ret; + + ret = security_bpf_prog_alloc(prog->aux); + if (ret) { + bpf_prog_free(prog); + return ret; + } + + prog->aux->user = get_current_user(); + atomic64_set(&prog->aux->refcnt, 1); + prog->type = BPF_PROG_TYPE_SECCOMP; + + ret = bpf_prog_new_fd(prog); + if (ret < 0) + bpf_prog_put(prog); + + return ret; +} #else static inline long seccomp_set_mode_filter(unsigned int flags, const char __user *filter) { return -EINVAL; } + +static inline long seccomp_load_filter(const char __user *filter) +{ + return -EINVAL; +} #endif static long seccomp_get_action_avail(const char __user *uaction) @@ -2099,6 +2137,11 @@ static long do_seccomp(unsigned int op, unsigned int flags, return -EINVAL; return seccomp_get_notif_sizes(uargs); + case SECCOMP_LOAD_FILTER: + if (flags != 0) + return -EINVAL; + + return seccomp_load_filter(uargs); default: return -EINVAL; } diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h index 7ba61b75bc0e..61c80ffb1724 100644 --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h @@ -995,6 +995,7 @@ enum bpf_prog_type { BPF_PROG_TYPE_SK_LOOKUP, BPF_PROG_TYPE_SYSCALL, /* a program that can execute syscalls */ BPF_PROG_TYPE_NETFILTER, + BPF_PROG_TYPE_SECCOMP, }; enum bpf_attach_type { From patchwork Sun Oct 15 23:29:51 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hengqi Chen X-Patchwork-Id: 13422383 X-Patchwork-Delegate: bpf@iogearbox.net Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 05BC017EC for ; Mon, 16 Oct 2023 01:47:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="MIp7kBIS" Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D50D3E1; Sun, 15 Oct 2023 18:47:42 -0700 (PDT) Received: by mail-pj1-x1029.google.com with SMTP id 98e67ed59e1d1-27d17f5457fso3049568a91.0; Sun, 15 Oct 2023 18:47:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697420861; x=1698025661; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=sG+9X4nVV+pHbrjt1Lng7ohViJzwy8aDHAaR38B9wtI=; b=MIp7kBIS/yoSBdepUlPZldhNS4fP9f2bcdz/X3aSp88nbnKW4JY+QrGkLhYnIN6i9T J9ZKQSnrU9kA/bYDQXruwMwnSJC0L7WZlAJ5R16fk4qSTQmhtaLGu5yRrMMix0WaLZr/ nphYUbcb9DLzHDdouR4KcQBWCvXNM1Qjvhcjk0Fx/+DLMCb2CSCTfA+vVi8Rb2ERKuOz wS4csYMY0AXmkVEvMWm0W1iPFa0coOc1TuEIg8kKZm0WLCLJR8Re15qYyj7aXGBZZGxF 9iU4YtG1CA5fW6pnpkBhy0WKl+BhZHPYa8m9Ykzh+rWuNZ98CuTz0vTl0yeXQBDz4yrB wIEg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697420861; x=1698025661; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=sG+9X4nVV+pHbrjt1Lng7ohViJzwy8aDHAaR38B9wtI=; b=ljhJPdCidai855p1YaLQOaxK6UTiLdlOMm6kc1HSgvOLx/pCUF7Ypg4dZm0pIvPKco UFBZ9Bso/fdxf3/j22silrvR/Boa3iLCwyhRNd1YKknqmEeyCAH6EpuedllyDDXbw1qd Qciy5Z58DvTPWDLaIjLhuF7Z9ROh2PuU4Pesc/5tj4iOjcj6wYX9VjeJ4YB5g9pZ/3Ig wUsJH0naLvsqAyk3uKFterJFhBiOVQYRCUD9f+IITIpZHgNJSHzMdlDl8AOGUC27dJPX U0XHVd0y+MBysrDylK8Xwz9jzCxsx9PbvqMmt0i7Sl6HOEp6lFWhjG7jgM7ojylIKY5w 0oAQ== X-Gm-Message-State: AOJu0Yx08+8cEwzFGf7UtIiPQQA7I9NHBj9EMI9rWM4P7OL+qVMUgv6s P9D5osmvnqnG1Bxai8W8Y9gRFukllr8QMQ== X-Google-Smtp-Source: AGHT+IF8TmvH+rCTiJz05lotuOhS65iIxERZMt65PvK3N3oyr+1FHrG3S0m6kngh7s73+mzPFOc/Jw== X-Received: by 2002:a17:90b:1bcf:b0:27d:5568:e867 with SMTP id oa15-20020a17090b1bcf00b0027d5568e867mr8500687pjb.9.1697420861504; Sun, 15 Oct 2023 18:47:41 -0700 (PDT) Received: from ubuntu.. ([203.205.141.13]) by smtp.googlemail.com with ESMTPSA id pd17-20020a17090b1dd100b0027cfb5f010dsm3574377pjb.4.2023.10.15.18.47.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 15 Oct 2023 18:47:40 -0700 (PDT) From: Hengqi Chen To: linux-kernel@vger.kernel.org, bpf@vger.kernel.org Cc: keescook@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, luto@amacapital.net, wad@chromium.org, alexyonghe@tencent.com, hengqi.chen@gmail.com Subject: [PATCH v2 3/5] seccomp: Introduce new flag SECCOMP_FILTER_FLAG_BPF_PROG_FD Date: Sun, 15 Oct 2023 23:29:51 +0000 Message-Id: <20231015232953.84836-4-hengqi.chen@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231015232953.84836-1-hengqi.chen@gmail.com> References: <20231015232953.84836-1-hengqi.chen@gmail.com> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Add a new flag SECCOMP_FILTER_FLAG_BPF_PROG_FD for SECCOMP_SET_MODE_FILTER. This indicates the seccomp filter is a seccomp bpf prog fd, not a sock_fprog. This allows us to attach the seccomp filter that is previously loaded via SECCOMP_LOAD_FILTER. Signed-off-by: Hengqi Chen --- include/linux/seccomp.h | 3 ++- include/uapi/linux/seccomp.h | 2 ++ kernel/seccomp.c | 37 ++++++++++++++++++++++++++++++++++-- 3 files changed, 39 insertions(+), 3 deletions(-) diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index 175079552f68..7caa53b629d9 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h @@ -9,7 +9,8 @@ SECCOMP_FILTER_FLAG_SPEC_ALLOW | \ SECCOMP_FILTER_FLAG_NEW_LISTENER | \ SECCOMP_FILTER_FLAG_TSYNC_ESRCH | \ - SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV) + SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV | \ + SECCOMP_FILTER_FLAG_BPF_PROG_FD) /* sizeof() the first published struct seccomp_notif_addfd */ #define SECCOMP_NOTIFY_ADDFD_SIZE_VER0 24 diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h index ee2c83697810..d6b243d1b4d5 100644 --- a/include/uapi/linux/seccomp.h +++ b/include/uapi/linux/seccomp.h @@ -26,6 +26,8 @@ #define SECCOMP_FILTER_FLAG_TSYNC_ESRCH (1UL << 4) /* Received notifications wait in killable state (only respond to fatal signals) */ #define SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV (1UL << 5) +/* Indicates that the filter is in form of bpf prog fd */ +#define SECCOMP_FILTER_FLAG_BPF_PROG_FD (1UL << 6) /* * All BPF programs must return a 32-bit value. diff --git a/kernel/seccomp.c b/kernel/seccomp.c index c9f6a19f7a4e..3a977e5932a4 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -525,7 +525,10 @@ static inline pid_t seccomp_can_sync_threads(void) static inline void seccomp_filter_free(struct seccomp_filter *filter) { if (filter) { - bpf_prog_destroy(filter->prog); + if (filter->prog->type == BPF_PROG_TYPE_SECCOMP) + bpf_prog_put(filter->prog); + else + bpf_prog_destroy(filter->prog); kfree(filter); } } @@ -757,6 +760,33 @@ seccomp_prepare_user_filter(const char __user *user_filter) return sfilter; } +/** + * seccomp_prepare_filter_from_fd - prepares filter from a user-supplied fd + * @ufd: pointer to fd that refers to a seccomp bpf prog. + * + * Returns filter on success or an ERR_PTR on failure. + */ +static struct seccomp_filter * +seccomp_prepare_filter_from_fd(const char __user *ufd) +{ + struct seccomp_filter *sfilter; + struct bpf_prog *prog; + int fd; + + if (copy_from_user(&fd, ufd, sizeof(fd))) + return ERR_PTR(-EFAULT); + + prog = bpf_prog_get_type(fd, BPF_PROG_TYPE_SECCOMP); + if (IS_ERR(prog)) + return ERR_PTR(-EBADF); + + sfilter = seccomp_prepare_filter(prog); + if (IS_ERR(sfilter)) + bpf_prog_put(prog); + + return sfilter; +} + #ifdef SECCOMP_ARCH_NATIVE /** * seccomp_is_const_allow - check if filter is constant allow with given data @@ -1970,7 +2000,10 @@ static long seccomp_set_mode_filter(unsigned int flags, return -EINVAL; /* Prepare the new filter before holding any locks. */ - prepared = seccomp_prepare_user_filter(filter); + if (flags & SECCOMP_FILTER_FLAG_BPF_PROG_FD) + prepared = seccomp_prepare_filter_from_fd(filter); + else + prepared = seccomp_prepare_user_filter(filter); if (IS_ERR(prepared)) return PTR_ERR(prepared); From patchwork Sun Oct 15 23:29:52 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hengqi Chen X-Patchwork-Id: 13422384 X-Patchwork-Delegate: bpf@iogearbox.net Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0FA3D1842 for ; Mon, 16 Oct 2023 01:47:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="YDvJWz5S" Received: from mail-pj1-x102c.google.com (mail-pj1-x102c.google.com [IPv6:2607:f8b0:4864:20::102c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 42EB3E3; Sun, 15 Oct 2023 18:47:48 -0700 (PDT) Received: by mail-pj1-x102c.google.com with SMTP id 98e67ed59e1d1-27cefb5ae1fso2052772a91.3; Sun, 15 Oct 2023 18:47:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697420867; x=1698025667; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=rzhM/tCHpGy9FYSH/tZ16wiAC3i6sgxn/Z+el+7Dm1k=; b=YDvJWz5SUv42X86EguqALMrurSGYJkzgaoj0EjkR1f4Kk28BlUTPX/3ubuM/P125+S 96cSveMxU0Wp4TPi4vGTgqfyqC4UD81CGmyVvAzxrZ068nypxtcfyPLB02P6NHnNCwfZ X91N9QTRMOF3oTvXb/2i41QtMcDAYfU50CC0HGLyigzAc2rrDprnkAzGYkkGCn0YaGDu hg9wlu+sHT4ybbgRM5pN91ILrvCNfm4ZSFOA7WCzdPC/VaSV2WiCyeRr01Od0NvZk1pz BDkqishN7C46/anPZgiEIhbYPC6bIxMoWjvwbydIzcnAvUWUvDutleSPamdltv8q/IVn TFSg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697420867; x=1698025667; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=rzhM/tCHpGy9FYSH/tZ16wiAC3i6sgxn/Z+el+7Dm1k=; b=ucL8t3qXJMkrSHEJvsjQih2KRmjeHCVzf/vdMTDlUHLdcu192D7xQeqgW/NJLWBo4h y1SGy3iFFvTN6AHaEDkBkJMjaJ8DcNycb2EgADBir72+FvjxgvsXd/JOivXcAJeX0ygM YISqC0P8yvAPAr+uKFbOBhKJdjjTv8uuoLsPvzL7TvNgPZVx1w1ASTnGtKJrbEnTzlal 10oMw14ZLrnQuyNl0Req2xkVgxTddnF/0p0fUxO60CJSPXnjdeYCbP8Na/mnE9cvcG64 88Wsvt35cgXW9WbKGHfuUI6XSr7Wb/qdfQj29e4RZSV6WNSfgmx5tNRwPN2Nimc4R7PQ B6oQ== X-Gm-Message-State: AOJu0YyNRbBzUtGIVSObQjXvWq1uMe2HU2PjTgEZD0zzfE+xZLV7JXfG EhYXvV4f44PIu33a9ytNZgFxtPS8CfXtLw== X-Google-Smtp-Source: AGHT+IHSVwNqssEMUtYCFYaIs6EUfdbJpktqLxGmk4ZEISa8uxTbyvKHI+bTGiJs64H2y879QLfg4w== X-Received: by 2002:a17:90b:23cc:b0:27d:2364:44f6 with SMTP id md12-20020a17090b23cc00b0027d236444f6mr7416596pjb.6.1697420866960; Sun, 15 Oct 2023 18:47:46 -0700 (PDT) Received: from ubuntu.. ([203.205.141.13]) by smtp.googlemail.com with ESMTPSA id pd17-20020a17090b1dd100b0027cfb5f010dsm3574377pjb.4.2023.10.15.18.47.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 15 Oct 2023 18:47:46 -0700 (PDT) From: Hengqi Chen To: linux-kernel@vger.kernel.org, bpf@vger.kernel.org Cc: keescook@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, luto@amacapital.net, wad@chromium.org, alexyonghe@tencent.com, hengqi.chen@gmail.com Subject: [PATCH v2 4/5] selftests/seccomp: Test seccomp filter load and attach Date: Sun, 15 Oct 2023 23:29:52 +0000 Message-Id: <20231015232953.84836-5-hengqi.chen@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231015232953.84836-1-hengqi.chen@gmail.com> References: <20231015232953.84836-1-hengqi.chen@gmail.com> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Add testcases to exercise the newly added seccomp filter load and attach functionalities. Signed-off-by: Hengqi Chen --- tools/testing/selftests/seccomp/seccomp_bpf.c | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 38f651469968..86600d40d01f 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -4735,6 +4735,50 @@ TEST(user_notification_wait_killable_fatal) EXPECT_EQ(SIGTERM, WTERMSIG(status)); } +TEST(seccomp_filter_load_and_attach) +{ + struct sock_filter filter[] = { + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog prog = { + .len = (unsigned short)ARRAY_SIZE(filter), + .filter = filter, + }; + int fd, ret, flags; + + flags = 0; + fd = seccomp(SECCOMP_LOAD_FILTER, flags, &prog); + ASSERT_GT(fd, -1); + + flags = SECCOMP_FILTER_FLAG_BPF_PROG_FD; + ret = seccomp(SECCOMP_SET_MODE_FILTER, flags, &fd); + ASSERT_EQ(ret, 0); + + close(fd); +} + +TEST(seccomp_attach_fd_failed) +{ + int fd, ret, flags; + + fd = socket(AF_UNIX, SOCK_STREAM, 0); + ASSERT_GT(fd, -1); + + /* copy a sock_fprog from a fd */ + flags = 0; + ret = seccomp(SECCOMP_SET_MODE_FILTER, flags, &fd); + ASSERT_EQ(ret, -1); + ASSERT_EQ(errno, EFAULT); + + /* pass a non seccomp bpf prog fd */ + flags = SECCOMP_FILTER_FLAG_BPF_PROG_FD; + ret = seccomp(SECCOMP_SET_MODE_FILTER, flags, &fd); + ASSERT_EQ(ret, -1); + ASSERT_EQ(errno, EBADF); + + close(fd); +} + /* * TODO: * - expand NNP testing From patchwork Sun Oct 15 23:29:53 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hengqi Chen X-Patchwork-Id: 13422385 X-Patchwork-Delegate: bpf@iogearbox.net Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A9EEA17EA for ; Mon, 16 Oct 2023 01:47:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="C5kTRMBF" Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3B51EE9; Sun, 15 Oct 2023 18:47:52 -0700 (PDT) Received: by mail-pj1-x1029.google.com with SMTP id 98e67ed59e1d1-27d3ede72f6so2136314a91.1; Sun, 15 Oct 2023 18:47:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697420871; x=1698025671; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=mi5UmAT05d3969V2jLDH5OfDsDaXCi2SPvi05677hA4=; b=C5kTRMBFanemv7wO8grEXFn8sCR7wXzJ4Lv+wA9TIl+kJNxDaUi0T+cdqbrV4/WQcE e6F2HK2t3D9j4PF8akTTbHWfquiP2luxfy0FuXMpLYyKRNQw7htfyIDWETv2VzGZ/uM1 zWGTWJmXMRZNapAWdlXoeQCz60YUOCRuikPSrsjjWJ1EuJHVBbF/VASOPKR9Mlvc3vYi L8Qdlc4i2+oDzudw6IMjnz875Kl+ovhi81Im8qBNz0Ig+JY89z9SpV5BKnpak2BjPn1a XSPTvWAOQetAjXosjUw/nl4hQ+oKNjUEBKGnrFO1wdCn3weZr20AzE+BqM5KB1Z86Ud/ 6JNA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697420871; x=1698025671; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=mi5UmAT05d3969V2jLDH5OfDsDaXCi2SPvi05677hA4=; b=gNPspkZBG17h0ZNCiPpguqAPC/ugSzB9Z+cutjaOTnNDCAjYZ+BkI/KPCO1Cv+T+U7 pV2nlqzwWhkbl2VtNqXezE+tEv0eNyOhfVGAjPR+zIwhyPH6A8zfUsrozpHbGYPEDWJo mV/I3a1VH81rLWRhYkJe+GViQ8tht+07elQKHBk6fD8nyX+7xI/mKjLhJbGHvDlHgJ5s UjR14/4yZ7/Hu3xNhqgQE4tJTE9RhOlgGq6aUu3jhwBYM1Q0UOjnw8Ublw36rF/5lEC7 /P+qv7t/Uhdu+wzyECG3IElbpG0DbiHteyBNNkTKIWvUM/TZ5dqbF7mi6u2cqKwleWCz V70g== X-Gm-Message-State: AOJu0YyKjJnBzdLJA08QAMOfCM94A2igroSbyfhFgEGZ/tMJf5XPEr3p iDlnpe8KJp33fFr0AJdCAw3llFP16FC4Vw== X-Google-Smtp-Source: AGHT+IGH7TfUPliSmFctNHTFYoEc5e4R1mypniXEZZGepACzWiThk28fihmceiKF2saXXMrxHt+VWQ== X-Received: by 2002:a17:90b:8e:b0:27c:fc2a:a178 with SMTP id bb14-20020a17090b008e00b0027cfc2aa178mr14832393pjb.9.1697420870865; Sun, 15 Oct 2023 18:47:50 -0700 (PDT) Received: from ubuntu.. ([203.205.141.13]) by smtp.googlemail.com with ESMTPSA id pd17-20020a17090b1dd100b0027cfb5f010dsm3574377pjb.4.2023.10.15.18.47.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 15 Oct 2023 18:47:49 -0700 (PDT) From: Hengqi Chen To: linux-kernel@vger.kernel.org, bpf@vger.kernel.org Cc: keescook@chromium.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, luto@amacapital.net, wad@chromium.org, alexyonghe@tencent.com, hengqi.chen@gmail.com Subject: [PATCH v2 5/5] selftests/bpf: Skip BPF_PROG_TYPE_SECCOMP-related tests Date: Sun, 15 Oct 2023 23:29:53 +0000 Message-Id: <20231015232953.84836-6-hengqi.chen@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231015232953.84836-1-hengqi.chen@gmail.com> References: <20231015232953.84836-1-hengqi.chen@gmail.com> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Patchwork-Delegate: bpf@iogearbox.net We only allow BPF_PROG_TYPE_SECCOMP progs to be loaded via seccomp syscall. Skip related test on BPF side. Signed-off-by: Hengqi Chen --- tools/testing/selftests/bpf/prog_tests/libbpf_probes.c | 3 ++- tools/testing/selftests/bpf/prog_tests/libbpf_str.c | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/bpf/prog_tests/libbpf_probes.c b/tools/testing/selftests/bpf/prog_tests/libbpf_probes.c index 9f766ddd946a..134ae042c4da 100644 --- a/tools/testing/selftests/bpf/prog_tests/libbpf_probes.c +++ b/tools/testing/selftests/bpf/prog_tests/libbpf_probes.c @@ -28,7 +28,8 @@ void test_libbpf_probe_prog_types(void) enum bpf_prog_type prog_type = (enum bpf_prog_type)e->val; int res; - if (prog_type == BPF_PROG_TYPE_UNSPEC) + if (prog_type == BPF_PROG_TYPE_UNSPEC || + prog_type == BPF_PROG_TYPE_SECCOMP) continue; if (!test__start_subtest(prog_type_name)) diff --git a/tools/testing/selftests/bpf/prog_tests/libbpf_str.c b/tools/testing/selftests/bpf/prog_tests/libbpf_str.c index c440ea3311ed..35365500c326 100644 --- a/tools/testing/selftests/bpf/prog_tests/libbpf_str.c +++ b/tools/testing/selftests/bpf/prog_tests/libbpf_str.c @@ -186,6 +186,9 @@ static void test_libbpf_bpf_prog_type_str(void) const char *prog_type_str; char buf[256]; + if (prog_type == BPF_PROG_TYPE_SECCOMP) + continue; + prog_type_name = btf__str_by_offset(btf, e->name_off); prog_type_str = libbpf_bpf_prog_type_str(prog_type); ASSERT_OK_PTR(prog_type_str, prog_type_name);