Commit eafb7b9d authored by James Morris's avatar James Morris

Merge tag 'seccomp-v4.9-rc4' of...

Merge tag 'seccomp-v4.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux into ra-next

- fix function prototype documentation
- fix samples to include NNP setting
- fix samples to avoid rule truncation
- fix samples hostprogs variable in Makefile
parents 07d9a380 d881d25c
+3 −4
@@ -41,8 +41,7 @@
 *         outside of a lifetime-guarded section.  In general, this
 *         is only needed for handling filters shared across tasks.
 * @prev: points to a previously installed, or inherited, filter
 * @len: the number of instructions in the program
 * @insnsi: the BPF program instructions to evaluate
 * @prog: the BPF program to evaluate
 *
 * seccomp_filter objects are organized in a tree linked via the @prev
 * pointer.  For any task, it appears to be a singly-linked list starting
@@ -168,8 +167,8 @@ static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen)
}

/**
 * seccomp_run_filters - evaluates all seccomp filters against @syscall
 * @syscall: number of the current system call
 * seccomp_run_filters - evaluates all seccomp filters against @sd
 * @sd: optional seccomp data to be passed to filters
 *
 * Returns valid seccomp BPF response codes.
 */
+2 −2
@@ -36,13 +36,13 @@ HOSTLOADLIBES_bpf-direct += $(MFLAG)
HOSTLOADLIBES_bpf-fancy += $(MFLAG)
HOSTLOADLIBES_dropper += $(MFLAG)
endif
always := $(hostprogs-y)
always := $(hostprogs-m)
else
# MIPS system calls are defined based on the -mabi that is passed
# to the toolchain which may or may not be a valid option
# for the host toolchain. So disable tests if target architecture
# is MIPS but the host isn't.
ifndef CONFIG_MIPS
always := $(hostprogs-y)
always := $(hostprogs-m)
endif
endif
+19 −19
@@ -18,41 +18,41 @@
int bpf_resolve_jumps(struct bpf_labels *labels,
		      struct sock_filter *filter, size_t count)
{
	struct sock_filter *begin = filter;
	__u8 insn = count - 1;
	size_t i;

	if (count < 1)
	if (count < 1 || count > BPF_MAXINSNS)
		return -1;
	/*
	* Walk it once, backwards, to build the label table and do fixups.
	* Since backward jumps are disallowed by BPF, this is easy.
	*/
	filter += insn;
	for (; filter >= begin; --insn, --filter) {
		if (filter->code != (BPF_JMP+BPF_JA))
	for (i = 0; i < count; ++i) {
		size_t offset = count - i - 1;
		struct sock_filter *instr = &filter[offset];
		if (instr->code != (BPF_JMP+BPF_JA))
			continue;
		switch ((filter->jt<<8)|filter->jf) {
		switch ((instr->jt<<8)|instr->jf) {
		case (JUMP_JT<<8)|JUMP_JF:
			if (labels->labels[filter->k].location == 0xffffffff) {
			if (labels->labels[instr->k].location == 0xffffffff) {
				fprintf(stderr, "Unresolved label: '%s'\n",
					labels->labels[filter->k].label);
					labels->labels[instr->k].label);
				return 1;
			}
			filter->k = labels->labels[filter->k].location -
				    (insn + 1);
			filter->jt = 0;
			filter->jf = 0;
			instr->k = labels->labels[instr->k].location -
				    (offset + 1);
			instr->jt = 0;
			instr->jf = 0;
			continue;
		case (LABEL_JT<<8)|LABEL_JF:
			if (labels->labels[filter->k].location != 0xffffffff) {
			if (labels->labels[instr->k].location != 0xffffffff) {
				fprintf(stderr, "Duplicate label use: '%s'\n",
					labels->labels[filter->k].label);
					labels->labels[instr->k].label);
				return 1;
			}
			labels->labels[filter->k].location = insn;
			filter->k = 0; /* fall through */
			filter->jt = 0;
			filter->jf = 0;
			labels->labels[instr->k].location = offset;
			instr->k = 0; /* fall through */
			instr->jt = 0;
			instr->jf = 0;
			continue;
		}
	}
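Review bot: `instr->k` is used as an index into `labels->labels[]` in both the JUMP and LABEL cases without a range check, so a filter whose label index lies outside the table reads past it and, in the LABEL case, writes past it; the new `count > BPF_MAXINSNS` guard bounds the instruction walk but not the label lookup. Since the helper header records how many labels were allocated, a guard before the switch such as `if (instr->k >= (__u32)labels->count) return 1;` would reject a malformed program instead of corrupting the table — confirm the field name against bpf-helper.h. The expression `labels->labels[instr->k].location - (offset + 1)` mixes __u32 and size_t and then narrows back to __u32 on assignment; an explicit `(__u32)` cast there would document that the result is known to fit because only forward jumps reach this point. The function's trailing return is outside the hunk.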
+5 −2
@@ -11,7 +11,6 @@
 * When run, returns the specified errno for the specified
 * system call number against the given architecture.
 *
 * Run this one as root as PR_SET_NO_NEW_PRIVS is not called.
 */

#include <errno.h>
@@ -42,8 +41,12 @@ static int install_filter(int nr, int arch, int error)
		.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
		.filter = filter,
	};
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
		perror("prctl(NO_NEW_PRIVS)");
		return 1;
	}
	if (prctl(PR_SET_SECCOMP, 2, &prog)) {
		perror("prctl");
		perror("prctl(PR_SET_SECCOMP)");
		return 1;
	}
	return 0;
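Review bot: The mode argument in `prctl(PR_SET_SECCOMP, 2, &prog)` is a bare magic number; the newly added NO_NEW_PRIVS call directly above spells out its intent, and the filter install should do the same with `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)`, assuming <linux/seccomp.h> is already among the includes (the include block lies outside this hunk). Setting PR_SET_NO_NEW_PRIVS before installing the filter is what lets an unprivileged process load it, so removing the "run as root" sentence in the first hunk is consistent with the code change. install_filter's signature and the start of its initializers are before the hunk.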