mirror of https://gitee.com/openkylin/linux.git
seccomp: rename "usage" to "refs" and document
Naming the lifetime counter of a seccomp filter "usage" suggests a little too strongly that its about tasks that are using this filter while it also tracks other references such as the user notifier or ptrace. This also updates the documentation to note this fact. We'll be introducing an actual usage counter in a follow-up patch. Cc: Tycho Andersen <tycho@tycho.ws> Cc: Kees Cook <keescook@chromium.org> Cc: Matt Denton <mpdenton@google.com> Cc: Sargun Dhillon <sargun@sargun.me> Cc: Jann Horn <jannh@google.com> Cc: Chris Palmer <palmer@google.com> Cc: Aleksa Sarai <cyphar@cyphar.com> Cc: Robert Sesek <rsesek@google.com> Cc: Jeffrey Vander Stoep <jeffv@google.com> Cc: Linux Containers <containers@lists.linux-foundation.org> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> Link: https://lore.kernel.org/r/20200531115031.391515-1-christian.brauner@ubuntu.com Signed-off-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
parent
9f87dcf14b
commit
b707ddee11
|
@ -107,10 +107,11 @@ struct notification {
|
||||||
/**
|
/**
|
||||||
* struct seccomp_filter - container for seccomp BPF programs
|
* struct seccomp_filter - container for seccomp BPF programs
|
||||||
*
|
*
|
||||||
* @usage: reference count to manage the object lifetime.
|
* @refs: Reference count to manage the object lifetime.
|
||||||
* get/put helpers should be used when accessing an instance
|
* A filter's reference count is incremented for each directly
|
||||||
* outside of a lifetime-guarded section. In general, this
|
* attached task, once for the dependent filter, and if
|
||||||
* is only needed for handling filters shared across tasks.
|
* requested for the user notifier. When @refs reaches zero,
|
||||||
|
* the filter can be freed.
|
||||||
* @log: true if all actions except for SECCOMP_RET_ALLOW should be logged
|
* @log: true if all actions except for SECCOMP_RET_ALLOW should be logged
|
||||||
* @prev: points to a previously installed, or inherited, filter
|
* @prev: points to a previously installed, or inherited, filter
|
||||||
* @prog: the BPF program to evaluate
|
* @prog: the BPF program to evaluate
|
||||||
|
@ -125,10 +126,10 @@ struct notification {
|
||||||
* how namespaces work.
|
* how namespaces work.
|
||||||
*
|
*
|
||||||
* seccomp_filter objects should never be modified after being attached
|
* seccomp_filter objects should never be modified after being attached
|
||||||
* to a task_struct (other than @usage).
|
* to a task_struct (other than @refs).
|
||||||
*/
|
*/
|
||||||
struct seccomp_filter {
|
struct seccomp_filter {
|
||||||
refcount_t usage;
|
refcount_t refs;
|
||||||
bool log;
|
bool log;
|
||||||
struct seccomp_filter *prev;
|
struct seccomp_filter *prev;
|
||||||
struct bpf_prog *prog;
|
struct bpf_prog *prog;
|
||||||
|
@ -464,7 +465,7 @@ static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog)
|
||||||
return ERR_PTR(ret);
|
return ERR_PTR(ret);
|
||||||
}
|
}
|
||||||
|
|
||||||
refcount_set(&sfilter->usage, 1);
|
refcount_set(&sfilter->refs, 1);
|
||||||
|
|
||||||
return sfilter;
|
return sfilter;
|
||||||
}
|
}
|
||||||
|
@ -558,7 +559,7 @@ static long seccomp_attach_filter(unsigned int flags,
|
||||||
|
|
||||||
static void __get_seccomp_filter(struct seccomp_filter *filter)
|
static void __get_seccomp_filter(struct seccomp_filter *filter)
|
||||||
{
|
{
|
||||||
refcount_inc(&filter->usage);
|
refcount_inc(&filter->refs);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* get_seccomp_filter - increments the reference count of the filter on @tsk */
|
/* get_seccomp_filter - increments the reference count of the filter on @tsk */
|
||||||
|
@ -581,7 +582,7 @@ static inline void seccomp_filter_free(struct seccomp_filter *filter)
|
||||||
static void __put_seccomp_filter(struct seccomp_filter *orig)
|
static void __put_seccomp_filter(struct seccomp_filter *orig)
|
||||||
{
|
{
|
||||||
/* Clean up single-reference branches iteratively. */
|
/* Clean up single-reference branches iteratively. */
|
||||||
while (orig && refcount_dec_and_test(&orig->usage)) {
|
while (orig && refcount_dec_and_test(&orig->refs)) {
|
||||||
struct seccomp_filter *freeme = orig;
|
struct seccomp_filter *freeme = orig;
|
||||||
orig = orig->prev;
|
orig = orig->prev;
|
||||||
seccomp_filter_free(freeme);
|
seccomp_filter_free(freeme);
|
||||||
|
|
Loading…
Reference in New Issue