Message-ID: <20251211124614.161900-4-aleksandr.mikhalitsyn@canonical.com>
Date: Thu, 11 Dec 2025 13:46:07 +0100
From: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@...onical.com>
To: kees@...nel.org
Cc: linux-kernel@...r.kernel.org,
	Andy Lutomirski <luto@...capital.net>,
	Will Drewry <wad@...omium.org>,
	Jonathan Corbet <corbet@....net>,
	Shuah Khan <shuah@...nel.org>,
	Aleksa Sarai <cyphar@...har.com>,
	Tycho Andersen <tycho@...ho.pizza>,
	Andrei Vagin <avagin@...il.com>,
	Christian Brauner <brauner@...nel.org>,
	Stéphane Graber <stgraber@...raber.org>,
	Alexander Mikhalitsyn <aleksandr.mikhalitsyn@...onical.com>
Subject: [PATCH v3 3/7] seccomp: keep track of seccomp filters with closed listeners

Let's distinguish seccomp filters with a closed listener
vs. seccomp filters which never had a listener.

We can easily do this by using the same ->notif pointer
field with the help of IS_ERR_OR_NULL().

No functional change intended.

Cc: linux-kernel@...r.kernel.org
Cc: Kees Cook <kees@...nel.org>
Cc: Andy Lutomirski <luto@...capital.net>
Cc: Will Drewry <wad@...omium.org>
Cc: Jonathan Corbet <corbet@....net>
Cc: Shuah Khan <shuah@...nel.org>
Cc: Aleksa Sarai <cyphar@...har.com>
Cc: Tycho Andersen <tycho@...ho.pizza>
Cc: Andrei Vagin <avagin@...il.com>
Cc: Christian Brauner <brauner@...nel.org>
Cc: Stéphane Graber <stgraber@...raber.org>
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@...onical.com>
---
 kernel/seccomp.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 236c96276405..89ae81f06743 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -1182,7 +1182,7 @@ static int seccomp_do_user_notification(struct seccomp_filter *match,
 
 	mutex_lock(&match->notify_lock);
 	err = -ENOSYS;
-	if (!match->notif)
+	if (IS_ERR_OR_NULL(match->notif))
 		goto out;
 
 	n.task = current;
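Review bot: the new IS_ERR_OR_NULL() test still leaves err = -ENOSYS for the closed-listener case, so the ENOTCONN state recorded by this series is not yet observable to the traced task here; since the commit message says "No functional change intended", it would help to state which later patch of the series consumes the ERR_PTR(-ENOTCONN) marker (or whether PTR_ERR(match->notif) is meant to be propagated eventually), so reviewers can check the two halves together.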
@@ -1252,7 +1252,7 @@ static int seccomp_do_user_notification(struct seccomp_filter *match,
 	 * *reattach* to a notifier right now. If one is added, we'll need to
 	 * keep track of the notif itself and make sure they match here.
 	 */
-	if (match->notif)
+	if (!IS_ERR_OR_NULL(match->notif))
 		list_del(&n.list);
 out:
 	mutex_unlock(&match->notify_lock);
@@ -1460,8 +1460,14 @@ static long seccomp_set_mode_strict(void)
 #ifdef CONFIG_SECCOMP_FILTER
 static void seccomp_notify_free(struct seccomp_filter *filter)
 {
-	kfree(filter->notif);
-	filter->notif = NULL;
+	if (!IS_ERR_OR_NULL(filter->notif))
+		kfree(filter->notif);
+
+	/*
+	 * We want to know if a filter never had a notify fd,
+	 * or it is just been closed at some point.
+	 */
+	filter->notif = ERR_PTR(-ENOTCONN);
 }
 
 static void seccomp_notify_detach(struct seccomp_filter *filter)
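Review bot: seccomp_notify_free() now unconditionally stamps filter->notif with ERR_PTR(-ENOTCONN), so every caller, including any failure path that runs before a listener fd was ever handed to userspace, will make the filter read as "had a listener, now closed" rather than "never had a listener"; please confirm all callers are real close/detach paths or reset to NULL on the init-error path. The `if (!IS_ERR_OR_NULL(filter->notif))` guard around kfree() is only needed for the ERR_PTR case (kfree(NULL) is a no-op), which is worth a word in the comment, and the comment itself should read "or it has just been closed at some point".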
@@ -1943,7 +1949,7 @@ static bool has_duplicate_listener(struct seccomp_filter *new_child)
 	if (!new_child->notif)
 		return false;
 	for (cur = current->seccomp.filter; cur; cur = cur->prev) {
-		if (cur->notif)
+		if (!IS_ERR_OR_NULL(cur->notif))
 			return true;
 	}
 
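Review bot: two lines above the changed one, `if (!new_child->notif) return false;` keeps the plain NULL test while the loop below switches to IS_ERR_OR_NULL(); that is correct only because new_child has just been prepared and cannot yet carry a closed listener, but a one-line comment (or using IS_ERR_OR_NULL() there too for symmetry) would stop the next reader from treating the asymmetry as a bug.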
-- 
2.43.0

