lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:	Thu, 01 Nov 2012 11:17:58 -0400 (EDT)
From:	David Miller <davem@...emloft.net>
To:	xemul@...allels.com
Cc:	netdev@...r.kernel.org
Subject: Re: [PATCH net-next] sk-filter: Add ability to get socket filter
 program (v2)

From: Pavel Emelyanov <xemul@...allels.com>
Date: Thu, 01 Nov 2012 16:01:48 +0400

> The SO_ATTACH_FILTER option is set only. I propose to add the get
> ability by using SO_ATTACH_FILTER in getsockopt. To be less
> irritating to eyes the SO_GET_FILTER alias to it is declared. This
> ability is required by checkpoint-restore project to be able to 
> save full state of a socket. 
> 
> 
> There are two issues with getting filter back.
> 
> First, kernel modifies the sock_filter->code on filter load, thus in
> order to return the filter element back to user we have to decode it
> into user-visible constants. Fortunately the modification in question
> is interconvertible.
> 
> Second, the BPF_S_ALU_DIV_K code modifies the command argument k to
> speed up the run-time division by doing kernel_k = reciprocal(user_k).
> Bad news is that different user_k may result in same kernel_k, so we 
> can't get the original user_k back. Good news is that we don't have 
> to do it. What we need to is calculate a user2_k so, that
> 
>   reciprocal(user2_k) == reciprocal(user_k) == kernel_k
> 
> i.e. if it's re-loaded back the compiled again value will be exactly
> the same as it was. That said, the user2_k can be calculated like this
> 
>   user2_k = reciprocal(kernel_k)
> 
> with an exception, that if kernel_k == 0, then user2_k == 1.
> 
> 
> The optlen argument is treated like this -- when zero, kernel returns
> the amount of sock_fprog elements in filter, otherwise it should be
> large enough for the sock_fprog array.
> 
> changes since v1:
> * Declared SO_GET_FILTER in all arch headers
> * Added decode of vlan-tag codes
> 
> Signed-off-by: Pavel Emelyanov <xemul@...allels.com>

Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists