lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Tue, 20 May 2014 10:57:13 +0200
From:	Daniel Borkmann <>
To:	Alexei Starovoitov <>
CC:	"David S. Miller" <>,
	Eric Dumazet <>,
	Kees Cook <>,
Subject: Re: [PATCH net-next] net: filter: cleanup invocation of internal

On 05/19/2014 11:56 PM, Alexei Starovoitov wrote:
> Kernel API for classic BPF socket filters is:
> sk_unattached_filter_create() - validate classic BPF, convert, JIT
> SK_RUN_FILTER() - run it
> sk_unattached_filter_destroy() - destroy socket filter
> Cleanup internal BPF kernel API as following:
> sk_filter_select_runtime() - final step of internal BPF creation.
>    Try to JIT internal BPF program, if JIT is not available select interpreter
> SK_RUN_FILTER() - run it
> sk_filter_free() - free internal BPF program
> Disallow direct calls to BPF interpreter. Execution of the BPF program should
> be done with SK_RUN_FILTER() macro.
> Example of internal BPF create, run, destroy:
>    struct sk_filter *fp;
>    fp = kzalloc(sk_filter_size(prog_len), GFP_KERNEL);
>    memcpy(fp->insni, prog, prog_len * sizeof(fp->insni[0]));
>    fp->len = prog_len;
>    sk_filter_select_runtime(fp);
>    SK_RUN_FILTER(fp, ctx);
>    sk_filter_free(fp);
> Sockets, seccomp, testsuite, tracing are using different ways to populate
> sk_filter, so first steps of program creation are not common.
> Signed-off-by: Alexei Starovoitov <>

I think it makes sense and we can avoid directly exposing the symbol
__sk_run_filter() resp. its aliases.

Acked-by: Daniel Borkmann <>
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists