authorPaul Moore <paul@paul-moore.com>2020-06-06 15:59:55 -0400
committerPaul Moore <paul@paul-moore.com>2020-06-16 11:22:29 -0400
commit3a1d1c977065f204b96293cccfe7d3e5aa0d7ace (patch)
treeb757138f8018657d8ab8e372323bc94318d7ec52
parent027cc6031461e67d4c6a9a3463540a8433f2fcd4 (diff)
bpf: return integer error codes from gen_bpf_release()
Acked-by: Tom Hromatka <tom.hromatka@oracle.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
-rw-r--r--doc/man/man3/seccomp_export_bpf.33
-rw-r--r--doc/man/man3/seccomp_load.33
-rw-r--r--src/api.c6
-rw-r--r--src/gen_bpf.c21
-rw-r--r--src/gen_bpf.h3
-rw-r--r--src/system.c6
6 files changed, 26 insertions, 16 deletions
diff --git a/doc/man/man3/seccomp_export_bpf.3 b/doc/man/man3/seccomp_export_bpf.3
index bb0627c..68e735f 100644
--- a/doc/man/man3/seccomp_export_bpf.3
+++ b/doc/man/man3/seccomp_export_bpf.3
@@ -51,6 +51,9 @@ failure:
.B -ECANCELED
There was a kernel failure beyond the control of the library.
.TP
+.B -EFAULT
+Internal libseccomp failure.
+.TP
.B -EINVAL
Invalid input, either the context or architecture token is invalid.
.TP
diff --git a/doc/man/man3/seccomp_load.3 b/doc/man/man3/seccomp_load.3
index 15ace53..dcca7f5 100644
--- a/doc/man/man3/seccomp_load.3
+++ b/doc/man/man3/seccomp_load.3
@@ -41,6 +41,9 @@ Returns zero on success or one of the following error codes on failure:
.B -ECANCELED
There was a kernel failure beyond the control of the library.
.TP
+.B -EFAULT
+Internal libseccomp failure.
+.TP
.B -EINVAL
Invalid input, either the context or architecture token is invalid.
.TP
diff --git a/src/api.c b/src/api.c
index ba8fa5d..e01b196 100644
--- a/src/api.c
+++ b/src/api.c
@@ -653,9 +653,9 @@ API int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd)
if (_ctx_valid(ctx))
return _rc_filter(-EINVAL);
- program = gen_bpf_generate((struct db_filter_col *)ctx);
- if (program == NULL)
- return _rc_filter(-ENOMEM);
+ rc = gen_bpf_generate((struct db_filter_col *)ctx, &program);
+ if (rc < 0)
+ return _rc_filter(rc);
rc = write(fd, program->blks, BPF_PGM_SIZE(program));
gen_bpf_release(program);
if (rc < 0)
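Review bot: The new guard `if (rc < 0)` does not match the callee's success condition: gen_bpf_generate() stores `*prgm_ptr` only when `rc == 0`, yet it returns whatever `_gen_bpf_build_bpf()` produced. If that helper can ever return a positive value (not visible in this diff), execution continues to `program->blks` with a pointer that was never written. The same pattern is in the src/system.c hunk in sys_filter_load(), where `prgm` is at least initialised to NULL. Testing `if (rc != 0)` in both callers, or having the callee guarantee a non-positive return, would close the gap. The declaration of `program` lies above this hunk, so whether it starts out NULL cannot be confirmed from here.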
diff --git a/src/gen_bpf.c b/src/gen_bpf.c
index 5e1aad5..a8b3314 100644
--- a/src/gen_bpf.c
+++ b/src/gen_bpf.c
@@ -2240,34 +2240,37 @@ build_bpf_free_blks:
/**
* Generate a BPF representation of the filter DB
* @param col the seccomp filter collection
+ * @param prgm_ptr the bpf program pointer
*
* This function generates a BPF representation of the given filter collection.
- * Returns a pointer to a valid bpf_program on success, NULL on failure.
+ * Returns zero on success, negative values on failure.
*
*/
-struct bpf_program *gen_bpf_generate(const struct db_filter_col *col)
+int gen_bpf_generate(const struct db_filter_col *col,
+ struct bpf_program **prgm_ptr)
{
int rc;
struct bpf_state state;
struct bpf_program *prgm;
if (col->filter_cnt == 0)
- return NULL;
+ return -EINVAL;
memset(&state, 0, sizeof(state));
state.attr = &col->attr;
- prgm = zmalloc(sizeof(*(prgm)));
- if (prgm == NULL)
- return NULL;
- state.bpf = prgm;
+ state.bpf = zmalloc(sizeof(*(prgm)));
+ if (state.bpf == NULL)
+ return -ENOMEM;
rc = _gen_bpf_build_bpf(&state, col);
- if (rc == 0)
+ if (rc == 0) {
+ *prgm_ptr = state.bpf;
state.bpf = NULL;
+ }
_state_release(&state);
- return prgm;
+ return rc;
}
/**
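Review bot: `*prgm_ptr` is left untouched on every failure path of gen_bpf_generate() (the `-EINVAL` and `-ENOMEM` early returns and a failed `_gen_bpf_build_bpf()`), and the doc comment does not state that contract. Writing `*prgm_ptr = NULL;` before the `filter_cnt` check would ensure a caller that mishandles the return code never sees a stale or uninitialised pointer. The `@param prgm_ptr` line could then read `@param prgm_ptr set to the generated program on success, NULL on failure; release with gen_bpf_release()`. As a style point, the local `prgm` now survives only as the operand of `sizeof(*(prgm))`; `sizeof(*state.bpf)` would presumably let the declaration be dropped.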
diff --git a/src/gen_bpf.h b/src/gen_bpf.h
index 14484e7..8f886ae 100644
--- a/src/gen_bpf.h
+++ b/src/gen_bpf.h
@@ -36,7 +36,8 @@ struct bpf_program {
#define BPF_PGM_SIZE(x) \
((x)->blk_cnt * sizeof(*((x)->blks)))
-struct bpf_program *gen_bpf_generate(const struct db_filter_col *col);
+int gen_bpf_generate(const struct db_filter_col *col,
+ struct bpf_program **prgm_ptr);
void gen_bpf_release(struct bpf_program *program);
#endif
diff --git a/src/system.c b/src/system.c
index d73aaef..e2b2a9d 100644
--- a/src/system.c
+++ b/src/system.c
@@ -303,9 +303,9 @@ int sys_filter_load(struct db_filter_col *col)
int rc;
struct bpf_program *prgm = NULL;
- prgm = gen_bpf_generate(col);
- if (prgm == NULL)
- return -ENOMEM;
+ rc = gen_bpf_generate(col, &prgm);
+ if (rc < 0)
+ return rc;
/* attempt to set NO_NEW_PRIVS */
if (col->attr.nnp_enable) {