From 3a1d1c977065f204b96293cccfe7d3e5aa0d7ace Mon Sep 17 00:00:00 2001
From: Paul Moore
Date: Sat, 6 Jun 2020 15:59:55 -0400
Subject: bpf: return integer error codes from gen_bpf_release()

Acked-by: Tom Hromatka
Signed-off-by: Paul Moore
---
 doc/man/man3/seccomp_export_bpf.3 | 3 +++
 doc/man/man3/seccomp_load.3 | 3 +++
 src/api.c | 6 +++---
 src/gen_bpf.c | 21 ++++++++++++---------
 src/gen_bpf.h | 3 ++-
 src/system.c | 6 +++---
 6 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/doc/man/man3/seccomp_export_bpf.3 b/doc/man/man3/seccomp_export_bpf.3
index bb0627c..68e735f 100644
--- a/doc/man/man3/seccomp_export_bpf.3
+++ b/doc/man/man3/seccomp_export_bpf.3
@@ -51,6 +51,9 @@ failure:
 .B -ECANCELED
 There was a kernel failure beyond the control of the library.
 .TP
+.B -EFAULT
+Internal libseccomp failure.
+.TP
 .B -EINVAL
 Invalid input, either the context or architecture token is invalid.
 .TP
diff --git a/doc/man/man3/seccomp_load.3 b/doc/man/man3/seccomp_load.3
index 15ace53..dcca7f5 100644
--- a/doc/man/man3/seccomp_load.3
+++ b/doc/man/man3/seccomp_load.3
@@ -41,6 +41,9 @@ Returns zero on success or one of the following error codes on failure:
 .B -ECANCELED
 There was a kernel failure beyond the control of the library.
 .TP
+.B -EFAULT
+Internal libseccomp failure.
+.TP
 .B -EINVAL
 Invalid input, either the context or architecture token is invalid.
 .TP
diff --git a/src/api.c b/src/api.c
index ba8fa5d..e01b196 100644
--- a/src/api.c
+++ b/src/api.c
@@ -653,9 +653,9 @@ API int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd)
 if (_ctx_valid(ctx))
 return _rc_filter(-EINVAL);
 
- program = gen_bpf_generate((struct db_filter_col *)ctx);
- if (program == NULL)
- return _rc_filter(-ENOMEM);
+ rc = gen_bpf_generate((struct db_filter_col *)ctx, &program);
+ if (rc < 0)
+ return _rc_filter(rc);
 rc = write(fd, program->blks, BPF_PGM_SIZE(program));
 gen_bpf_release(program);
 if (rc < 0)
diff --git a/src/gen_bpf.c b/src/gen_bpf.c
index 5e1aad5..a8b3314 100644
--- a/src/gen_bpf.c
+++ b/src/gen_bpf.c
@@ -2240,34 +2240,37 @@ build_bpf_free_blks:
 /**
 * Generate a BPF representation of the filter DB
 * @param col the seccomp filter collection
+ * @param prgm_ptr the bpf program pointer
 *
 * This function generates a BPF representation of the given filter collection.
- * Returns a pointer to a valid bpf_program on success, NULL on failure.
+ * Returns zero on success, negative values on failure.
 *
 */
-struct bpf_program *gen_bpf_generate(const struct db_filter_col *col)
+int gen_bpf_generate(const struct db_filter_col *col,
+ struct bpf_program **prgm_ptr)
 {
 int rc;
 struct bpf_state state;
 struct bpf_program *prgm;
 
 if (col->filter_cnt == 0)
- return NULL;
+ return -EINVAL;
 
 memset(&state, 0, sizeof(state));
 state.attr = &col->attr;
 
- prgm = zmalloc(sizeof(*(prgm)));
- if (prgm == NULL)
- return NULL;
- state.bpf = prgm;
+ state.bpf = zmalloc(sizeof(*(prgm)));
+ if (state.bpf == NULL)
+ return -ENOMEM;
 
 rc = _gen_bpf_build_bpf(&state, col);
- if (rc == 0)
+ if (rc == 0) {
+ *prgm_ptr = state.bpf;
 state.bpf = NULL;
+ }
 _state_release(&state);
 
- return prgm;
+ return rc;
 }
 
 /**
diff --git a/src/gen_bpf.h b/src/gen_bpf.h
index 14484e7..8f886ae 100644
--- a/src/gen_bpf.h
+++ b/src/gen_bpf.h
@@ -36,7 +36,8 @@ struct bpf_program {
 #define BPF_PGM_SIZE(x) \
 ((x)->blk_cnt * sizeof(*((x)->blks)))
 
-struct bpf_program *gen_bpf_generate(const struct db_filter_col *col);
+int gen_bpf_generate(const struct db_filter_col *col,
+ struct bpf_program **prgm_ptr);
 void gen_bpf_release(struct bpf_program *program);
 
 #endif
diff --git a/src/system.c b/src/system.c
index d73aaef..e2b2a9d 100644
--- a/src/system.c
+++ b/src/system.c
@@ -303,9 +303,9 @@ int sys_filter_load(struct db_filter_col *col)
 int rc;
 struct bpf_program *prgm = NULL;
 
- prgm = gen_bpf_generate(col);
- if (prgm == NULL)
- return -ENOMEM;
+ rc = gen_bpf_generate(col, &prgm);
+ if (rc < 0)
+ return rc;
 
 /* attempt to set NO_NEW_PRIVS */
 if (col->attr.nnp_enable) {
-- 
cgit v1.2.1
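Review bot: In gen_bpf_generate() (src/gen_bpf.c) `*prgm_ptr` is written only on the `rc == 0` path, while both updated callers treat only `rc < 0` as failure, so the success test and the failure test do not cover the same set of values. If `_gen_bpf_build_bpf()` can ever return a positive value (not visible in this hunk), seccomp_export_bpf() in src/api.c would go on to dereference `program->blks` with whatever `program` held before the call (its declaration is outside the hunk), and sys_filter_load() in src/system.c would continue with its `prgm = NULL`. I would add `*prgm_ptr = NULL;` before the `filter_cnt` check and have the callers test `if (rc != 0)`, or else say in the doc comment that the return value is never positive, that `*prgm_ptr` is left untouched on failure, and that on success the caller owns the program and releases it with gen_bpf_release(). As a smaller style point, the `prgm` local now exists only to feed `sizeof(*(prgm))`; `sizeof(*state.bpf)` (presumably the same pointer type) would let it be dropped.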