1. Patchew
  2. linux
  3. [PATCH v1 0/6] seccomp: support nested listeners
  4. View patch

[PATCH v1 2/6] seccomp: prepare seccomp_run_filters() to support more than one listener

Alexander Mikhalitsyn posted 6 patches 2 months, 1 week ago
There is a newer version of this series
[PATCH v1 2/6] seccomp: prepare seccomp_run_filters() to support more than one listener
Posted by Alexander Mikhalitsyn 2 months, 1 week ago 
Prepare seccomp_run_filters() function to support more than one listener
in the seccomp tree. In this patch, we only introduce a new
struct seccomp_filter_matches with kdoc and modify seccomp_run_filters()
signature correspondingly.

No functional change intended.

Cc: linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: Kees Cook <kees@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Tycho Andersen <tycho@tycho.pizza>
Cc: Andrei Vagin <avagin@gmail.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Stéphane Graber <stgraber@stgraber.org>
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
---
 kernel/seccomp.c | 35 +++++++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index f944ea5a2716..c9a1062a53bd 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -237,6 +237,9 @@ struct seccomp_filter {
 /* Limit any path through the tree to 256KB worth of instructions. */
 #define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter))
 
+/* Limit number of listeners through the tree. */
+#define MAX_LISTENERS_PER_PATH 8
+
 /*
  * Endianness is explicitly ignored and left for BPF program authors to manage
  * as per the specific architecture.
@@ -391,18 +394,38 @@ static inline bool seccomp_cache_check_allow(const struct seccomp_filter *sfilte
 }
 #endif /* SECCOMP_ARCH_NATIVE */
 
+/**
+ * struct seccomp_filter_matches - container for seccomp filter match results
+ *
+ * @n: A number of filters matched.
+ * @filters: An array of (struct seccomp_filter) pointers.
+ *	     Holds pointers to filters that matched during evaluation.
+ *	     A first one in the array is the one with the least permissive
+ *	     action result.
+ *
+ * If final action result is less (or more) permissive than SECCOMP_RET_USER_NOTIF,
+ * only the most restrictive filter is stored in the array's first element.
+ * If final action result is SECCOMP_RET_USER_NOTIF, we need to track
+ * all filters that resulted in the same action to support multiple listeners
+ * in seccomp tree.
+ */
+struct seccomp_filter_matches {
+	unsigned char n;
+	struct seccomp_filter *filters[MAX_LISTENERS_PER_PATH];
+};
+
 #define ACTION_ONLY(ret) ((s32)((ret) & (SECCOMP_RET_ACTION_FULL)))
 /**
  * seccomp_run_filters - evaluates all seccomp filters against @sd
  * @sd: optional seccomp data to be passed to filters
- * @match: stores struct seccomp_filter that resulted in the return value,
+ * @matches: array of struct seccomp_filter pointers that resulted in the return value,
  *         unless filter returned SECCOMP_RET_ALLOW, in which case it will
  *         be unchanged.
  *
  * Returns valid seccomp BPF response codes.
  */
 static u32 seccomp_run_filters(const struct seccomp_data *sd,
-			       struct seccomp_filter **match)
+			       struct seccomp_filter_matches *matches)
 {
 	u32 ret = SECCOMP_RET_ALLOW;
 	/* Make sure cross-thread synced filter points somewhere sane. */
@@ -425,7 +448,8 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd,
 
 		if (ACTION_ONLY(cur_ret) < ACTION_ONLY(ret)) {
 			ret = cur_ret;
-			*match = f;
+			matches->n = 1;
+			matches->filters[0] = f;
 		}
 	}
 	return ret;
@@ -1252,6 +1276,7 @@ static int __seccomp_filter(int this_syscall, const bool recheck_after_trace)
 {
 	u32 filter_ret, action;
 	struct seccomp_data sd;
+	struct seccomp_filter_matches matches = {};
 	struct seccomp_filter *match = NULL;
 	int data;
 
@@ -1263,7 +1288,9 @@ static int __seccomp_filter(int this_syscall, const bool recheck_after_trace)
 
 	populate_seccomp_data(&sd);
 
-	filter_ret = seccomp_run_filters(&sd, &match);
+	filter_ret = seccomp_run_filters(&sd, &matches);
+
+	match = matches.filters[0];
 	data = filter_ret & SECCOMP_RET_DATA;
 	action = filter_ret & SECCOMP_RET_ACTION_FULL;
 
-- 
2.43.0
Re: [PATCH v1 2/6] seccomp: prepare seccomp_run_filters() to support more than one listener
Posted by Kees Cook 2 months, 1 week ago 
On Mon, Dec 01, 2025 at 01:23:59PM +0100, Alexander Mikhalitsyn wrote:
> Prepare seccomp_run_filters() function to support more than one listener
> in the seccomp tree. In this patch, we only introduce a new
> struct seccomp_filter_matches with kdoc and modify seccomp_run_filters()
> signature correspondingly.
> 
> No functional change intended.
> 
> Cc: linux-doc@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Cc: Kees Cook <kees@kernel.org>
> Cc: Andy Lutomirski <luto@amacapital.net>
> Cc: Will Drewry <wad@chromium.org>
> Cc: Jonathan Corbet <corbet@lwn.net>
> Cc: Shuah Khan <shuah@kernel.org>
> Cc: Tycho Andersen <tycho@tycho.pizza>
> Cc: Andrei Vagin <avagin@gmail.com>
> Cc: Christian Brauner <brauner@kernel.org>
> Cc: Stéphane Graber <stgraber@stgraber.org>
> Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
> ---
>  kernel/seccomp.c | 35 +++++++++++++++++++++++++++++++----
>  1 file changed, 31 insertions(+), 4 deletions(-)
> 
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index f944ea5a2716..c9a1062a53bd 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -237,6 +237,9 @@ struct seccomp_filter {
>  /* Limit any path through the tree to 256KB worth of instructions. */
>  #define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter))
>  
> +/* Limit number of listeners through the tree. */
> +#define MAX_LISTENERS_PER_PATH 8
> +
>  /*
>   * Endianness is explicitly ignored and left for BPF program authors to manage
>   * as per the specific architecture.
> @@ -391,18 +394,38 @@ static inline bool seccomp_cache_check_allow(const struct seccomp_filter *sfilte
>  }
>  #endif /* SECCOMP_ARCH_NATIVE */
>  
> +/**
> + * struct seccomp_filter_matches - container for seccomp filter match results
> + *
> + * @n: A number of filters matched.
> + * @filters: An array of (struct seccomp_filter) pointers.
> + *	     Holds pointers to filters that matched during evaluation.
> + *	     A first one in the array is the one with the least permissive
> + *	     action result.
> + *
> + * If final action result is less (or more) permissive than SECCOMP_RET_USER_NOTIF,
> + * only the most restrictive filter is stored in the array's first element.
> + * If final action result is SECCOMP_RET_USER_NOTIF, we need to track
> + * all filters that resulted in the same action to support multiple listeners
> + * in seccomp tree.
> + */
> +struct seccomp_filter_matches {
> +	unsigned char n;
> +	struct seccomp_filter *filters[MAX_LISTENERS_PER_PATH];
> +};
> +
>  #define ACTION_ONLY(ret) ((s32)((ret) & (SECCOMP_RET_ACTION_FULL)))
>  /**
>   * seccomp_run_filters - evaluates all seccomp filters against @sd
>   * @sd: optional seccomp data to be passed to filters
> - * @match: stores struct seccomp_filter that resulted in the return value,
> + * @matches: array of struct seccomp_filter pointers that resulted in the return value,
>   *         unless filter returned SECCOMP_RET_ALLOW, in which case it will
>   *         be unchanged.
>   *
>   * Returns valid seccomp BPF response codes.
>   */
>  static u32 seccomp_run_filters(const struct seccomp_data *sd,
> -			       struct seccomp_filter **match)
> +			       struct seccomp_filter_matches *matches)
>  {
>  	u32 ret = SECCOMP_RET_ALLOW;
>  	/* Make sure cross-thread synced filter points somewhere sane. */
> @@ -425,7 +448,8 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd,
>  
>  		if (ACTION_ONLY(cur_ret) < ACTION_ONLY(ret)) {
>  			ret = cur_ret;
> -			*match = f;
> +			matches->n = 1;
> +			matches->filters[0] = f;
>  		}
>  	}
>  	return ret;
> @@ -1252,6 +1276,7 @@ static int __seccomp_filter(int this_syscall, const bool recheck_after_trace)
>  {
>  	u32 filter_ret, action;
>  	struct seccomp_data sd;
> +	struct seccomp_filter_matches matches = {};

I was surprised to see this didn't induce a stack protector check (due
to the array use). It does, however, expand the work done to clear local
variables (i.e. this adds 9 unsigned long zeroings to the default case).

Regardless, I'll read this thread more closely in time for the LPC
session; I'm not exactly opposed to allowing multiple listeners, but I
do want to meditate on the safety logic (which I see you've spent time
thinking about too).

Thanks!

-Kees

-- 
Kees Cook
Re: [PATCH v1 2/6] seccomp: prepare seccomp_run_filters() to support more than one listener
Posted by Aleksandr Mikhalitsyn 2 months, 1 week ago 
On Tue, Dec 2, 2025 at 9:26 PM Kees Cook <kees@kernel.org> wrote:
>
> On Mon, Dec 01, 2025 at 01:23:59PM +0100, Alexander Mikhalitsyn wrote:
> > Prepare seccomp_run_filters() function to support more than one listener
> > in the seccomp tree. In this patch, we only introduce a new
> > struct seccomp_filter_matches with kdoc and modify seccomp_run_filters()
> > signature correspondingly.
> >
> > No functional change intended.
> >
> > Cc: linux-doc@vger.kernel.org
> > Cc: linux-kernel@vger.kernel.org
> > Cc: Kees Cook <kees@kernel.org>
> > Cc: Andy Lutomirski <luto@amacapital.net>
> > Cc: Will Drewry <wad@chromium.org>
> > Cc: Jonathan Corbet <corbet@lwn.net>
> > Cc: Shuah Khan <shuah@kernel.org>
> > Cc: Tycho Andersen <tycho@tycho.pizza>
> > Cc: Andrei Vagin <avagin@gmail.com>
> > Cc: Christian Brauner <brauner@kernel.org>
> > Cc: Stéphane Graber <stgraber@stgraber.org>
> > Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
> > ---
> >  kernel/seccomp.c | 35 +++++++++++++++++++++++++++++++----
> >  1 file changed, 31 insertions(+), 4 deletions(-)
> >
> > diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> > index f944ea5a2716..c9a1062a53bd 100644
> > --- a/kernel/seccomp.c
> > +++ b/kernel/seccomp.c
> > @@ -237,6 +237,9 @@ struct seccomp_filter {
> >  /* Limit any path through the tree to 256KB worth of instructions. */
> >  #define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter))
> >
> > +/* Limit number of listeners through the tree. */
> > +#define MAX_LISTENERS_PER_PATH 8
> > +
> >  /*
> >   * Endianness is explicitly ignored and left for BPF program authors to manage
> >   * as per the specific architecture.
> > @@ -391,18 +394,38 @@ static inline bool seccomp_cache_check_allow(const struct seccomp_filter *sfilte
> >  }
> >  #endif /* SECCOMP_ARCH_NATIVE */
> >
> > +/**
> > + * struct seccomp_filter_matches - container for seccomp filter match results
> > + *
> > + * @n: A number of filters matched.
> > + * @filters: An array of (struct seccomp_filter) pointers.
> > + *        Holds pointers to filters that matched during evaluation.
> > + *        A first one in the array is the one with the least permissive
> > + *        action result.
> > + *
> > + * If final action result is less (or more) permissive than SECCOMP_RET_USER_NOTIF,
> > + * only the most restrictive filter is stored in the array's first element.
> > + * If final action result is SECCOMP_RET_USER_NOTIF, we need to track
> > + * all filters that resulted in the same action to support multiple listeners
> > + * in seccomp tree.
> > + */
> > +struct seccomp_filter_matches {
> > +     unsigned char n;
> > +     struct seccomp_filter *filters[MAX_LISTENERS_PER_PATH];
> > +};
> > +
> >  #define ACTION_ONLY(ret) ((s32)((ret) & (SECCOMP_RET_ACTION_FULL)))
> >  /**
> >   * seccomp_run_filters - evaluates all seccomp filters against @sd
> >   * @sd: optional seccomp data to be passed to filters
> > - * @match: stores struct seccomp_filter that resulted in the return value,
> > + * @matches: array of struct seccomp_filter pointers that resulted in the return value,
> >   *         unless filter returned SECCOMP_RET_ALLOW, in which case it will
> >   *         be unchanged.
> >   *
> >   * Returns valid seccomp BPF response codes.
> >   */
> >  static u32 seccomp_run_filters(const struct seccomp_data *sd,
> > -                            struct seccomp_filter **match)
> > +                            struct seccomp_filter_matches *matches)
> >  {
> >       u32 ret = SECCOMP_RET_ALLOW;
> >       /* Make sure cross-thread synced filter points somewhere sane. */
> > @@ -425,7 +448,8 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd,
> >
> >               if (ACTION_ONLY(cur_ret) < ACTION_ONLY(ret)) {
> >                       ret = cur_ret;
> > -                     *match = f;
> > +                     matches->n = 1;
> > +                     matches->filters[0] = f;
> >               }
> >       }
> >       return ret;
> > @@ -1252,6 +1276,7 @@ static int __seccomp_filter(int this_syscall, const bool recheck_after_trace)
> >  {
> >       u32 filter_ret, action;
> >       struct seccomp_data sd;
> > +     struct seccomp_filter_matches matches = {};
>

Hi Kees,

Thanks for looking into this stuff! ;)

> I was surprised to see this didn't induce a stack protector check (due
> to the array use). It does, however, expand the work done to clear local
> variables (i.e. this adds 9 unsigned long zeroings to the default case).

Actually, by saying this you've inspired me to look at this stuff with
a fresh mind again
and I have a feeling that I can probably make it work with just one additional
struct seccomp_filter pointer on the stack, instead of adding extra 8
pointers... :)
Let me make another iteration on this and send a -v3 then.

>I was surprised to see this didn't induce a stack protector check (due
> to the array use).

Also, sorry if my question is stupid, but what do you mean by stack
protector check in
this case? Just a check for an array index before writing to it? Or
something more generic?

>
> Regardless, I'll read this thread more closely in time for the LPC
> session; I'm not exactly opposed to allowing multiple listeners, but I
> do want to meditate on the safety logic (which I see you've spent time
> thinking about too).

Thanks, Kees!

>
> Thanks!

Kind regards,
Alex

>
> -Kees
>
> --
> Kees Cook
Re: [PATCH v1 2/6] seccomp: prepare seccomp_run_filters() to support more than one listener
Posted by Tycho Andersen 2 months, 1 week ago 
On Mon, Dec 01, 2025 at 01:23:59PM +0100, Alexander Mikhalitsyn wrote:
> +/**
> + * struct seccomp_filter_matches - container for seccomp filter match results
> + *
> + * @n: A number of filters matched.
> + * @filters: An array of (struct seccomp_filter) pointers.
> + *	     Holds pointers to filters that matched during evaluation.
> + *	     A first one in the array is the one with the least permissive
> + *	     action result.
> + *
> + * If final action result is less (or more) permissive than SECCOMP_RET_USER_NOTIF,
> + * only the most restrictive filter is stored in the array's first element.
> + * If final action result is SECCOMP_RET_USER_NOTIF, we need to track
> + * all filters that resulted in the same action to support multiple listeners
> + * in seccomp tree.
> + */
> +struct seccomp_filter_matches {
> +	unsigned char n;
> +	struct seccomp_filter *filters[MAX_LISTENERS_PER_PATH];

Maybe a __counted_by() for this?

Tycho
Re: [PATCH v1 2/6] seccomp: prepare seccomp_run_filters() to support more than one listener
Posted by Aleksandr Mikhalitsyn 2 months, 1 week ago 
On Mon, Dec 1, 2025 at 3:24 PM Tycho Andersen <tycho@kernel.org> wrote:
>
> On Mon, Dec 01, 2025 at 01:23:59PM +0100, Alexander Mikhalitsyn wrote:
> > +/**
> > + * struct seccomp_filter_matches - container for seccomp filter match results
> > + *
> > + * @n: A number of filters matched.
> > + * @filters: An array of (struct seccomp_filter) pointers.
> > + *        Holds pointers to filters that matched during evaluation.
> > + *        A first one in the array is the one with the least permissive
> > + *        action result.
> > + *
> > + * If final action result is less (or more) permissive than SECCOMP_RET_USER_NOTIF,
> > + * only the most restrictive filter is stored in the array's first element.
> > + * If final action result is SECCOMP_RET_USER_NOTIF, we need to track
> > + * all filters that resulted in the same action to support multiple listeners
> > + * in seccomp tree.
> > + */
> > +struct seccomp_filter_matches {
> > +     unsigned char n;
> > +     struct seccomp_filter *filters[MAX_LISTENERS_PER_PATH];
>
> Maybe a __counted_by() for this?

I thought that __counted_by() only makes sense for flex arrays, while
in this case we have a static array.

Kind regards,
Alex

>
> Tycho
Re: [PATCH v1 2/6] seccomp: prepare seccomp_run_filters() to support more than one listener
Posted by Tycho Andersen 2 months, 1 week ago 
On Tue, Dec 02, 2025 at 12:58:14PM +0100, Aleksandr Mikhalitsyn wrote:
> On Mon, Dec 1, 2025 at 3:24 PM Tycho Andersen <tycho@kernel.org> wrote:
> >
> > On Mon, Dec 01, 2025 at 01:23:59PM +0100, Alexander Mikhalitsyn wrote:
> > > +/**
> > > + * struct seccomp_filter_matches - container for seccomp filter match results
> > > + *
> > > + * @n: A number of filters matched.
> > > + * @filters: An array of (struct seccomp_filter) pointers.
> > > + *        Holds pointers to filters that matched during evaluation.
> > > + *        A first one in the array is the one with the least permissive
> > > + *        action result.
> > > + *
> > > + * If final action result is less (or more) permissive than SECCOMP_RET_USER_NOTIF,
> > > + * only the most restrictive filter is stored in the array's first element.
> > > + * If final action result is SECCOMP_RET_USER_NOTIF, we need to track
> > > + * all filters that resulted in the same action to support multiple listeners
> > > + * in seccomp tree.
> > > + */
> > > +struct seccomp_filter_matches {
> > > +     unsigned char n;
> > > +     struct seccomp_filter *filters[MAX_LISTENERS_PER_PATH];
> >
> > Maybe a __counted_by() for this?
> 
> I thought that __counted_by() only makes sense for flex arrays, while
> in this case we have a static array.

Oh, duh, you're right of course.

Tycho

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.