From nobody Mon Dec  1 21:33:25 2025
Received: from smtp-relay-internal-1.canonical.com
 (smtp-relay-internal-1.canonical.com [185.125.188.123])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id BE9B030BB9E
	for <linux-kernel@vger.kernel.org>; Mon,  1 Dec 2025 12:24:19 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=185.125.188.123
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1764591861; cv=none;
 b=LjMO5lqNjyHk/Y+X5ZXVkJN+plu7V9eMqkCSTrdjVVjICFxIO2pAlkpmVEZbcYUtBfuZLLc3KnpsgH6JFU+jsF+9RPENCkYKX7Pc+TbTNPrEQ1reshMpXTxoj2KuIxJjLODWveBDRAci9mRL/rTP1J93iEUBYKlHk/wv+HVvyXY=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1764591861; c=relaxed/simple;
	bh=/AVZ1KTl67UPm9oJo5daI+HtXeVjXE0ygjNScp5tOsM=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=otOmGujDjC6cQhZzHJj3BDACcT/LKL4Ai8kjENPbI5qiGhrS4OsFBV3OQe7UBw/7KBTSlKOVG14Y/mEYua2GpRKftYZlxF0Tb6PJbFeC2gBCuG7CgMYOjUCi2SIpzE9W8ipMsDDQK9XJWfZC6Aj9ImNRwM66aCEtWo2EYbMMX1A=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=canonical.com;
 spf=pass smtp.mailfrom=canonical.com;
 dkim=pass (4096-bit key) header.d=canonical.com header.i=@canonical.com
 header.b=D/dae50V; arc=none smtp.client-ip=185.125.188.123
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=canonical.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=canonical.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (4096-bit key) header.d=canonical.com header.i=@canonical.com
 header.b="D/dae50V"
Received: from mail-ej1-f69.google.com (mail-ej1-f69.google.com
 [209.85.218.69])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 93E213F0B8
	for <linux-kernel@vger.kernel.org>; Mon,  1 Dec 2025 12:24:16 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
	s=20251003; t=1764591856;
	bh=7pZ0iEmlRC+UmoLWz0HVLhgvBs5Lg5e5yJ2fSZ1YjvY=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
	b=D/dae50VQO9wiRgn+1/EN4+b8E8U/UCwyXll6H/05MGOAPotteLdQFU+1m4Ww1FG9
	 fHyefQ97ZiER9ApArflJ9Y0e+AEDg/hbq7+uVmr3kMjNDp4T2uqUx9gdZOK89Dio/Z
	 xsOdCv+d0LfGj1+evnaJARGm0DDrF5iw7lWNu/UrjvliofvqJ/aAF4HhpdxYmDe8pp
	 T6Scv/zzWIr2VrOtHOqviiR7LX/WTpvmJopWbetqQE+oELLR9OoPPPZGCeCQyyVtQ+
	 JQBOfefvu54nJphaYYVi2U8znUjWDsjafRlhy8QPm+6VIsSHULClJEJ9PYLVLiF1/p
	 76LJbGzWbMRWRJNKnRHPA2Tf6lybDCJSVjtViDBx6axNYYH1Fr7K/5hwznjpGmMLLn
	 gn01ncIoiC4QNitRSQpuA74E/Ui5SFu+mTIM+lX4d3R8g/UyhaQ0o+sD8Glf/j81cW
	 gZmL/UVkwOpr8hUUgiJOouCFEAUYc2kUDGA70hyPgUTQzr3kG98BVSqGZizxkDwLl7
	 hjeIxP0rK5NOpoTPhfuSzOpQE7uXMP5NEeLk9LeOEPXTRU8SJI7x6F4DMyxmmKuHkZ
	 yXdKM0JCwdEueFcb6uHd+VNe24uO8O1nIuFOmVl0EUtp7ciwmxR+/IQNs+0CMn8UNO
	 8hHJ4FQD6UyG2GjQlx8gXWpk=
Received: by mail-ej1-f69.google.com with SMTP id
 a640c23a62f3a-b735eea0bddso352285666b.2
        for <linux-kernel@vger.kernel.org>;
 Mon, 01 Dec 2025 04:24:16 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1764591856; x=1765196656;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=7pZ0iEmlRC+UmoLWz0HVLhgvBs5Lg5e5yJ2fSZ1YjvY=;
        b=KdM3uTjzK9h54FRWNPi6A8elnq7HUQzY8UtaraMuEHRlKkYs9F7cXMHwq4QN8UKrx4
         uGVOyKt+3CeUByqETJYkWIBOaRGYh7SfBcnTrGw+DU7BHXZlgXqSp2scoceqKrXLpN49
         x3riqwxYuD3hUFp1+h1uPuiEOfI51Sp1ULRtwX1wC4S72dd46XZV64Bc0blw6X+OY2XE
         mloZdKKc5fHbaJf7Mrc7o+7frPrNDIo9vckG8u5+KUjMn+z8PjgPTBv3dZbz7Yy9kR1v
         j8jzxiz+Zb1cUuqdQ/aJDJaUgTn5fpDKzPOf5TXv+KZZ/PyHO7+Jjk9wwpHm5kBkoK1q
         kbDg==
X-Forwarded-Encrypted: i=1;
 AJvYcCVWaW5Rh4OYaS6TTkkAvud4oC8Zlh7XEOowsiKQB0EHTPNSewT1ZZGANDB+UMgQu6H9iZpTLgEcmlulLKc=@vger.kernel.org
X-Gm-Message-State: AOJu0YznJmeFJnVApwmij0npwZ/4SzL+mkv+4+jVGeqVVdy+rHbL8X4d
	j0VWxC1HfiCq0MgutZHpLXdOy4kf9/LShxpokNClsWwfKhqN2eAc0iaDhAQ+LsTaoHaBprK9CrN
	Qm7ECGvn2a5T5J+K6G/Yft9XaWwhmpTdD4dFWtCamJim73WdZxWVfD3QhmqZXv0BPtAIxTMgVNa
	9mjjuG5g==
X-Gm-Gg: ASbGncumUjKpzApYkpZQI9LzPWfnS4j6p9POvYnaOkjiAXn+g7SVLkf+KUQJFZXefmO
	xQCuftwCS5/HZYANf38indUzh4hR6ca2g2OL1zScY5TfADgmgukNUQD1N7FJuOf9PfJ8mPmZJg9
	k9kppuOXkINcGiljsTTyTIxGNqjYurjf0xw5L+gBIYFw1VCj2zjFKAtg67f0ihBojD/hy7V5t7q
	uxDgVWh+EHMYCIVRUKcD4nOYIf8gfAqdb/ILAlLiYTSOYb6WIwlDz4KRYy61DxlJn6Zyw3Kj4V2
	AGfn+Z3DPxdYoswn2Ica9ezfUZpHeDEI6oAh9SFHD80ccneJ/jSoLNvu5AeEw1PXvb/p7bFXjb9
	QNIy02wYwRUbtjj7O+Oe+v8PlytrMMKp8opxpRkkWqiq6pKYgaqhg2TRnStRibtIBzJzEMmzQrh
	muTIJiGSZokLMATK2I7j1ZAUUA
X-Received: by 2002:a17:907:da4:b0:b73:3ced:2f66 with SMTP id
 a640c23a62f3a-b767159eea3mr3956230066b.14.1764591856095;
        Mon, 01 Dec 2025 04:24:16 -0800 (PST)
X-Google-Smtp-Source: 
 AGHT+IFIZW7AV81jLeOVeNdSzCklwOYrFNBodBijapwm/R3JQVkCZsHyMjBHE1GdiGc2mvTdOFtc5A==
X-Received: by 2002:a17:907:da4:b0:b73:3ced:2f66 with SMTP id
 a640c23a62f3a-b767159eea3mr3956227266b.14.1764591855671;
        Mon, 01 Dec 2025 04:24:15 -0800 (PST)
Received: from amikhalitsyn.lan
 (p200300cf5749de007c66abd95f8bdeba.dip0.t-ipconnect.de.
 [2003:cf:5749:de00:7c66:abd9:5f8b:deba])
        by smtp.gmail.com with ESMTPSA id
 4fb4d7f45d1cf-64750a6ea36sm12307884a12.2.2025.12.01.04.24.14
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 01 Dec 2025 04:24:15 -0800 (PST)
From: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
To: kees@kernel.org
Cc: linux-doc@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Andy Lutomirski <luto@amacapital.net>,
	Will Drewry <wad@chromium.org>,
	Jonathan Corbet <corbet@lwn.net>,
	Shuah Khan <shuah@kernel.org>,
	Tycho Andersen <tycho@tycho.pizza>,
	Andrei Vagin <avagin@gmail.com>,
	Christian Brauner <brauner@kernel.org>,
	=?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@stgraber.org>,
	Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Subject: [PATCH v1 1/6] seccomp: remove unused argument from
 seccomp_do_user_notification
Date: Mon,  1 Dec 2025 13:23:58 +0100
Message-ID: <20251201122406.105045-2-aleksandr.mikhalitsyn@canonical.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251201122406.105045-1-aleksandr.mikhalitsyn@canonical.com>
References: <20251201122406.105045-1-aleksandr.mikhalitsyn@canonical.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Remove unused this_syscall argument from seccomp_do_user_notification()
and add kdoc for it.

Cc: linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: Kees Cook <kees@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Tycho Andersen <tycho@tycho.pizza>
Cc: Andrei Vagin <avagin@gmail.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: St=C3=A9phane Graber <stgraber@stgraber.org>
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Reviewed-by: Tycho Andersen (AMD) <tycho@kernel.org>
---
 kernel/seccomp.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 3bbfba30a777..f944ea5a2716 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -1142,8 +1142,18 @@ static bool should_sleep_killable(struct seccomp_fil=
ter *match,
 	return match->wait_killable_recv && n->state >=3D SECCOMP_NOTIFY_SENT;
 }
=20
-static int seccomp_do_user_notification(int this_syscall,
-					struct seccomp_filter *match,
+/**
+ * seccomp_do_user_notification - sends seccomp notification to the usersp=
ace
+ * listener and waits for a reply.
+ * @match: seccomp filter we are notifying
+ * @sd: seccomp data (syscall_nr, args, etc) to be passed to the userspace=
 listener
+ *
+ * Returns
+ *   - -1 on success if userspace provided a reply for the syscall,
+ *   - -1 on interrupted wait,
+ *   - 0  on success if userspace requested to continue the syscall
+ */
+static int seccomp_do_user_notification(struct seccomp_filter *match,
 					const struct seccomp_data *sd)
 {
 	int err;
@@ -1317,7 +1327,7 @@ static int __seccomp_filter(int this_syscall, const b=
ool recheck_after_trace)
 		return 0;
=20
 	case SECCOMP_RET_USER_NOTIF:
-		if (seccomp_do_user_notification(this_syscall, match, &sd))
+		if (seccomp_do_user_notification(match, &sd))
 			goto skip;
=20
 		return 0;
--=20
2.43.0

From nobody Mon Dec  1 21:33:25 2025
Received: from smtp-relay-internal-1.canonical.com
 (smtp-relay-internal-1.canonical.com [185.125.188.123])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 53A8D30C63B
	for <linux-kernel@vger.kernel.org>; Mon,  1 Dec 2025 12:24:25 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=185.125.188.123
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1764591867; cv=none;
 b=tbWmc9cHAze67TlW0Uz4EHgMPLB/G6jGba7nfvIl/BBF2Q5V1FekT4QjtquQWQZDUQSW+FKYp0AP6UFNivwEJo5NQ9AlLivHjUkGTGmM1tiLV12baQvv7i0oWK0NGBAjBsQB6MJAihrTLlyVhB5j3Rc+CZ0aoivPUilNWe2UGnM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1764591867; c=relaxed/simple;
	bh=zX8NS3dWkP2kRHi9JuvLsUigUyl5bWfZvHSDrk2+hPs=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=g4EYLn+14v0K0EX/HSQnS0xHV06g8+RQV6RWconpf4WCIakzmdwPlZNJe+bX2dS/4Plw+XgqXV6G8Oe7LOD8CbIY2/9j3lF9x/bP5HPaqfldmIPrK4qbH9xJYjR+2N2gtqH6UQlr8UPsSMsFKgIGbP8Wn2hMjFPA9/EgY6lUkQU=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=canonical.com;
 spf=pass smtp.mailfrom=canonical.com;
 dkim=pass (4096-bit key) header.d=canonical.com header.i=@canonical.com
 header.b=hYjyGI8c; arc=none smtp.client-ip=185.125.188.123
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=canonical.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=canonical.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (4096-bit key) header.d=canonical.com header.i=@canonical.com
 header.b="hYjyGI8c"
Received: from mail-ed1-f69.google.com (mail-ed1-f69.google.com
 [209.85.208.69])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 706A93F182
	for <linux-kernel@vger.kernel.org>; Mon,  1 Dec 2025 12:24:19 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
	s=20251003; t=1764591859;
	bh=GzOHE0e9hBLU7il+hYgcPRfRQ1LLK3xgtQjcXzvOJu8=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
	b=hYjyGI8c8XJXL7ztAscVs9vGSQAV8vwUxft8DWyLHfEOIiQS7HnfQny/3Sn1HXysN
	 tlkBqqy4me8VIwbImaWQ/grRE8jt3H9YiqlJmW7WsSJGwA/TD+/p8bn40L+E4j+RJU
	 lY78571Nesa5ENF8E5nIyMqRR38hUcoCIsE/Hhg4p/lQcWOozT4wICz5iTOPV6FHKx
	 IcW66YBqutNbMYyOFPtwSS/wy4NG3Dj85DIoLf4LwZxieEktgovEpmDrsKCexcIVw6
	 5Z0y78r6t9g5IQZw+b/7+wYb2pOMaQcILnRg+vyVYJ7TjXHHWIxKe26UVySJO+aqIi
	 Z3MNz0l6kmf1rCUsbt/3Ox53t+qzAhUDZVmcmwts4u50kq6n+kx6sYAfm+ipeudZUT
	 eo6yadbmWlMMLPuQk//YWEQTzizUqJCNoX1tLKo53tQoXHlhXHw1LzHF8BX7Uv4AW9
	 riVRSJtLCf9odMo0suMCO0411hzpZZyC+CcxYlXub6VJ36HzGWMbu6Hpas9I4roR/P
	 XMXrCMCH+ByXKDnw8UtzM9VTCyylMxxayTo8C2dNgUKv3IZTVlW7Oi5pruhpG5HAUz
	 dTIWb0Or0ptOK9OJjBzTD4TkNDnFafc05eajMu1rTDsideQ6F+KRRDMYQV9Ydybfad
	 N2Xq7QePuxsiP43Rhjxp29SA=
Received: by mail-ed1-f69.google.com with SMTP id
 4fb4d7f45d1cf-640c4609713so4865650a12.2
        for <linux-kernel@vger.kernel.org>;
 Mon, 01 Dec 2025 04:24:19 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1764591858; x=1765196658;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=GzOHE0e9hBLU7il+hYgcPRfRQ1LLK3xgtQjcXzvOJu8=;
        b=oKK/zAvICk3YWUBtdJnz1qol53V1d8HMguUufdHs6+UZTTyfynoeMwwje78S4vxPNa
         37kIJyDgK+RBG64M9v+UU/iIsRQWXI5w+MNFq05KlVWSKh1Wr6csVinlcCkSXlv2oqXm
         xXRpbUeYTaqgL6uuah3qbOoPMxjunMHafGNG1Iiy4H1EGH4dU93bQXWHzYX2ZMR722E8
         yTrrfdrOJ22x+gkgCsS8g9omG2xE2Pa15BWr0gXwJAU6j5yvJLL/yUSSeoNIhyNoZkW8
         AkqO4Dsbmvd0aTMpKrjwKFlJj6y1jAkcnMfDC2BYmpkp/Sf3FkF7e87+9Nl6AB/MVi4V
         024Q==
X-Forwarded-Encrypted: i=1;
 AJvYcCU8RJMtWZan6zKVoilvJZaKXucPlH6vyImtqXIuDKIi6mFVdVXDc8AG88R6eTAsiHKMblAa0p9XpMPwVSE=@vger.kernel.org
X-Gm-Message-State: AOJu0Yx8biYwaSJCwBDSfRPJ2qk/ufKSZsKWz7EY4fPrerBgnsuE991N
	073xV8f43UnQkHqrSv3/s9NMPRTo56wnRAO8Zg87I03c/lMlQu0UBnwIj071uEhsUsdpos/AKUa
	YZTu1LG6K1004ex69QAmey5fZ6CF6t8Wju3WU5qxZYGVtIbgvwHHGsqFdMXUXywux6YC33D+P+I
	fZ3QE5eA==
X-Gm-Gg: ASbGncssPTyEJ+6spDhZqr9Uyra1vFu92XfaqDr22j5OYu9Zro33fxmE9NYKIXB0UeG
	EyFX7nA50xTfIw+tdj9wLl1XYoPxPOSgZM21Wcw5G/VjojWUS2tMdulboUzPVZXgRPyltV/DaTQ
	XpdQEuNs1sUhKJq+0siQVah9yY9VWxYILSX3XeuN05NjRzaxmXfMYWcF21nSypE03vc+n4L3zeG
	V/FnQ1R7Cq08IVCXBOISQ8pMh5Yxqm/4KD32Qj+WJffQ99SdM8NHAqMMk0jkREE7nLju6E8weWH
	EFRson1W12jYuL4v/0yKNUiX6vkEhbC2wlEToNhweTqvEynrjJTxiakEEQTdK9V5FZNSpNFuZLF
	eP/wf3vNo4JnD9Gd6ck50z92UQczpCpYVa4EPPuO616Xe3ITnHlGoexJsGXJ9ax3Xlh8PR5wN7w
	7TDcJCI+u1PH1HK0GpMPqP7ePO
X-Received: by 2002:a05:6402:26c1:b0:647:5c87:8668 with SMTP id
 4fb4d7f45d1cf-6475c8786c8mr12140911a12.14.1764591858553;
        Mon, 01 Dec 2025 04:24:18 -0800 (PST)
X-Google-Smtp-Source: 
 AGHT+IFnjM0Qzg6CtgwzGYH8gmhz+bLP0gt4lrDJ9TM3/lU3ORJOfhu2tpvth2CTJnOUWADyLTe8JA==
X-Received: by 2002:a05:6402:26c1:b0:647:5c87:8668 with SMTP id
 4fb4d7f45d1cf-6475c8786c8mr12140891a12.14.1764591858195;
        Mon, 01 Dec 2025 04:24:18 -0800 (PST)
Received: from amikhalitsyn.lan
 (p200300cf5749de007c66abd95f8bdeba.dip0.t-ipconnect.de.
 [2003:cf:5749:de00:7c66:abd9:5f8b:deba])
        by smtp.gmail.com with ESMTPSA id
 4fb4d7f45d1cf-64750a6ea36sm12307884a12.2.2025.12.01.04.24.17
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 01 Dec 2025 04:24:17 -0800 (PST)
From: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
To: kees@kernel.org
Cc: linux-doc@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Andy Lutomirski <luto@amacapital.net>,
	Will Drewry <wad@chromium.org>,
	Jonathan Corbet <corbet@lwn.net>,
	Shuah Khan <shuah@kernel.org>,
	Tycho Andersen <tycho@tycho.pizza>,
	Andrei Vagin <avagin@gmail.com>,
	Christian Brauner <brauner@kernel.org>,
	=?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@stgraber.org>,
	Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Subject: [PATCH v1 2/6] seccomp: prepare seccomp_run_filters() to support more
 than one listener
Date: Mon,  1 Dec 2025 13:23:59 +0100
Message-ID: <20251201122406.105045-3-aleksandr.mikhalitsyn@canonical.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251201122406.105045-1-aleksandr.mikhalitsyn@canonical.com>
References: <20251201122406.105045-1-aleksandr.mikhalitsyn@canonical.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Prepare seccomp_run_filters() function to support more than one listener
in the seccomp tree. In this patch, we only introduce a new
struct seccomp_filter_matches with kdoc and modify seccomp_run_filters()
signature correspondingly.

No functional change intended.

Cc: linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: Kees Cook <kees@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Tycho Andersen <tycho@tycho.pizza>
Cc: Andrei Vagin <avagin@gmail.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: St=C3=A9phane Graber <stgraber@stgraber.org>
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
---
 kernel/seccomp.c | 35 +++++++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index f944ea5a2716..c9a1062a53bd 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -237,6 +237,9 @@ struct seccomp_filter {
 /* Limit any path through the tree to 256KB worth of instructions. */
 #define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter))
=20
+/* Limit number of listeners through the tree. */
+#define MAX_LISTENERS_PER_PATH 8
+
 /*
  * Endianness is explicitly ignored and left for BPF program authors to ma=
nage
  * as per the specific architecture.
@@ -391,18 +394,38 @@ static inline bool seccomp_cache_check_allow(const st=
ruct seccomp_filter *sfilte
 }
 #endif /* SECCOMP_ARCH_NATIVE */
=20
+/**
+ * struct seccomp_filter_matches - container for seccomp filter match resu=
lts
+ *
+ * @n: A number of filters matched.
+ * @filters: An array of (struct seccomp_filter) pointers.
+ *	     Holds pointers to filters that matched during evaluation.
+ *	     A first one in the array is the one with the least permissive
+ *	     action result.
+ *
+ * If final action result is less (or more) permissive than SECCOMP_RET_US=
ER_NOTIF,
+ * only the most restrictive filter is stored in the array's first element.
+ * If final action result is SECCOMP_RET_USER_NOTIF, we need to track
+ * all filters that resulted in the same action to support multiple listen=
ers
+ * in seccomp tree.
+ */
+struct seccomp_filter_matches {
+	unsigned char n;
+	struct seccomp_filter *filters[MAX_LISTENERS_PER_PATH];
+};
+
 #define ACTION_ONLY(ret) ((s32)((ret) & (SECCOMP_RET_ACTION_FULL)))
 /**
  * seccomp_run_filters - evaluates all seccomp filters against @sd
  * @sd: optional seccomp data to be passed to filters
- * @match: stores struct seccomp_filter that resulted in the return value,
+ * @matches: array of struct seccomp_filter pointers that resulted in the =
return value,
  *         unless filter returned SECCOMP_RET_ALLOW, in which case it will
  *         be unchanged.
  *
  * Returns valid seccomp BPF response codes.
  */
 static u32 seccomp_run_filters(const struct seccomp_data *sd,
-			       struct seccomp_filter **match)
+			       struct seccomp_filter_matches *matches)
 {
 	u32 ret =3D SECCOMP_RET_ALLOW;
 	/* Make sure cross-thread synced filter points somewhere sane. */
@@ -425,7 +448,8 @@ static u32 seccomp_run_filters(const struct seccomp_dat=
a *sd,
=20
 		if (ACTION_ONLY(cur_ret) < ACTION_ONLY(ret)) {
 			ret =3D cur_ret;
-			*match =3D f;
+			matches->n =3D 1;
+			matches->filters[0] =3D f;
 		}
 	}
 	return ret;
@@ -1252,6 +1276,7 @@ static int __seccomp_filter(int this_syscall, const b=
ool recheck_after_trace)
 {
 	u32 filter_ret, action;
 	struct seccomp_data sd;
+	struct seccomp_filter_matches matches =3D {};
 	struct seccomp_filter *match =3D NULL;
 	int data;
=20
@@ -1263,7 +1288,9 @@ static int __seccomp_filter(int this_syscall, const b=
ool recheck_after_trace)
=20
 	populate_seccomp_data(&sd);
=20
-	filter_ret =3D seccomp_run_filters(&sd, &match);
+	filter_ret =3D seccomp_run_filters(&sd, &matches);
+
+	match =3D matches.filters[0];
 	data =3D filter_ret & SECCOMP_RET_DATA;
 	action =3D filter_ret & SECCOMP_RET_ACTION_FULL;
=20
--=20
2.43.0

From nobody Mon Dec  1 21:33:25 2025
Received: from smtp-relay-internal-0.canonical.com
 (smtp-relay-internal-0.canonical.com [185.125.188.122])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id B931E30BBB6
	for <linux-kernel@vger.kernel.org>; Mon,  1 Dec 2025 12:24:26 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=185.125.188.122
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1764591868; cv=none;
 b=DMDGwtOC5v3107JMAhC4I+xlDTP9APT5yaw/rA++p4iqaWk/XK9fCL4b04IfLIH636giK47orhsTWiYJVQKpPkXhVCaPtZFMapMyjNOZImCUN0ruKdlQjxZPTW2aBfs3NBTbt1fAH1jg7z09FVE6dOwL5NlErmn34eP36You0Rw=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1764591868; c=relaxed/simple;
	bh=ROqAT17lsLKq+OAD8klz4rtDlUC6I1DaK48+5JEk5XI=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=CbGy9MmX79oSOk/4zzKJMm7rxAXNIUiLvHjH6inho6gtcDKVRkw7Nau7XeLoTpK9BMMSWlzQYsk4hshuOpYQjS8M5sIMzovkK1UZilKTiOkzEBjdARONkMvdYKQtRiLfpfKDq4BqvpzQjRTug8NK8ZZajscUfh3r8TlBR+rKwrU=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=canonical.com;
 spf=pass smtp.mailfrom=canonical.com;
 dkim=pass (4096-bit key) header.d=canonical.com header.i=@canonical.com
 header.b=Yr+kGOje; arc=none smtp.client-ip=185.125.188.122
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=canonical.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=canonical.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (4096-bit key) header.d=canonical.com header.i=@canonical.com
 header.b="Yr+kGOje"
Received: from mail-ed1-f72.google.com (mail-ed1-f72.google.com
 [209.85.208.72])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 4E0543F1F4
	for <linux-kernel@vger.kernel.org>; Mon,  1 Dec 2025 12:24:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
	s=20251003; t=1764591863;
	bh=uDGFNs0dlemtVhhnPYk5y/JrXd8r2GFrUs0Gv8oHyF8=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
	b=Yr+kGOjelw+t6zr4Cxa0zFmMD40IwQD0mhOfpqcsqsH+3JhykyDVPrWendBVvkEcJ
	 1TKevjJnJZwnLQiM6gNqwH2nLVjb+ZARKbHcKQh+alEJsY3pwLMwaKcU3mZT4USx7o
	 +mnQKT1z507z+ohosPd4mwPbyeinFYkZeuHgk3giHbOe2hf/d36HXLGDj1b4QvTMrx
	 sZhGfjGQcywGelQlsVuapOjqaw/RXICkIQpX6RvYHGf1aaHpZ6HvLvt4DSV2klbvUE
	 Tt+hJc9oZIW+EfmgmVEebNSGuFtbeCvDy9lXfIkLkTPqEf/pyrRVuGUQMhhvF2YVUw
	 PR02D7bEIe3Vgbo+9R6/0koQgxlH/s7489jgoqlGfJNe+txpfSFxMBKA7DABMYz87z
	 BCWldMZND1VZ5GUHEQn/G0Cx1BPKrf7EHH5torivLSIRi1vcQOsljTSl7F1KIGz9Xb
	 pEYREsmg+9dLh7puMbUfcwnucKBRlztGdY7ELUs+N/llrwBwNKaFyjbgUQKXP1WXJv
	 tkoNk3udgx9az9GvkAA5LUji271yALuy0wFsfZb7u82+KkVXaMI76wqcAd+D55hyzO
	 HZIt5gbSqHRDR3DgvJ1ngQqR82LwEYxpQPZPguVaA/DrT439KlEwOcgh56u5636E9g
	 Kggj7v94UTCueFDAwFL1dLM8=
Received: by mail-ed1-f72.google.com with SMTP id
 4fb4d7f45d1cf-6417677bf55so8785892a12.1
        for <linux-kernel@vger.kernel.org>;
 Mon, 01 Dec 2025 04:24:23 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1764591861; x=1765196661;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=uDGFNs0dlemtVhhnPYk5y/JrXd8r2GFrUs0Gv8oHyF8=;
        b=QUJOCxDg6P2Wa1uWJOdZKOZfBSy32JCVURjD/KJfSCiyNZ3EthTB/yLt+qSrgH5HhR
         Ri/D27lq6/612WmQM5QS8UxHljMJ55+1z63ZVM38qJ0sFa+qvNRdN4V2iR31vmufXJ6d
         7UGff7Dyi5W5k05YCPviS8TRebF4iWtfytHYcrxyJXTlYf64lhr+Oh+apvPQZWz3ujiP
         NCgvzCwLEiPBhXzOfySRrhJ8sYNoMy/l41/RSXgnqxbVyiMn3jaWTJnE7oAeo2sREft3
         nks9emueUP1GxXW+cMtB47phcB7+/yge+D+7mPqInCUtDkDT1xcyBKij6UNsK+D22xbD
         i+4A==
X-Gm-Message-State: AOJu0Yx/Emi9p4jkrdAEbo+cTG3Fze2a5k/aOuDKEFjxZ7VDlRbHn/oI
	gLj8iPO+FA5w+EePhP+wZ1TolIEnkmFtf58Z70uZ70+8xLn5hTS4R+HMxYp4YZyPsYfgFyIk48l
	FlKyjoRVQKBTyea0bR6lnCkGdxZ4BVTK8KR9TspNkX5JJfmbcX5fQGGxTmHcVtfE21n4F1BIecB
	jFhMgPbMOezhuqMw==
X-Gm-Gg: ASbGncu7p/YlJw8YfqPVpCvxsLIOFbegGeqrVRPdh5nnuR9a7NQcSJ2oa+KXRQAIhtf
	e4O14eYqKlGoaPc3v1k9vUkvIiRUjSybLeIuP5TAwUqN98kPq7itzBIQYTnGs0NWMuaVgDDdGkW
	jZyzuV7L8YI4XRDADNz/t/Skm2PEVVKWADsXoENSMj2gz6D8C+YN2/AiVCurdqZO/0NPviJRxQN
	QCA45myaxuELTW+mtrnlUgtc6zEgmoJ9cOz6eIQmefXF9vJ+8H+W2Ts+V68XdBoqUYQtATaSYYT
	UV/wCidsff2g3MOFmUgyZNps25MHL4ABYjUiR0WYKxz11KXcSX3Cd9QzoVQOW63gVw5pzVyAtMo
	iqiaoOEfn4tyjaT0L5Q+LP+LKNwQn+AVFkw8/QfuFbTXa4w2oMwTdcOUvse/ki9hPt/+4wlenRk
	kQbHw26r5qnFdJdmt6D5NrJmxQ
X-Received: by 2002:aa7:c6d7:0:b0:644:fc07:2d08 with SMTP id
 4fb4d7f45d1cf-6453962437fmr30760786a12.2.1764591861615;
        Mon, 01 Dec 2025 04:24:21 -0800 (PST)
X-Google-Smtp-Source: 
 AGHT+IGjhzLfnzC1QhpwNYy2/mmU1w8pIZLfn1RzCuX2/F7919eyjEsj04ZLXWi2Vg7y70ykH7tP6A==
X-Received: by 2002:aa7:c6d7:0:b0:644:fc07:2d08 with SMTP id
 4fb4d7f45d1cf-6453962437fmr30760747a12.2.1764591861218;
        Mon, 01 Dec 2025 04:24:21 -0800 (PST)
Received: from amikhalitsyn.lan
 (p200300cf5749de007c66abd95f8bdeba.dip0.t-ipconnect.de.
 [2003:cf:5749:de00:7c66:abd9:5f8b:deba])
        by smtp.gmail.com with ESMTPSA id
 4fb4d7f45d1cf-64750a6ea36sm12307884a12.2.2025.12.01.04.24.19
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 01 Dec 2025 04:24:20 -0800 (PST)
From: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
To: kees@kernel.org
Cc: linux-kernel@vger.kernel.org,
	bpf@vger.kernel.org,
	Andy Lutomirski <luto@amacapital.net>,
	Will Drewry <wad@chromium.org>,
	Jonathan Corbet <corbet@lwn.net>,
	Shuah Khan <shuah@kernel.org>,
	Tycho Andersen <tycho@tycho.pizza>,
	Andrei Vagin <avagin@gmail.com>,
	Christian Brauner <brauner@kernel.org>,
	=?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@stgraber.org>,
	Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Subject: [PATCH v1 3/6] seccomp: limit number of listeners in seccomp tree
Date: Mon,  1 Dec 2025 13:24:00 +0100
Message-ID: <20251201122406.105045-4-aleksandr.mikhalitsyn@canonical.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251201122406.105045-1-aleksandr.mikhalitsyn@canonical.com>
References: <20251201122406.105045-1-aleksandr.mikhalitsyn@canonical.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

We need to limit number of listeners in seccomp tree to
MAX_LISTENERS_PER_PATH, because we don't want to use dynamic
memory allocations in a very hot __seccomp_filter() function
and we use preallocated static array on the stack.

Also, let's return ELOOP to userspace if it attempts to install
more than MAX_LISTENERS_PER_PATH listeners, instead of ENOMEM as
we do when userspace hits the limit of cBPF instructions.
This will make uAPI a bit more convenient.

Notice, that has_duplicate_listener() check is still in place, so this
change is a preparational.

Cc: linux-kernel@vger.kernel.org
Cc: bpf@vger.kernel.org
Cc: Kees Cook <kees@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Tycho Andersen <tycho@tycho.pizza>
Cc: Andrei Vagin <avagin@gmail.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: St=C3=A9phane Graber <stgraber@stgraber.org>
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
---
 kernel/seccomp.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index c9a1062a53bd..ded3f6a6430b 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -931,17 +931,25 @@ static long seccomp_attach_filter(unsigned int flags,
 				  struct seccomp_filter *filter)
 {
 	unsigned long total_insns;
+	unsigned char total_listeners;
 	struct seccomp_filter *walker;
=20
 	assert_spin_locked(&current->sighand->siglock);
=20
-	/* Validate resulting filter length. */
+	/* Validate resulting filter length and number of nested listeners. */
 	total_insns =3D filter->prog->len;
-	for (walker =3D current->seccomp.filter; walker; walker =3D walker->prev)
+	total_listeners =3D filter->notif ? 1 : 0;
+	for (walker =3D current->seccomp.filter; walker; walker =3D walker->prev)=
 {
 		total_insns +=3D walker->prog->len + 4;  /* 4 instr penalty */
+		total_listeners +=3D walker->notif ? 1 : 0;
+	}
+
 	if (total_insns > MAX_INSNS_PER_PATH)
 		return -ENOMEM;
=20
+	if (total_listeners > MAX_LISTENERS_PER_PATH)
+		return -ELOOP;
+
 	/* If thread sync has been requested, check that it is possible. */
 	if (flags & SECCOMP_FILTER_FLAG_TSYNC) {
 		int ret;
--=20
2.43.0

From nobody Mon Dec  1 21:33:25 2025
Received: from smtp-relay-internal-0.canonical.com
 (smtp-relay-internal-0.canonical.com [185.125.188.122])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 35B7230E843
	for <linux-kernel@vger.kernel.org>; Mon,  1 Dec 2025 12:24:40 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=185.125.188.122
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1764591923; cv=none;
 b=O8wiQQBJnf/sg3wJzIV2xg3g0fI0bfuO/H2oX6LAU/Ph3VnoV9/m+tPD9MGrkT9uGdMjcKMO5TNAeAY0b3Tjlu+4Z11tAU/FBRlIGYSTvi1o2uNT5seGdIdGQu3Usfg8BX80HvBnhoARpjHMyYEWyAKXCVJRJ2dVkq7iKaLRVYs=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1764591923; c=relaxed/simple;
	bh=LDa7ML3adGpxpPCTqvCDaPukE8yIEq5yWlVwR4BK1VE=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=AMAej/qCf9D2GFub3htI5kY+xRqbgCKjRLKTDlh+ksoRDb7xv40ajz6VNYDc8Kb6jQSAFTD25uwC9/Jbh9k35wYGDtcL3h9XnKIqQ6hTlf69Iddq+RRVCcPzyPnQx7Yw3LhHD5v7T7kjMCb5Hv6mtQjB/0gXvqIi+KfQwlPTT8s=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=canonical.com;
 spf=pass smtp.mailfrom=canonical.com;
 dkim=pass (4096-bit key) header.d=canonical.com header.i=@canonical.com
 header.b=WuGj7dC9; arc=none smtp.client-ip=185.125.188.122
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=canonical.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=canonical.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (4096-bit key) header.d=canonical.com header.i=@canonical.com
 header.b="WuGj7dC9"
Received: from mail-ed1-f72.google.com (mail-ed1-f72.google.com
 [209.85.208.72])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 8DCD63F51D
	for <linux-kernel@vger.kernel.org>; Mon,  1 Dec 2025 12:24:25 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
	s=20251003; t=1764591865;
	bh=KA/oQzzw7fbsbaclnGEMw4B3gBpT6DYefmjDeMh6oB0=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
	b=WuGj7dC93U15sAwkEIje6niN7NDpaAxCcxY//SCoC4hcwlpQJvRwLkRpRrPv1Gscj
	 vhbje3wERkgIzmBGZ2Ko53EELcLs6Aq1rIdaYaFCZKAx3BJKlG25SPbXXwAV4nlnqr
	 s43ewwMyXLb7dE6LbYVjkFZ+U+USlTVyDYQ95UJ1CC+pTF+YzxkFk1J+ZlakxVXYAQ
	 4lSmsVVmuC4tjzOC8JrjULp7gRO3nMqiaWj7z1YnTvjk/v/85ZY/ebA1XCsOt7ykOH
	 e4kFluQqZhjbYx8plpSFk1pMBjea1yaNjl2R9kDoFm+9M7EBdSOe4px+dI2lTpmzqY
	 tzztWNokXF5JJqUmBoyVKsMOFMrWgLLb+KEJwMzTsxA6fqCFKosPt0JRe9os0+m4MC
	 yIqolUGjFxFprR+KHi7r1HIOHSGtjir6VQN5eVeVb74//hGjOi/xIYBS9u2+Vw1z85
	 3k1aiiWku+s884CEiXg1qFFQiZY44mAp6E0u8zeCYwlG7rrh7IGJ+KZO5McpYpJM0h
	 vlFhGrGNksKJaMQveZRmiQ2YEXZJuWqR1KRQQ2FkfyhYj3XMAop7ASK2cpGoyUvLEe
	 yAWsGDAvT5J+jeQBfdOzpZ04i6jAYg0UsGAvY/tQFzu8jo32aWwj2bv3PibPljfcR2
	 pXm1z9Xri+ZnN3BDiYubBEuc=
Received: by mail-ed1-f72.google.com with SMTP id
 4fb4d7f45d1cf-64537824851so4072699a12.1
        for <linux-kernel@vger.kernel.org>;
 Mon, 01 Dec 2025 04:24:25 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1764591863; x=1765196663;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=KA/oQzzw7fbsbaclnGEMw4B3gBpT6DYefmjDeMh6oB0=;
        b=BkrUCE427pepx2m2duk2oKhyZkNUHEU/w4/sB6s2UKXgLcuzyKeQfF4id143/lmFHC
         FutT3xV7fvXBxCJXYLoBthR0BwVHAxLqeVpjSwLV+YahLZTgX6LQ6nlM7OCSmJtyM2dl
         hf1L30cY8jFCT80PVrPspIHWPNEA6oCAZp/iNmtEr6bChoupYg5nCJ5qymjZW/2ROI9K
         3TJy38QxGVTNPKJfWWgau19I9x5u3CQln4n0DYOgKKjy7ktH0uSJhGy9V6RC7B3EdBec
         YaVSQMeN+1psgwaHRrGCBu81vTvqDZYU9SjF3N1ttAAZij4u1XxxMSxIJQk0+DQRWxvR
         qEmQ==
X-Gm-Message-State: AOJu0YxPhFe2Zuk6rkhyRdGS/M5QWf/Ch6XLajp7BWaVT3rC5aTYd2rO
	i1Ii4LdiW3VVsLrGm0QL7onqgLbd6J0qdx185KhCqpBn4opWfSnDL5MjAjErRm2c69sv0MCedtG
	92luJ8kVmOb6RYwHXfe/vu7oGXTSW5/dSuFbftv/tZm04LxlgPe4LVknOvcVNMPg8E6YVWdsaV4
	bUYBUrVQ==
X-Gm-Gg: ASbGncvObgeLMEy2nff7rmV8ETQchCKLDSM6NRdwbjKqqc1X+421hCjIpSkIpbP3WqA
	qMgpZslKyYHK+ZOZrCWdG9WmdaLIQLEUcImPIgCoeTObty68UNNlO85Zh3S47EiMHvPN7R4krgM
	HI2LpBaY9XLvkVgvxpptBbumV4hF1atZPltcTm7tPAw+uZkxcQOrhqMcxrRkSZ3vh07BvurIXUC
	FOYZQMY15n4a2zrByjuA2sE5M86YVwk496XaKbLOGVnurJuYwU0wJfV2nSgmGSnfnSNKnuqnJ5B
	ukDU5OjTI25MwqCIazqjSidY70PHKwO1a+EKzbCkcQMQjQHnfY22qx0pKp2bYdFpioxcpVwv5jn
	FC4hwhuMgvybwEfCxUY14fxshOIIrmUropDPumKODSsq79GTxvCxQhHuMWBYIt3caImmsYkrDpE
	x5k7ua2Uxlz3QSD9uqHIALZsNU
X-Received: by 2002:a05:6402:26c7:b0:647:5e6c:3220 with SMTP id
 4fb4d7f45d1cf-6475e6c327emr10813615a12.21.1764591863219;
        Mon, 01 Dec 2025 04:24:23 -0800 (PST)
X-Google-Smtp-Source: 
 AGHT+IEWWFf3rv850wtlg8CTXlTZz3Khm2br09waaeWnLi9g1cJe/jdBlDbscwmV7NEJjypCoC8AZg==
X-Received: by 2002:a05:6402:26c7:b0:647:5e6c:3220 with SMTP id
 4fb4d7f45d1cf-6475e6c327emr10813586a12.21.1764591862846;
        Mon, 01 Dec 2025 04:24:22 -0800 (PST)
Received: from amikhalitsyn.lan
 (p200300cf5749de007c66abd95f8bdeba.dip0.t-ipconnect.de.
 [2003:cf:5749:de00:7c66:abd9:5f8b:deba])
        by smtp.gmail.com with ESMTPSA id
 4fb4d7f45d1cf-64750a6ea36sm12307884a12.2.2025.12.01.04.24.22
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 01 Dec 2025 04:24:22 -0800 (PST)
From: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
To: kees@kernel.org
Cc: linux-kernel@vger.kernel.org,
	bpf@vger.kernel.org,
	Andy Lutomirski <luto@amacapital.net>,
	Will Drewry <wad@chromium.org>,
	Jonathan Corbet <corbet@lwn.net>,
	Shuah Khan <shuah@kernel.org>,
	Tycho Andersen <tycho@tycho.pizza>,
	Andrei Vagin <avagin@gmail.com>,
	Christian Brauner <brauner@kernel.org>,
	=?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@stgraber.org>,
	Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Subject: [PATCH v1 4/6] seccomp: handle multiple listeners case
Date: Mon,  1 Dec 2025 13:24:01 +0100
Message-ID: <20251201122406.105045-5-aleksandr.mikhalitsyn@canonical.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251201122406.105045-1-aleksandr.mikhalitsyn@canonical.com>
References: <20251201122406.105045-1-aleksandr.mikhalitsyn@canonical.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

If we have more than one listener in the tree and lower listener
wants us to continue syscall (SECCOMP_USER_NOTIF_FLAG_CONTINUE)
we must consult with upper listeners first, otherwise it is a
clear seccomp restrictions bypass scenario.

Cc: linux-kernel@vger.kernel.org
Cc: bpf@vger.kernel.org
Cc: Kees Cook <kees@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Tycho Andersen <tycho@tycho.pizza>
Cc: Andrei Vagin <avagin@gmail.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: St=C3=A9phane Graber <stgraber@stgraber.org>
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Reviewed-by: Tycho Andersen (AMD) <tycho@kernel.org>
---
 kernel/seccomp.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index ded3f6a6430b..ad733f849e0f 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -450,6 +450,9 @@ static u32 seccomp_run_filters(const struct seccomp_dat=
a *sd,
 			ret =3D cur_ret;
 			matches->n =3D 1;
 			matches->filters[0] =3D f;
+		} else if ((ACTION_ONLY(cur_ret) =3D=3D ACTION_ONLY(ret)) &&
+			    ACTION_ONLY(cur_ret) =3D=3D SECCOMP_RET_USER_NOTIF) {
+			matches->filters[matches->n++] =3D f;
 		}
 	}
 	return ret;
@@ -1362,8 +1365,17 @@ static int __seccomp_filter(int this_syscall, const =
bool recheck_after_trace)
 		return 0;
=20
 	case SECCOMP_RET_USER_NOTIF:
-		if (seccomp_do_user_notification(match, &sd))
-			goto skip;
+		for (unsigned char i =3D 0; i < matches.n; i++) {
+			match =3D matches.filters[i];
+			/*
+			 * If userspace wants us to skip this syscall, do so.
+			 * But if userspace wants to continue syscall, we
+			 * must consult with the upper-level filters listeners
+			 * and act accordingly.
+			 */
+			if (seccomp_do_user_notification(match, &sd))
+				goto skip;
+		}
=20
 		return 0;
=20
--=20
2.43.0

From nobody Mon Dec  1 21:33:25 2025
Received: from smtp-relay-internal-1.canonical.com
 (smtp-relay-internal-1.canonical.com [185.125.188.123])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6A44630BBB9
	for <linux-kernel@vger.kernel.org>; Mon,  1 Dec 2025 12:25:11 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=185.125.188.123
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1764591913; cv=none;
 b=Fcu4GyWs3iONVkH57hpqY8PrK/lVjeN6433Ni9CaZtpeU6lvxxBVnFeWfFVkSG+RgwUjhPTkwSxH/4Jq0tNKoSYzyonhDi6t0+aplKadtm1iJ9O3kBNmVg2s8bNtpslNTA/RYgb9TWssCZeMBu8ZsI4DtoGhpQ55I6TwpeJxR4M=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1764591913; c=relaxed/simple;
	bh=8MfDex+kidsWNd3urXjWl39OzEr3uA9ecYv97MZfhkQ=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=gMIkX1eUoBKmRyXJcLB1Ve4IMqcMF8p88Esj3a0Hw4BZmTnov+gdk2bGmSEmuZqfqZWYQnguIOm09AHe85holWmDaJ3WV0mJ1BeD4btn8U6dj3seJS96WBqcRwDMfJe+cK9QURBu7xxvnPg4iMFv623+NVYkTHCGxmRtSjH3PkI=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=canonical.com;
 spf=pass smtp.mailfrom=canonical.com;
 dkim=pass (4096-bit key) header.d=canonical.com header.i=@canonical.com
 header.b=ZAcgWLGX; arc=none smtp.client-ip=185.125.188.123
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=canonical.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=canonical.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (4096-bit key) header.d=canonical.com header.i=@canonical.com
 header.b="ZAcgWLGX"
Received: from mail-ed1-f70.google.com (mail-ed1-f70.google.com
 [209.85.208.70])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 198EB3F2BA
	for <linux-kernel@vger.kernel.org>; Mon,  1 Dec 2025 12:24:31 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
	s=20251003; t=1764591871;
	bh=zW8+/HrAO0awxNuy3yAxkVCoMyJbpjCi4GDs+eaZJcc=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
	b=ZAcgWLGXeyrJn2wSwtmea1SvBrf8p9zSVWaIfGWMJ1PX0FVxJuudtRHDStzdEEwHU
	 oQfHwkvitseiPKbQVmAXOubulDYQpSjJo5EN1xzqlSBWTeVR/7Tom14tG3ekFqlSnc
	 8Q90oAqvfhF47J64/Ld9EopDADwMlgdVDmZXnBXZXd0UJY0+o6KXZOP0jdouKIThT+
	 75jhAldgBj1crQ9QTuTTEcnU3/CJ19vfR39XXVlyYSrp4wEwfp8HeEerE/Rk3z+Suy
	 9I2Dlchj3acPegB/8hzWfzCorgJJd0sqjXOhAr3sN69hw+hoWz+ZYScPkUN7g/ACj8
	 LkXBrZFohlALUfD8jQaBEaG+Z+eRfzvd4/YBi+OtroimkXOohCFvQgPmXGZJABQ3zy
	 ECUE7RCas2JVPsSYElEtNU72FycBRHp9i6KL5DNqU/PsXXfBncWTfhLYF13wPDKJJ/
	 i8dLlzFercmEAqHAcmLuFBCqiog3JDhkeMWaf9bcU0anu75ohm++jcJxqQyaOCwIUk
	 44i4rElGAMf8Gb5i2zXsCpADe+mXWMEFYjd88dMesD0Oc+frhlHSnOnmSJjXzPj8VY
	 ba1/FnQx3gOK7UIYJUB1yY8kMyXnp1rs7Ez27j1UpF/VnRz1Cms4YX37amCQa2/psO
	 ulJCakfXUOokepEoKgzYDENA=
Received: by mail-ed1-f70.google.com with SMTP id
 4fb4d7f45d1cf-640cdaf43aeso4819115a12.2
        for <linux-kernel@vger.kernel.org>;
 Mon, 01 Dec 2025 04:24:31 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1764591867; x=1765196667;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=zW8+/HrAO0awxNuy3yAxkVCoMyJbpjCi4GDs+eaZJcc=;
        b=fphMh0CsC9Tw4pl9A82jQiqsyR7AHz+0fhQTky8jMvtgu8IUiLULJdgXCI6NTo+Qm2
         4GODI37hLhoGoDw5ibcf1/neEHDpFTO3Sj5dudc0/yK/MO39Rhs9AdmoXQ8bzC2t3Vip
         zD9qy/24KQgGdplL88hdaVjUJl2ERyp81xla8KThK1dq00LW+GQTyAXXIHwB+/6Gq22u
         7879FxqZY6aMLuCjUQAnGobbTYBmnUm+ZELHQ0TyDD3F0beOhdgufbJaQR1m+1AceuCp
         EKbj/yGitTosDG+5jmqxX2jdifBLzZGZMNdZnEN4LzAaWxW7Eh1S34A/Ojiq2jU9U31H
         Jf0g==
X-Forwarded-Encrypted: i=1;
 AJvYcCWhQAneDuvNhpDiayvWJNvGumb/Z9BtDq8cpoJ/k1pZOSNxLEINu39/PEA6i40JXAIDls4U4hLHRVLV2ZM=@vger.kernel.org
X-Gm-Message-State: AOJu0YzdRnQXJEtFl3grQI5zKuDCxY52mHBPUrG7aozRIVhZNFXwPc4z
	iKI6XEcF/PHnYJXCwQmf0OZo6VgJfjYYeyMA9nfMrVY1ODj0or9MZPE58dGRXFfxETLfoWXthXM
	OXUAwyT4L8Eyxym2yN+gpX44hZNHNxGhS2eDyNAkyrbIoM66qNRP4zTE9sabXXo81xpkJuKUBTV
	6rc5X/ig==
X-Gm-Gg: ASbGncu3ZTmLyoLMAYGsWhcVUxVpXVqWyjFh/yPlXHcIiMrp/4Zd5mhtckQ7DsEzlcE
	hLEsLGiil4jkZWmphjlqAFU5DtqxxIVxTOl5sU7Sd0uMaCL7n6ut6yDTJpBBZCsu2Fd+Xv05yK6
	Taclq0awFOHimAtfiz3OOLQy7MZD31/44nDfe44XB2xXCKZi0oo0X8JWPh5xde4SxZrG4rqKce/
	LkwyOluosVcRuV6wb5yML6nKtvLdVHY1qLIEaVPFHNIPmH2rfb3KZIY9b5xLYUYH7GEDVr3ZiJw
	v1iahMf7PrWCfVZl+JnzDg+LxJ7XveBOxPxdsYMWIe0whl1fbAjuw5/Aiw317qnP+xQz6/PiBbb
	DLxzfR2OxRS2pShGWSInwUAGtnV8vKtdIbMNYX8oNdLUSy3o/5VG9Ka1KkZwICAD+/nwqv/aWaM
	tvaSY/kh7t6mmdb6YNkR5SwVdd
X-Received: by 2002:a05:6402:24cc:b0:640:b814:bb81 with SMTP id
 4fb4d7f45d1cf-645546a3c11mr36462569a12.32.1764591866620;
        Mon, 01 Dec 2025 04:24:26 -0800 (PST)
X-Google-Smtp-Source: 
 AGHT+IGN1tIOcPrGnJFOxXrUnXoTJlFWJRG9I1z+01CVFHJKk93OfxDzmlpm1HbJF02rEwstWrU0Vw==
X-Received: by 2002:a05:6402:24cc:b0:640:b814:bb81 with SMTP id
 4fb4d7f45d1cf-645546a3c11mr36462550a12.32.1764591866178;
        Mon, 01 Dec 2025 04:24:26 -0800 (PST)
Received: from amikhalitsyn.lan
 (p200300cf5749de007c66abd95f8bdeba.dip0.t-ipconnect.de.
 [2003:cf:5749:de00:7c66:abd9:5f8b:deba])
        by smtp.gmail.com with ESMTPSA id
 4fb4d7f45d1cf-64750a6ea36sm12307884a12.2.2025.12.01.04.24.24
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 01 Dec 2025 04:24:25 -0800 (PST)
From: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
To: kees@kernel.org
Cc: linux-doc@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	bpf@vger.kernel.org,
	Andy Lutomirski <luto@amacapital.net>,
	Will Drewry <wad@chromium.org>,
	Jonathan Corbet <corbet@lwn.net>,
	Shuah Khan <shuah@kernel.org>,
	Tycho Andersen <tycho@tycho.pizza>,
	Andrei Vagin <avagin@gmail.com>,
	Christian Brauner <brauner@kernel.org>,
	=?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@stgraber.org>,
	Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>,
	Alexander Mikhalitsyn <alexander@mihalicyn.com>
Subject: [PATCH v1 5/6] seccomp: relax has_duplicate_listeners check
Date: Mon,  1 Dec 2025 13:24:02 +0100
Message-ID: <20251201122406.105045-6-aleksandr.mikhalitsyn@canonical.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251201122406.105045-1-aleksandr.mikhalitsyn@canonical.com>
References: <20251201122406.105045-1-aleksandr.mikhalitsyn@canonical.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Now everything is ready to get rid of "only one listener per tree"
limitation.

Let's introduce a new uAPI flag
SECCOMP_FILTER_FLAG_ALLOW_NESTED_LISTENERS, so userspace may explicitly
allow nested listeners when installing a listener.

Note, that to install n-th listener, this flag must be set on all
the listeners up the tree.

Cc: linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: bpf@vger.kernel.org
Cc: Kees Cook <kees@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Tycho Andersen <tycho@tycho.pizza>
Cc: Andrei Vagin <avagin@gmail.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: St=C3=A9phane Graber <stgraber@stgraber.org>
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
---
 .../userspace-api/seccomp_filter.rst          |  6 +++++
 include/linux/seccomp.h                       |  3 ++-
 include/uapi/linux/seccomp.h                  | 13 ++++++-----
 kernel/seccomp.c                              | 22 +++++++++++++++----
 tools/include/uapi/linux/seccomp.h            | 13 ++++++-----
 5 files changed, 40 insertions(+), 17 deletions(-)

diff --git a/Documentation/userspace-api/seccomp_filter.rst b/Documentation=
/userspace-api/seccomp_filter.rst
index cff0fa7f3175..b9633ab1ed47 100644
--- a/Documentation/userspace-api/seccomp_filter.rst
+++ b/Documentation/userspace-api/seccomp_filter.rst
@@ -210,6 +210,12 @@ notifications from both tasks will appear on the same =
filter fd. Reads and
 writes to/from a filter fd are also synchronized, so a filter fd can safely
 have many readers.
=20
+By default, only one listener within seccomp filters tree is allowed. On a=
ttempt
+to add a new listener when one already exists in the filter tree, the
+``seccomp()`` call will fail with ``-EBUSY``. To allow multiple listeners,=
 the
+``SECCOMP_FILTER_FLAG_ALLOW_NESTED_LISTENERS`` flag can be passed in addit=
ion to
+the ``SECCOMP_FILTER_FLAG_NEW_LISTENER`` flag.
+
 The interface for a seccomp notification fd consists of two structures:
=20
 .. code-block:: c
diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h
index 9b959972bf4a..9b060946019d 100644
--- a/include/linux/seccomp.h
+++ b/include/linux/seccomp.h
@@ -10,7 +10,8 @@
 					 SECCOMP_FILTER_FLAG_SPEC_ALLOW | \
 					 SECCOMP_FILTER_FLAG_NEW_LISTENER | \
 					 SECCOMP_FILTER_FLAG_TSYNC_ESRCH | \
-					 SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV)
+					 SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV | \
+					 SECCOMP_FILTER_FLAG_ALLOW_NESTED_LISTENERS)
=20
 /* sizeof() the first published struct seccomp_notif_addfd */
 #define SECCOMP_NOTIFY_ADDFD_SIZE_VER0 24
diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h
index dbfc9b37fcae..de78d8e7a70b 100644
--- a/include/uapi/linux/seccomp.h
+++ b/include/uapi/linux/seccomp.h
@@ -18,13 +18,14 @@
 #define SECCOMP_GET_NOTIF_SIZES		3
=20
 /* Valid flags for SECCOMP_SET_MODE_FILTER */
-#define SECCOMP_FILTER_FLAG_TSYNC		(1UL << 0)
-#define SECCOMP_FILTER_FLAG_LOG			(1UL << 1)
-#define SECCOMP_FILTER_FLAG_SPEC_ALLOW		(1UL << 2)
-#define SECCOMP_FILTER_FLAG_NEW_LISTENER	(1UL << 3)
-#define SECCOMP_FILTER_FLAG_TSYNC_ESRCH		(1UL << 4)
+#define SECCOMP_FILTER_FLAG_TSYNC			(1UL << 0)
+#define SECCOMP_FILTER_FLAG_LOG				(1UL << 1)
+#define SECCOMP_FILTER_FLAG_SPEC_ALLOW			(1UL << 2)
+#define SECCOMP_FILTER_FLAG_NEW_LISTENER		(1UL << 3)
+#define SECCOMP_FILTER_FLAG_TSYNC_ESRCH			(1UL << 4)
 /* Received notifications wait in killable state (only respond to fatal si=
gnals) */
-#define SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV	(1UL << 5)
+#define SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV		(1UL << 5)
+#define SECCOMP_FILTER_FLAG_ALLOW_NESTED_LISTENERS	(1UL << 6)
=20
 /*
  * All BPF programs must return a 32-bit value.
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index ad733f849e0f..348e10d403b1 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -205,6 +205,7 @@ static inline void seccomp_cache_prepare(struct seccomp=
_filter *sfilter)
  * @log: true if all actions except for SECCOMP_RET_ALLOW should be logged
  * @wait_killable_recv: Put notifying process in killable state once the
  *			notification is received by the userspace listener.
+ * @allow_nested_listeners: Allow nested seccomp listeners.
  * @prev: points to a previously installed, or inherited, filter
  * @prog: the BPF program to evaluate
  * @notif: the struct that holds all notification related information
@@ -226,6 +227,7 @@ struct seccomp_filter {
 	refcount_t users;
 	bool log;
 	bool wait_killable_recv;
+	bool allow_nested_listeners;
 	struct action_cache cache;
 	struct seccomp_filter *prev;
 	struct bpf_prog *prog;
@@ -974,6 +976,10 @@ static long seccomp_attach_filter(unsigned int flags,
 	if (flags & SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV)
 		filter->wait_killable_recv =3D true;
=20
+	/* Set nested listeners allow flag, if present. */
+	if (flags & SECCOMP_FILTER_FLAG_ALLOW_NESTED_LISTENERS)
+		filter->allow_nested_listeners =3D true;
+
 	/*
 	 * If there is an existing filter, make it the prev and don't drop its
 	 * task reference.
@@ -1955,7 +1961,8 @@ static struct file *init_listener(struct seccomp_filt=
er *filter)
 }
=20
 /*
- * Does @new_child have a listener while an ancestor also has a listener?
+ * Does @new_child have a listener while an ancestor also has a listener
+ * and hasn't allowed nesting?
  * If so, we'll want to reject this filter.
  * This only has to be tested for the current process, even in the TSYNC c=
ase,
  * because TSYNC installs @child with the same parent on all threads.
@@ -1973,7 +1980,12 @@ static bool has_duplicate_listener(struct seccomp_fi=
lter *new_child)
 		return false;
 	for (cur =3D current->seccomp.filter; cur; cur =3D cur->prev) {
 		if (cur->notif)
-			return true;
+			/*
+			 * We don't need to go up further, because if there is a
+			 * listener with nesting allowed, then all the listeners
+			 * up the tree have allowed nesting as well.
+			 */
+			return !cur->allow_nested_listeners;
 	}
=20
 	return false;
@@ -2018,10 +2030,12 @@ static long seccomp_set_mode_filter(unsigned int fl=
ags,
 		return -EINVAL;
=20
 	/*
-	 * The SECCOMP_FILTER_FLAG_WAIT_KILLABLE_SENT flag doesn't make sense
+	 * The SECCOMP_FILTER_FLAG_WAIT_KILLABLE_SENT and
+	 * SECCOMP_FILTER_FLAG_ALLOW_NESTED_LISTENERS flags don't make sense
 	 * without the SECCOMP_FILTER_FLAG_NEW_LISTENER flag.
 	 */
-	if ((flags & SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV) &&
+	if (((flags & SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV) ||
+	     (flags & SECCOMP_FILTER_FLAG_ALLOW_NESTED_LISTENERS)) &&
 	    ((flags & SECCOMP_FILTER_FLAG_NEW_LISTENER) =3D=3D 0))
 		return -EINVAL;
=20
diff --git a/tools/include/uapi/linux/seccomp.h b/tools/include/uapi/linux/=
seccomp.h
index dbfc9b37fcae..de78d8e7a70b 100644
--- a/tools/include/uapi/linux/seccomp.h
+++ b/tools/include/uapi/linux/seccomp.h
@@ -18,13 +18,14 @@
 #define SECCOMP_GET_NOTIF_SIZES		3
=20
 /* Valid flags for SECCOMP_SET_MODE_FILTER */
-#define SECCOMP_FILTER_FLAG_TSYNC		(1UL << 0)
-#define SECCOMP_FILTER_FLAG_LOG			(1UL << 1)
-#define SECCOMP_FILTER_FLAG_SPEC_ALLOW		(1UL << 2)
-#define SECCOMP_FILTER_FLAG_NEW_LISTENER	(1UL << 3)
-#define SECCOMP_FILTER_FLAG_TSYNC_ESRCH		(1UL << 4)
+#define SECCOMP_FILTER_FLAG_TSYNC			(1UL << 0)
+#define SECCOMP_FILTER_FLAG_LOG				(1UL << 1)
+#define SECCOMP_FILTER_FLAG_SPEC_ALLOW			(1UL << 2)
+#define SECCOMP_FILTER_FLAG_NEW_LISTENER		(1UL << 3)
+#define SECCOMP_FILTER_FLAG_TSYNC_ESRCH			(1UL << 4)
 /* Received notifications wait in killable state (only respond to fatal si=
gnals) */
-#define SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV	(1UL << 5)
+#define SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV		(1UL << 5)
+#define SECCOMP_FILTER_FLAG_ALLOW_NESTED_LISTENERS	(1UL << 6)
=20
 /*
  * All BPF programs must return a 32-bit value.
--=20
2.43.0

From nobody Mon Dec  1 21:33:25 2025
Received: from smtp-relay-internal-1.canonical.com
 (smtp-relay-internal-1.canonical.com [185.125.188.123])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0791430BF78
	for <linux-kernel@vger.kernel.org>; Mon,  1 Dec 2025 12:24:36 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=185.125.188.123
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1764591878; cv=none;
 b=N2ZOyUJZ/4g5YcwybkCbcL1prc25ciRF9m8taSWWgEGDGoE4CMUoEgDEI5N3ZX/SkW7Caojc3I2e7a+tipN8irwOuRCJnkxhIAfz7mZgEOrFZOLlCvvzvLDV2KOtOYhD1wn/W4k/fT8HRe1E9kwNwMrSb/4Bzo1R4/P2t0Syb3U=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1764591878; c=relaxed/simple;
	bh=Egmsxd6WhuG+1aHGJA9zA7ap31AaU5FP48jyqfW36E4=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=W/0gEm5YOeP9493K+0m7PaYUzprgQ3wC30sJGh8q8tkzkhWL/jiQicwJJ3ZqbcaEh72LTOtW0G9mU3Uvb4LgBV+DLWWBP83KFzVSOiImF670RU4U4Ma+bgPYF3n/pEbx71iaIhr75dQOgG3PsuC8cGoL0gMkFf7nHrbHJxdu9dE=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=canonical.com;
 spf=pass smtp.mailfrom=canonical.com;
 dkim=pass (4096-bit key) header.d=canonical.com header.i=@canonical.com
 header.b=BqfEk6CM; arc=none smtp.client-ip=185.125.188.123
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=canonical.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=canonical.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (4096-bit key) header.d=canonical.com header.i=@canonical.com
 header.b="BqfEk6CM"
Received: from mail-ed1-f69.google.com (mail-ed1-f69.google.com
 [209.85.208.69])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 563C53F2EF
	for <linux-kernel@vger.kernel.org>; Mon,  1 Dec 2025 12:24:33 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
	s=20251003; t=1764591873;
	bh=jXkgsidXiBaEN+Xes2JcR3minQELMlukrfJCybCFbvk=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
	b=BqfEk6CMt6hTFO4CFIKt5G9iJLJKJtI84QQwa9rN7P4lGSg9UpGbiN2KTeB8ufvyg
	 heEja8gOv8MMV7/ObLWYluvWl3iu8bzzycGBjVcgwWJZf2S2/E1xtTM6B+XLoTXidX
	 E/9fdKWBTlK1blRRc7p09GrjdvnoFbvSEHY6VM9cJ5/AjITyKE1XnU+ADgDUQ00AcS
	 RVXKdXn2fXppY96OrVjLBOGx1DO+aN4yQerroP6rwbUMtl/PKhU6NPFB0LLwRQIYYs
	 alK3vDjhgEtjQFPGhN8k+IpwhTSBwHfE7Ja1RjKKAJRQPhDQg252FqreGsbSnWGU2d
	 adIcvM+Z1wedy3H5Rs68zDTIJHhm4PHDFqzBbaPKkYR9LXZLBrWH0kFsQ/GnMcpu0a
	 Fr3RvmymRlC3jV+n3aR9PtwDg1QN0AwVXzfp2af5qft+kiC5k6nR1ru3T7P2Ku54QI
	 Zf+kzFCwD6OySHNRG/FAz4baRF1uh5usvIOn7yDu6LYQoU0JCGNmbhHWFha2YQKrth
	 eQfa4z5ZitCWDSpLnEsQZ4MDInOeoEhJalQRPJGgrnwPUIHu/Q5iSx8gHmrpscFrPm
	 jhlDmaN14NBNtEswNjlAW9ppgurMxO959NtuBpjjsoNRiX9rMIvr4Ry2VylKZ9EDzH
	 EeQzgZPRE+H1ZiZfREH1eDVc=
Received: by mail-ed1-f69.google.com with SMTP id
 4fb4d7f45d1cf-6409849320cso9220356a12.0
        for <linux-kernel@vger.kernel.org>;
 Mon, 01 Dec 2025 04:24:33 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1764591869; x=1765196669;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=jXkgsidXiBaEN+Xes2JcR3minQELMlukrfJCybCFbvk=;
        b=ne9VunQ8vWC1a5RjhNlrvAMzK+mYwYoNXDb3zC809B9R994Ks5F9aWVbX2a312oq/s
         p5GuV8CwONfNC6qm/zosM0vY5Zo7QiayvkL1WfVLyYsB7mUQu4CLfdqY1OPmt9QkQkqy
         rWOEtKIuHcBZaVLludsrWtPRLNA3QpZ44U0HqVXniQxRP3ai9EovD9kh3gzT+x+rU0Fs
         K8NMLKT1cvwmsyZLJMSv+18k/VVLoqa2trL4BMOSo/rIdZpKkjsPw+u9FZvnTtAd/aYj
         0DyyCFxU36GsWDYCPI9FLE2OgbP+L+0EufbkMiJJTITGX8ZWimDLsQFvUEhC30yCY6yO
         RBsA==
X-Gm-Message-State: AOJu0YwehfanlCncpJ6BoU0jmiZlPLV8LKnYB86Yyo8izwPgm87Ih8rp
	jR8pXohbaJifWUcPaJG0P0QEaj3Out2/JHyI3pI1pBdXHlATwFu9jfFkRQkYPfKqJp6QMGViVus
	QxHRHnqcY98Zc+9l1H16xppeLZVhYYSmKeGCSNO1zZhnyQszJS6qRPQ8xp1ESmy6ykNLH9K8bR+
	PmwNHhzQ==
X-Gm-Gg: ASbGncst8sadFCfA82G1S+2C7vPlR0pJuM7yCWo38rWp29HtIXAsAuE0ALLHlzLoahF
	18559lM8fcwkJgFNpI9fZLKBCe7q3V7iXeUCgS0OsZS/azBSa63LqxfAfIBMaeSTrmHqWRnPeel
	qFdaWaCj6VtD4KTB0vPgG29w+hGoPTX40OYSiICxhT6P9ZjJri47p7cMwKWARe5ZSk6Aj33/XTX
	4rISKeotb/7+ZYEmtN2f//w8pbzjxdcsQd+fykNPwSEvCLVGQOWfWqGd9Evs/TCeEPPJMgUcjQ7
	VAWs5YBquET75PTegXEn0Iwmy3j3dDpHlSUYh+NufHeICp3k4cyeDUSTvobJtsm+1c+4wWs8AA2
	UeXcUXmaDVQ1jY8QIhtEGZxyIcJJvXrUdGJxmMTdlwGsHrY0RgBa/Dzr/bmLmtyimm0xO+XptZ6
	OPrEwNor+6tiboF0Hna8iCA5dz
X-Received: by 2002:a05:6402:1d99:b0:641:9fdf:db43 with SMTP id
 4fb4d7f45d1cf-6453962404bmr25196725a12.1.1764591868639;
        Mon, 01 Dec 2025 04:24:28 -0800 (PST)
X-Google-Smtp-Source: 
 AGHT+IEdhwkAnp1agnhNL0XBFl1gCYXlLEElnXUghnsShlPPM9wQcvadSq0QTq7MjxtDqhOFO0U7dQ==
X-Received: by 2002:a05:6402:1d99:b0:641:9fdf:db43 with SMTP id
 4fb4d7f45d1cf-6453962404bmr25196706a12.1.1764591868199;
        Mon, 01 Dec 2025 04:24:28 -0800 (PST)
Received: from amikhalitsyn.lan
 (p200300cf5749de007c66abd95f8bdeba.dip0.t-ipconnect.de.
 [2003:cf:5749:de00:7c66:abd9:5f8b:deba])
        by smtp.gmail.com with ESMTPSA id
 4fb4d7f45d1cf-64750a6ea36sm12307884a12.2.2025.12.01.04.24.27
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 01 Dec 2025 04:24:27 -0800 (PST)
From: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
To: kees@kernel.org
Cc: linux-kernel@vger.kernel.org,
	linux-kselftest@vger.kernel.org,
	bpf@vger.kernel.org,
	Andy Lutomirski <luto@amacapital.net>,
	Will Drewry <wad@chromium.org>,
	Jonathan Corbet <corbet@lwn.net>,
	Shuah Khan <shuah@kernel.org>,
	Tycho Andersen <tycho@tycho.pizza>,
	Andrei Vagin <avagin@gmail.com>,
	Christian Brauner <brauner@kernel.org>,
	=?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@stgraber.org>,
	Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Subject: [PATCH v1 6/6] tools/testing/selftests/seccomp: test nested listeners
Date: Mon,  1 Dec 2025 13:24:03 +0100
Message-ID: <20251201122406.105045-7-aleksandr.mikhalitsyn@canonical.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251201122406.105045-1-aleksandr.mikhalitsyn@canonical.com>
References: <20251201122406.105045-1-aleksandr.mikhalitsyn@canonical.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Add some basic tests for nested listeners.

Cc: linux-kernel@vger.kernel.org
Cc: linux-kselftest@vger.kernel.org
Cc: bpf@vger.kernel.org
Cc: Kees Cook <kees@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Tycho Andersen <tycho@tycho.pizza>
Cc: Andrei Vagin <avagin@gmail.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: St=C3=A9phane Graber <stgraber@stgraber.org>
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
---
 tools/testing/selftests/seccomp/seccomp_bpf.c | 162 ++++++++++++++++++
 1 file changed, 162 insertions(+)

diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/=
selftests/seccomp/seccomp_bpf.c
index fc4910d35342..0bf02d04fe15 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -293,6 +293,10 @@ struct seccomp_notif_addfd_big {
 #define SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV (1UL << 5)
 #endif
=20
+#ifndef SECCOMP_FILTER_FLAG_ALLOW_NESTED_LISTENERS
+#define SECCOMP_FILTER_FLAG_ALLOW_NESTED_LISTENERS (1UL << 6)
+#endif
+
 #ifndef seccomp
 int seccomp(unsigned int op, unsigned int flags, void *args)
 {
@@ -4408,6 +4412,164 @@ TEST(user_notification_sync)
 	ASSERT_EQ(status, 0);
 }
=20
+/* from kernel/seccomp.c */
+#define MAX_LISTENERS_PER_PATH 8
+
+TEST(user_notification_nested_limits)
+{
+	pid_t pid;
+	long ret;
+	int i, status, listeners[MAX_LISTENERS_PER_PATH];
+
+	struct sock_filter filter[] =3D {
+		BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
+	};
+	struct sock_fprog prog =3D {
+		.len =3D (unsigned short)ARRAY_SIZE(filter),
+		.filter =3D filter,
+	};
+
+	ret =3D prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+	ASSERT_EQ(0, ret) {
+		TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
+	}
+
+	/* Install 6 levels of listeners and allow nesting. */
+	for (i =3D 0; i < 6; i++) {
+		listeners[i] =3D user_notif_syscall(__NR_getppid,
+						  SECCOMP_FILTER_FLAG_NEW_LISTENER |
+						  SECCOMP_FILTER_FLAG_ALLOW_NESTED_LISTENERS);
+		ASSERT_GE(listeners[i], 0);
+
+		/* Add some no-op filters for grins. */
+		EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
+	}
+
+	/* Check behavior when nesting is not allowed. */
+	pid =3D fork();
+	ASSERT_GE(pid, 0);
+	if (pid =3D=3D 0) {
+		/* Install a next listener in the chain without nesting allowed. */
+		listeners[6] =3D user_notif_syscall(__NR_getppid,
+						 SECCOMP_FILTER_FLAG_NEW_LISTENER);
+		if (listeners[6] < 0)
+			exit(1);
+
+		/* Add some no-op filters for grins. */
+		ret =3D seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
+		if (ret !=3D 0)
+			exit(2);
+
+		ret =3D user_notif_syscall(__NR_getppid,
+					 SECCOMP_FILTER_FLAG_NEW_LISTENER);
+		/* Installing a next listener in the chain should result in EBUSY. */
+		exit((ret >=3D 0 || errno !=3D EBUSY) ? 3 : 0);
+	}
+
+	EXPECT_EQ(waitpid(pid, &status, 0), pid);
+	EXPECT_EQ(true, WIFEXITED(status));
+	EXPECT_EQ(0, WEXITSTATUS(status));
+
+	/* Install more filters with listeners to reach nesting levels limit. */
+	for (; i < MAX_LISTENERS_PER_PATH; i++) {
+		listeners[i] =3D user_notif_syscall(__NR_getppid,
+						  SECCOMP_FILTER_FLAG_NEW_LISTENER |
+						  SECCOMP_FILTER_FLAG_ALLOW_NESTED_LISTENERS);
+		ASSERT_GE(listeners[i], 0);
+
+		/* Add some no-op filters for grins. */
+		EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
+	}
+
+	/* Installing a next listener in the chain should result in ELOOP. */
+	EXPECT_EQ(user_notif_syscall(__NR_getppid,
+				     SECCOMP_FILTER_FLAG_NEW_LISTENER),
+		  -1);
+	EXPECT_EQ(errno, ELOOP);
+}
+
+TEST(user_notification_nested)
+{
+	pid_t pid;
+	long ret;
+	int i, status, listeners[6];
+	struct seccomp_notif req =3D {};
+	struct seccomp_notif_resp resp =3D {};
+
+	struct sock_filter filter[] =3D {
+		BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
+	};
+	struct sock_fprog prog =3D {
+		.len =3D (unsigned short)ARRAY_SIZE(filter),
+		.filter =3D filter,
+	};
+
+	ret =3D prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+	ASSERT_EQ(0, ret) {
+		TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
+	}
+
+	/* Install 6 levels of listeners and allow nesting. */
+	for (i =3D 0; i < 6; i++) {
+		listeners[i] =3D user_notif_syscall(__NR_getppid,
+						  SECCOMP_FILTER_FLAG_NEW_LISTENER |
+						  SECCOMP_FILTER_FLAG_ALLOW_NESTED_LISTENERS);
+		ASSERT_GE(listeners[i], 0);
+
+		/* Add some no-op filters for grins. */
+		EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
+	}
+
+	pid =3D fork();
+	ASSERT_GE(pid, 0);
+
+	if (pid =3D=3D 0) {
+		ret =3D syscall(__NR_getppid);
+		exit(ret !=3D (USER_NOTIF_MAGIC-3));
+	}
+
+	/*
+	 * We want to have the following picture:
+	 *
+	 * | Listener level (i) | Listener decision |
+	 * |--------------------|-------------------|
+	 * |	     0		|      WHATEVER     |
+	 * |	     1		|      WHATEVER     |
+	 * |	     2		|      WHATEVER     |
+	 * |	     3		|       RETURN      | <-- stop here
+	 * |	     4		|  CONTINUE SYSCALL |
+	 * |	     5		|  CONTINUE SYSCALL | <- start here (current->seccomp.filter)
+	 *
+	 * First listener who receives a notification is level 5, then 4,
+	 * then we expect to stop on level 3 and return from syscall with
+	 * (USER_NOTIF_MAGIC - 3) return value.
+	 */
+	for (i =3D 6 - 1; i >=3D 3; i--) {
+		memset(&req, 0, sizeof(req));
+		EXPECT_EQ(ioctl(listeners[i], SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
+		EXPECT_EQ(req.pid, pid);
+		EXPECT_EQ(req.data.nr,  __NR_getppid);
+
+		memset(&resp, 0, sizeof(resp));
+		resp.id =3D req.id;
+
+		if (i =3D=3D 5 || i =3D=3D 4) {
+			resp.flags =3D SECCOMP_USER_NOTIF_FLAG_CONTINUE;
+		} else {
+			resp.error =3D 0;
+			resp.val =3D USER_NOTIF_MAGIC - i;
+		}
+
+		EXPECT_EQ(ioctl(listeners[i], SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
+	}
+
+	EXPECT_EQ(waitpid(pid, &status, 0), pid);
+	EXPECT_EQ(true, WIFEXITED(status));
+	EXPECT_EQ(0, WEXITSTATUS(status));
+
+	for (i =3D 0; i < 6; i++)
+		close(listeners[i]);
+}
=20
 /* Make sure PTRACE_O_SUSPEND_SECCOMP requires CAP_SYS_ADMIN. */
 FIXTURE(O_SUSPEND_SECCOMP) {
--=20
2.43.0