From: Alexander Mikhalitsyn
To: kees@kernel.org
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, Andy Lutomirski, Will Drewry, Jonathan Corbet, Shuah Khan, Aleksa Sarai, Tycho Andersen, Andrei Vagin, Christian Brauner, Stéphane Graber, Alexander Mikhalitsyn
Subject: [PATCH v3 4/7] seccomp: mark first listener in the tree
Date: Thu, 11 Dec 2025 13:46:08 +0100
Message-ID: <20251211124614.161900-5-aleksandr.mikhalitsyn@canonical.com>
In-Reply-To: <20251211124614.161900-1-aleksandr.mikhalitsyn@canonical.com>
References: <20251211124614.161900-1-aleksandr.mikhalitsyn@canonical.com>

Let's note if a listener was the first one installed in the seccomp
filters tree. We will need this information to retain old quirk
behavior (as before seccomp nesting was introduced).

Also, rename has_duplicate_listener() to check_duplicate_listener(),
because now this function is not read-only, but also modifies the state
of a new_child seccomp_filter.

No functional change intended at this point.

Cc: linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: Kees Cook
Cc: Andy Lutomirski
Cc: Will Drewry
Cc: Jonathan Corbet
Cc: Shuah Khan
Cc: Aleksa Sarai
Cc: Tycho Andersen
Cc: Andrei Vagin
Cc: Christian Brauner
Cc: Stéphane Graber
Signed-off-by: Alexander Mikhalitsyn
--- kernel/seccomp.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 89ae81f06743..1a139f9ef39b 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c
@@ -205,6 +205,7 @@ static inline void seccomp_cache_prepare(struct seccomp= _filter *sfilter) * @log: true if all actions except for SECCOMP_RET_ALLOW should be logged * @wait_killable_recv: Put notifying process in killable state once the * notification is received by the userspace listener. + * @first_listener: true if this is the first seccomp listener installed i= n the tree. * @prev: points to a previously installed, or inherited, filter * @prog: the BPF program to evaluate * @notif: the struct that holds all notification related information @@ -226,6 +227,7 @@ struct seccomp_filter { refcount_t users; bool log : 1; bool wait_killable_recv : 1; + bool first_listener : 1; struct action_cache cache; struct seccomp_filter *prev; struct bpf_prog *prog; @@ -1939,7 +1941,7 @@ static struct file *init_listener(struct seccomp_filt= er *filter) * Note that @new_child is not hooked up to its parent at this point yet, = so * we use current->seccomp.filter. */ -static bool has_duplicate_listener(struct seccomp_filter *new_child) +static bool check_duplicate_listener(struct seccomp_filter *new_child) { struct seccomp_filter *cur; =20 @@ -1953,6 +1955,8 @@ static bool has_duplicate_listener(struct seccomp_fil= ter *new_child) return true; } =20 + /* Mark first listener in the tree. */ + new_child->first_listener =3D true; return false; } =20 @@ -2035,7 +2039,7 @@ static long seccomp_set_mode_filter(unsigned int flag= s, if (!seccomp_may_assign_mode(seccomp_mode)) goto out; =20 - if (has_duplicate_listener(prepared)) { + if (check_duplicate_listener(prepared)) { ret =3D -EBUSY; goto out; } --=20 2.43.0
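
Review bot: the new @first_listener kernel-doc line in the first hunk (@@ -205) says only that the flag is "true if this is the first seccomp listener installed in the tree" and does not say who sets it or when. The flag is written in check_duplicate_listener() before the filter is hooked up to its parent, and nothing in this patch clears it, so the comment could state that it is set once at install time and is not recomputed afterwards. That matters for anyone reading the later patches that depend on it for the quirk behavior.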
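
Review bot: in the @@ -1939 hunk the new name check_duplicate_listener() still reads as a pure predicate, while the function now writes new_child->first_listener. The comment block above it ("Note that @new_child is not hooked up to its parent at this point yet ...") should gain a sentence documenting that side effect on the false return. Alternatively, keep the helper read-only and set the flag in seccomp_set_mode_filter() right after the -EBUSY check, which makes the state change visible at the call site.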
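
Review bot: in the @@ -1953 hunk, new_child->first_listener = true sits on the final "return false" path, which is reached whenever the loop finds no existing listener. The caller still rejects a second listener with -EBUSY, so every listener that gets installed is marked as first and the flag carries no information until a later patch relaxes the duplicate check; the "No functional change intended" line in the commit message could say that explicitly. Please also confirm that any earlier "return false" for a filter without a listener (not visible in this hunk's context) comes before this assignment, so that plain filters are never marked.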