CHROMIUM: seccomp_filter: remove "skip" from copy and add drop helper
authorWill Drewry <wad@chromium.org>
Fri, 19 Aug 2011 20:10:08 +0000 (15:10 -0500)
committerLeann Ogasawara <leann.ogasawara@canonical.com>
Mon, 2 Apr 2012 20:13:24 +0000 (13:13 -0700)
seccomp_filters_copy() had a skip argument because it used to use a
preallocated array of filters.  Using skip made it easier to drop entries
without reorganizing them prior to copy.  The new use of btrees gets rid of
this complexity and allows a drop to be done relatively painlessly just after
the copy (when needed).

Signed-off-by: Will Drewry <wad@chromium.org>

BUG=chromium-os:14496
TEST=see dep cl

Change-Id: I0dc19998eb1b0463125e7f53f2f1e441246a0d90
Reviewed-on: http://gerrit.chromium.org/gerrit/6326
Reviewed-by: Sonny Rao <sonnyrao@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>

kernel/seccomp_filter.c

index cfb90ab..00a081e 100644 (file)
@@ -371,6 +371,12 @@ fail:
        return ERR_PTR(err);
 }
 
+static void seccomp_filters_drop(struct seccomp_filters *filters, int nr)
+{
+       struct event_filter *filter = btree_remove32(&filters->tree, nr);
+       free_event_filter(filter);
+}
+
 /**
  * seccomp_filters_copy - copies filters from src to dst.
  *
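Review bot: In `seccomp_filters_drop`, the result of `btree_remove32()` goes to `free_event_filter()` unchecked. It can be NULL when `nr` has no entry, and since the copy loop tests tree entries with `IS_ALLOW_FILTER(ef)`, it may also be the `ALLOW_FILTER` sentinel rather than an allocated filter. Unless `free_event_filter()` (not visible in this diff) already tolerates both values, guard the call: `if (filter && !IS_ALLOW_FILTER(filter)) free_event_filter(filter);`. The helper also has no comment; a one-line `/* Remove and release the filter for syscall @nr, if any. */` would state the contract.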
@@ -384,8 +390,7 @@ fail:
  * If @skip is < 0, it is ignored.
  */
 static int seccomp_filters_copy(struct seccomp_filters *dst,
-                               struct seccomp_filters *src,
-                               int skip)
+                               struct seccomp_filters *src)
 {
        int ret = 0, nr;
        struct event_filter *ef;
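Review bot: The kernel-doc above `seccomp_filters_copy` still ends with `If @skip is < 0, it is ignored.`, but this hunk removes the `skip` parameter, so the comment now describes an argument that no longer exists. Delete that sentence, along with any `@skip:` entry in the part of the comment that starts above the hunk. The comment could instead say that every entry of `@src` is copied and that callers wanting to omit one should call `seccomp_filters_drop()` afterwards. The function body continues outside the hunk.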
@@ -393,8 +398,6 @@ static int seccomp_filters_copy(struct seccomp_filters *dst,
 
        btree_for_each_safe32(&src->tree, nr, ef) {
                struct event_filter *filter = ALLOW_FILTER;
-               if (nr == skip)
-                       continue;
                if (!IS_ALLOW_FILTER(ef)) {
                        filter = alloc_event_filter(nr, get_filter_string(ef));
                        if (IS_ERR(filter)) {
@@ -790,9 +793,10 @@ long seccomp_clear_filter(int syscall_nr)
        }
 
        /* Copy, but drop the requested entry. */
-       ret = seccomp_filters_copy(filters, orig_filters, syscall_nr);
+       ret = seccomp_filters_copy(filters, orig_filters);
        if (ret)
                goto out;
+       seccomp_filters_drop(filters, syscall_nr);
        get_seccomp_filters(filters);  /* simplify the out: path */
 
        current->seccomp.filters = filters;
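Review bot: In `seccomp_clear_filter`, `seccomp_filters_copy()` now also duplicates the entry for `syscall_nr`, so a failed allocation of the filter that is about to be dropped makes the whole clear fail at `if (ret) goto out;`. The old code skipped that entry and never allocated it. The `out:` path is outside this hunk, but if a failed clear leaves the task on its previous filter set, a request to remove a filter can now fail under memory pressure where it could not before; this deserves a comment at the call. The existing comment would also read more accurately as `/* Copy everything, then drop the requested entry. */`.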
@@ -859,7 +863,7 @@ long seccomp_set_filter(int syscall_nr, char *filter)
 
        filters_set_compat(filters);
        if (orig_filters) {
-               ret = seccomp_filters_copy(filters, orig_filters, -1);
+               ret = seccomp_filters_copy(filters, orig_filters);
                if (ret)
                        goto out;
        }