On Thu, May 9, 2019 at 4:30 PM Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> wrote:
> I'm not sure how that can work. seccomp's prctl accepts a list of insns.
> There is no handle.
> kernel can keep a hashtable of all progs ever loaded and do a search
> in it before loading another one, but that's an ugly hack.
> Another alternative is to attach seccomp prog to parent task
> instead of N children.

seccomp's filter is already shared by all the children of whatever
process got the filter attached.

--
Kees Cook
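Added example, not part of this email or of the kernel tree: a small C program showing both points in the exchange, that `prctl(PR_SET_SECCOMP, ...)` is handed an instruction array with no handle returned, and that a filter attached once in a parent is enforced in a child forked afterwards. It assumes Linux with seccomp filter support; `child_inherits_filter` is a hypothetical name and `getppid` is used only as a harmless probe syscall.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* Classic-BPF program: getppid() fails with EPERM, everything else is allowed.
 * Demo only: a production filter must also validate seccomp_data.arch. */
static struct sock_filter insns[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Returns 1 if a filter attached once in a parent is enforced in a child that
 * never calls prctl(), 0 if it is not, -1 on setup failure. The work happens
 * in a scratch process so the caller itself stays unfiltered. */
int child_inherits_filter(void)
{
    int status;
    pid_t scratch = fork();
    if (scratch < 0) return -1;
    if (scratch == 0) {
        struct sock_fprog prog = { .len = sizeof(insns) / sizeof(insns[0]),
                                   .filter = insns };
        /* The kernel is handed the instruction array itself; the call
         * returns no handle that a later attach could refer to. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
            _exit(2);
        pid_t child = fork();
        if (child < 0) _exit(2);
        if (child == 0)   /* exit 0 only if the inherited filter blocks getppid() */
            _exit(syscall(__NR_getppid) == -1 && errno == EPERM ? 0 : 1);
        if (waitpid(child, &status, 0) < 0 || !WIFEXITED(status)) _exit(2);
        _exit(WEXITSTATUS(status));
    }
    if (waitpid(scratch, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) > 1) return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void) { return child_inherits_filter() == 1 ? 0 : 1; }
```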