On Tue, Jul 30, 2019 at 10:49 AM Baojun Wang <wangbj@xxxxxxxxx> wrote:
> > This patch adds a new flag *SECCOMP_FILTER_FLAG_CLOEXEC*
> > (CLOEXEC, 1 << 4ul) to seccomp syscall. When the flag is set, filter

One problem here is that you're removing all filters installed after the CLOEXEC one, too. That's no good. I suppose you could prevent loading of non-CLOEXEC filters if any are CLOEXEC.

The naming of CLOEXEC is no good, too.

But you haven't really justified this very well. What are you doing that involves filtering on PC, and how is it secure at all?