On Thu, Nov 2, 2023 at 12:49 PM Kees Cook <kees@xxxxxxxxxx> wrote: > > > > On October 30, 2023 6:24:02 PM PDT, Hengqi Chen <hengqi.chen@xxxxxxxxx> wrote: > >This adds minimal support for seccomp eBPF programs > >which can be hooked into the existing seccomp framework. > >This allows users to write seccomp filter in eBPF language > >and enables seccomp filter reuse through bpf prog fd and > >bpffs. Currently, no helper calls are allowed just like > >its cBPF version. > > I think this is bypassing the seccomp bitmap generation pass, so this will break (at least) performance. > > I continue to prefer sticking to only cBPF for seccomp, so let's just use the seccomp syscall to generate the fds. That's fine, but let's not mix old things with bpffs, bpftool, etc. If you want an anon_fd then go ahead and allocate it standalone. It shouldn't be confused with eBPF fd-s. No bpffs treatment and no bpftool visibility.
