Hi, Kees:

On Fri, Nov 3, 2023 at 3:49 AM Kees Cook <kees@xxxxxxxxxx> wrote:
>
>
>
> On October 30, 2023 6:24:02 PM PDT, Hengqi Chen <hengqi.chen@xxxxxxxxx> wrote:
> >This adds minimal support for seccomp eBPF programs
> >which can be hooked into the existing seccomp framework.
> >This allows users to write seccomp filter in eBPF language
> >and enables seccomp filter reuse through bpf prog fd and
> >bpffs. Currently, no helper calls are allowed just like
> >its cBPF version.
>
> I think this is bypassing the seccomp bitmap generation pass, so this will break (at least) performance.
>

What if we did the same for eBPF, a bit harder though, does that address your concerns?

> I continue to prefer sticking to only cBPF for seccomp, so let's just use the seccomp syscall to generate the fds.
>

That's an alternative. But as Alexei said, there would be no more bpffs things.
AFAIK, we could only share the filter via UDS.

> -Kees
>
> --
> Kees Cook