On Fri, Nov 3, 2023 at 1:46 PM Hengqi Chen <hengqi.chen@xxxxxxxxx> wrote:
>
> Hi, Kees:
>
> On Fri, Nov 3, 2023 at 3:49 AM Kees Cook <kees@xxxxxxxxxx> wrote:
> >
> > On October 30, 2023 6:24:02 PM PDT, Hengqi Chen <hengqi.chen@xxxxxxxxx> wrote:
> > > This adds minimal support for seccomp eBPF programs
> > > which can be hooked into the existing seccomp framework.
> > > This allows users to write seccomp filter in eBPF language
> > > and enables seccomp filter reuse through bpf prog fd and
> > > bpffs. Currently, no helper calls are allowed just like
> > > its cBPF version.
> >
> > I think this is bypassing the seccomp bitmap generation pass, so this will break (at least) performance.
> >
>
> What if we did the same for eBPF, a bit harder though, does that
> address your concerns?
>
> > I continue to prefer sticking to only cBPF for seccomp, so let's just use the seccomp syscall to generate the fds.
> >
>
> That's an alternative. But as Alexei said, there would be no more bpffs things.
> AFAIK, we could only share the filter via UDS.
> Just took a deeper look: there are too many registers/instructions/states in eBPF, sticking to cBPF would be easier for now.
>
> > -Kees
> >
> > --
> > Kees Cook
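The thread contrasts eBPF seccomp programs with classic-BPF filters and the "bitmap generation pass" that only the cBPF path feeds. As an added illustration (not code from the thread or from the kernel), the following C program builds a cBPF seccomp filter with the uapi BPF_STMT/BPF_JUMP macros, runs it through a small user-space evaluator so verdicts can be checked without installing anything, and applies a user-space model of the kernel's constant-verdict idea: a syscall number whose ALLOW verdict is reached by looking only at `nr` and `arch` can be cached in a per-syscall bitmap, while one that loads an argument cannot. The policy, the evaluator, the `is_const_allow` check and the helper names are all constructed for this example; it assumes Linux on x86_64 or aarch64 and uses the system's own `__NR_*` and `AUDIT_ARCH_*` values.

```c
/* Added example (not from the thread): cBPF seccomp filter, user-space
 * evaluator, and a "constant allow" check modelled on the per-syscall
 * bitmap idea. Assumes Linux on x86_64 or aarch64 (little-endian, so the
 * low 32 bits of args[2] sit at offsetof(struct seccomp_data, args[2])). */
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "example written for x86_64 / aarch64"
#endif

#define DENY_ERRNO(e) (SECCOMP_RET_ERRNO | ((e) & SECCOMP_RET_DATA))

/* Constructed policy: allow read/write/exit_group unconditionally, allow
 * openat only when flags request read-only, refuse everything else with
 * EPERM. Jump offsets are relative to the next instruction. */
static struct sock_filter filter_insns[] = {
    /*  0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    /*  1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),          /* wrong arch -> 2 */
    /*  2 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /*  3 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /*  4 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 6, 0),        /* -> 11 ALLOW */
    /*  5 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 5, 0),       /* -> 11 ALLOW */
    /*  6 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 4, 0),  /* -> 11 ALLOW */
    /*  7 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 4),      /* else -> 12 */
    /*  8 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
    /*  9 */ BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, O_WRONLY | O_RDWR, 0, 1), /* write mode -> 10 */
    /* 10 */ BPF_STMT(BPF_RET | BPF_K, DENY_ERRNO(EACCES)),
    /* 11 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* 12 */ BPF_STMT(BPF_RET | BPF_K, DENY_ERRNO(EPERM)),
};
#define FILTER_LEN (sizeof filter_insns / sizeof filter_insns[0])

static uint32_t load_word(const struct seccomp_data *sd, uint32_t off) {
    uint32_t w;
    memcpy(&w, (const unsigned char *)sd + off, sizeof w);
    return w;
}

/* Interpret the subset of cBPF used above; returns a SECCOMP_RET_* word.
 * Anything not modelled (or out-of-bounds) is treated as a kill. */
uint32_t run_filter(const struct sock_filter *f, size_t n, const struct seccomp_data *sd) {
    uint32_t A = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *i = &f[pc];
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (i->k + 4 > sizeof *sd) return SECCOMP_RET_KILL_PROCESS;
            A = load_word(sd, i->k);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:  pc += (A == i->k) ? i->jt : i->jf; break;
        case BPF_JMP | BPF_JSET | BPF_K: pc += (A & i->k) ? i->jt : i->jf; break;
        case BPF_RET | BPF_K:            return i->k;
        default:                         return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;  /* falling off the end is rejected by the kernel */
}

/* 1 if the verdict for (arch, nr) is ALLOW using only nr/arch loads; any load
 * of another field (e.g. an argument) makes the verdict non-constant -> 0. */
int is_const_allow(const struct sock_filter *f, size_t n, uint32_t arch, int nr) {
    uint32_t A = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *i = &f[pc];
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (i->k == offsetof(struct seccomp_data, nr))        A = (uint32_t)nr;
            else if (i->k == offsetof(struct seccomp_data, arch)) A = arch;
            else return 0;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:  pc += (A == i->k) ? i->jt : i->jf; break;
        case BPF_JMP | BPF_JSET | BPF_K: pc += (A & i->k) ? i->jt : i->jf; break;
        case BPF_RET | BPF_K:            return i->k == SECCOMP_RET_ALLOW;
        default:                         return 0;
        }
    }
    return 0;
}

/* Evaluate the policy for one constructed syscall (open_flags lands in args[2]). */
uint32_t verdict_for(uint32_t arch, int nr, uint64_t open_flags) {
    struct seccomp_data sd;
    memset(&sd, 0, sizeof sd);
    sd.nr = nr;
    sd.arch = arch;
    sd.args[2] = open_flags;
    return run_filter(filter_insns, FILTER_LEN, &sd);
}

/* Install the filter for the calling thread (no_new_privs is required). */
int install_filter(void) {
    struct sock_fprog prog = { .len = (unsigned short)FILTER_LEN, .filter = filter_insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void) {
    int cacheable = 0;
    for (int nr = 0; nr < 512; nr++)
        cacheable += is_const_allow(filter_insns, FILTER_LEN, ARCH_NR, nr);
    printf("syscalls with an argument-independent ALLOW verdict: %d\n", cacheable);
    fflush(stdout);
    if (install_filter() != 0) { perror("seccomp"); return 1; }
    /* From here on only the allow-listed syscalls succeed. */
    static const char msg[] = "filter installed\n";
    write(1, msg, sizeof msg - 1);
    return 0;  /* exit_group is allowed */
}
```

`read`, `write` and `exit_group` reach `ALLOW` after loading only `nr` and `arch`, so `is_const_allow` reports them as cacheable; `openat` reads `args[2]` before deciding, so its verdict has to be re-evaluated on every call even though some of its invocations are allowed. That is the property an eBPF program, with its much larger instruction and state space, makes hard to recover statically.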