On November 2, 2023 12:53:56 PM PDT, Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> wrote:
>On Thu, Nov 2, 2023 at 12:49 PM Kees Cook <kees@xxxxxxxxxx> wrote:
>>
>> On October 30, 2023 6:24:02 PM PDT, Hengqi Chen <hengqi.chen@xxxxxxxxx> wrote:
>> >This adds minimal support for seccomp eBPF programs
>> >which can be hooked into the existing seccomp framework.
>> >This allows users to write seccomp filter in eBPF language
>> >and enables seccomp filter reuse through bpf prog fd and
>> >bpffs. Currently, no helper calls are allowed just like
>> >its cBPF version.
>>
>> I think this is bypassing the seccomp bitmap generation pass, so this will break (at least) performance.
>>
>> I continue to prefer sticking to only cBPF for seccomp, so let's just use the seccomp syscall to generate the fds.
>
>That's fine, but let's not mix old things with bpffs, bpftool, etc.
>If you want an anon_fd then go ahead and allocate it standalone.
>It shouldn't be confused with eBPF fd-s.
>No bpffs treatment and no bpftool visibility.

Agreed. Let's just emit an anon_fd from the seccomp syscall.

-- 
Kees Cook
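As an added example (not code from the patch under discussion), the kind of cBPF seccomp filter Kees argues for keeping: every verdict depends on arch and nr alone, which is the property the seccomp bitmap pass can precompute per syscall, and a small evaluator checks the verdicts in userspace before seccomp(2) installs the program. It assumes x86-64 syscall numbers, and the evaluator models only the three instruction forms this filter uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Allow read/write/exit_group on x86-64 (assumed), kill everything else.
 * No instruction looks at arguments, so each syscall's result is constant. */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
};
#define FILTER_LEN (sizeof(filter) / sizeof(filter[0]))

/* Userspace evaluator for the forms above: absolute word load of nr/arch,
 * JEQ-immediate, constant return. Returns the SECCOMP_RET_* verdict. */
uint32_t verdict(uint32_t arch, int nr)
{
    uint32_t acc = 0;                      /* the cBPF accumulator */
    for (size_t pc = 0; pc < FILTER_LEN; pc++) {
        const struct sock_filter *in = &filter[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS))  /* only nr/arch loads occur */
            acc = in->k == offsetof(struct seccomp_data, nr) ? (uint32_t)nr : arch;
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += acc == in->k ? in->jt : in->jf; /* jt/jf count from pc+1 */
        else if (in->code == (BPF_RET | BPF_K))
            return in->k;
        else
            return SECCOMP_RET_KILL_PROCESS;   /* form this evaluator does not model */
    }
    return SECCOMP_RET_KILL_PROCESS;           /* ran off the end: deny */
}

int main(void)
{
    struct sock_fprog prog = { .len = FILTER_LEN, .filter = filter };
    /* seccomp(2) install path; NO_NEW_PRIVS must be set first for unprivileged use */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return 1;
    return syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog) ? 1 : 0;
}
```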