On Mon, Sep 19, 2016 at 01:13:27PM -0700, Alexei Starovoitov wrote: > On Mon, Sep 19, 2016 at 09:19:10PM +0200, Pablo Neira Ayuso wrote: [...] > > 2) This will turn the stack into a nightmare to debug I predict. If > > any process with CAP_NET_ADMIN can potentially attach bpf blobs > > via these hooks, we will have to include in the network stack > > a process without CAP_NET_ADMIN can attach bpf blobs to > system calls via seccomp. bpf is already used for security and policing. That is a local mechanism, it applies to parent process and child processes, just like SO_ATTACH_FILTER. The usecase that we're discussing here enforces a global policy. -- To unsubscribe from this list: send the line "unsubscribe cgroups" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
