On Fri, Oct 2, 2015 at 3:57 PM, Daniel Borkmann <daniel@xxxxxxxxxxxxx> wrote: > On 10/03/2015 12:44 AM, Tycho Andersen wrote: >> >> On Fri, Oct 02, 2015 at 02:10:24PM -0700, Kees Cook wrote: > > ... >> >> Ok, how about, >> >> struct sock_filter insns[BPF_MAXINSNS]; >> insn_cnt = ptrace(PTRACE_SECCOMP_GET_FILTER, pid, insns, i); > > > Would also be good that when the storage buffer (insns) is NULL, > it just returns you the number of sock_filter insns (or 0 when > nothing attached). > > That would be consistent with classic socket filters (see > sk_get_filter()), and user space could allocate a specific > size instead of always passing in max insns. Yes please. :) >> when asking for the ith filter? It returns either the number of >> instructions, -EINVAL if something was wrong (i, pid, >> CONFIG_CHECKPOINT_RESTORE isn't enabled). While it would always >> succeed now, if/when the underlying filter was not created from a bpf >> classic filter, we can return -EMEDIUMTYPE? (Suggestions welcome, I >> picked this mostly based on what sounds nice.) We can bikeshed the non-classic case when we need it, but I think EINVAL is "not under seccomp", and ENOENT is "no such index". -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
