Hi,
On Tue, Nov 14, 2017 at 07:00:19PM -0700, Tycho Andersen wrote:
> With the new SECCOMP_FILTER_FLAG_LOG, we need to be able to extract these
> flags for checkpoint restore, since they describe the state of a filter.
>
> So, let's add PTRACE_SECCOMP_GET_METADATA, similar to ..._GET_FILTER, which
> returns the metadata of the nth filter (right now, just the flags).
> Hopefully this will be future proof, and new per-filter metadata can be
> added to this struct.
>
> v3: * use GET_METADATA instead of GET_FLAGS
> v4: * resend
>
> Signed-off-by: Tycho Andersen <tycho@xxxxxxxx>
> CC: Kees Cook <keescook@xxxxxxxxxxxx>
> CC: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
> CC: Oleg Nesterov <oleg@xxxxxxxxxx>
[...]
> diff --git a/include/uapi/linux/ptrace.h b/include/uapi/linux/ptrace.h
> index e3939e00980b..e46d82b91166 100644
> --- a/include/uapi/linux/ptrace.h
> +++ b/include/uapi/linux/ptrace.h
> @@ -66,6 +66,12 @@ struct ptrace_peeksiginfo_args {
> #define PTRACE_SETSIGMASK 0x420b
>
> #define PTRACE_SECCOMP_GET_FILTER 0x420c
> +#define PTRACE_SECCOMP_GET_METADATA 0x420d
> +
> +struct seccomp_metadata {
> + unsigned long filter_off; /* Input: which filter */
> + unsigned int flags; /* Output: filter's flags */
> +};
This "unsigned long" field is unacceptable unless you are willing
to implement a compat layer for this arch-dependent type.
Please use an arch-independent type instead.
See e.g. struct ptrace_peeksiginfo_args or struct struct seccomp_data.
--
ldv
Attachment:
signature.asc
Description: PGP signature
