On Mon, May 18, 2020 at 02:04:57PM -0700, Kees Cook wrote:
> Hi!
>
> This is my attempt at a brain-dump on my plans for nearish-term seccomp
> features. Welcome to my TED talk... ;)
>
> These are the things I've been thinking about:
>
> - fd passing
> - deep argument inspection
> - changing structure sizes
> - syscall bitmasks
>

What's your take on enabling multiple filters with listeners being attached, so that different seccomp interceptors can operate together? I'm wondering how this would work.

One idea that I had is adding a new flag to the seccomp filter installation -- something like NEXT_FILTER_COMPATIBLE. When a filter is installed with a listener, it will check if all previous filters were installed with NEXT_FILTER_COMPATIBLE. If the call is intercepted by a listener, and the return is overridden, then it short-circuits, and the subsequent filters are not evaluated. On the other hand, if the continue response is sent, then the subsequent filters are called.

What do you think?
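The following is an added userspace model of the installation and evaluation rules sketched in the reply above; it is not code from the thread or from the kernel. NEXT_FILTER_COMPATIBLE is the proposed (assumed, non-existent) flag, its value is arbitrary, filters and listeners are plain C functions standing in for BPF programs and userspace supervisors, and the chain is walked in array order, which simplifies the kernel's real filter ordering. It shows the two behaviours the proposal describes: a listener that replies "continue" hands the syscall to the next filter, a listener that overrides the return value stops evaluation, and a listener-bearing filter cannot be stacked on top of a filter installed without the flag.

```c
/* Model of the NEXT_FILTER_COMPATIBLE proposal. Assumed: the flag, its value
 * and the semantics are the reply's proposal, not a real kernel interface. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NEXT_FILTER_COMPATIBLE 0x1u   /* assumed flag value */
#define MAX_FILTERS 8
#define NR_OPENAT 257                 /* x86_64 openat(2), used as sample input */

enum action { ACT_ALLOW, ACT_USER_NOTIF };

/* Reply from a listener: either let evaluation continue, or override the
 * syscall result (modelled after a user-notification response). */
struct notif_reply { bool override; long value; };

struct filter {
    unsigned flags;
    enum action (*classify)(int nr);          /* stands in for the BPF program */
    struct notif_reply (*listener)(int nr);   /* NULL when no listener is attached */
};

struct chain { struct filter f[MAX_FILTERS]; size_t n; };

/* Installation rule from the proposal: a filter with a listener may only be
 * added when every previously installed filter carries the flag. */
int install_filter(struct chain *c, struct filter nf)
{
    if (c->n >= MAX_FILTERS) return -ENOMEM;
    if (nf.listener) {
        for (size_t i = 0; i < c->n; i++)
            if (!(c->f[i].flags & NEXT_FILTER_COMPATIBLE)) return -EINVAL;
    }
    c->f[c->n++] = nf;
    return 0;
}

/* Evaluation rule: an overriding listener short-circuits, a continuing one
 * hands the syscall to the next filter. Returns the overridden value, or 0
 * if the syscall should run normally. *consulted counts the filters run. */
long evaluate(const struct chain *c, int nr, size_t *consulted)
{
    *consulted = 0;
    for (size_t i = 0; i < c->n; i++) {
        (*consulted)++;
        if (c->f[i].classify(nr) != ACT_USER_NOTIF || !c->f[i].listener) continue;
        struct notif_reply r = c->f[i].listener(nr);
        if (r.override) return r.value;   /* later filters are not evaluated */
    }
    return 0;
}

/* Constructed sample interceptors. */
static enum action notify_openat(int nr) { return nr == NR_OPENAT ? ACT_USER_NOTIF : ACT_ALLOW; }
static struct notif_reply audit_listener(int nr) { (void)nr; return (struct notif_reply){ false, 0 }; }
static struct notif_reply deny_listener(int nr) { (void)nr; return (struct notif_reply){ true, -EPERM }; }

static const struct filter auditor  = { NEXT_FILTER_COMPATIBLE, notify_openat, audit_listener };
static const struct filter enforcer = { NEXT_FILTER_COMPATIBLE, notify_openat, deny_listener };
static const struct filter legacy   = { 0, notify_openat, NULL };   /* installed without the flag */

/* Auditor first: it continues, so the enforcer is still consulted. */
long scenario_audit_then_enforce(size_t *consulted)
{
    struct chain c = { .n = 0 };
    install_filter(&c, auditor);
    install_filter(&c, enforcer);
    return evaluate(&c, NR_OPENAT, consulted);
}

/* Enforcer first: it overrides, so the auditor never sees the call. */
long scenario_enforce_then_audit(size_t *consulted)
{
    struct chain c = { .n = 0 };
    install_filter(&c, enforcer);
    install_filter(&c, auditor);
    return evaluate(&c, NR_OPENAT, consulted);
}

/* A listener-bearing filter behind a flag-less filter is refused. */
int scenario_install_behind_legacy(void)
{
    struct chain c = { .n = 0 };
    install_filter(&c, legacy);
    return install_filter(&c, enforcer);
}

int main(void)
{
    size_t n;
    long r = scenario_audit_then_enforce(&n);
    printf("audit->enforce: ret=%ld, filters consulted=%zu\n", r, n);
    r = scenario_enforce_then_audit(&n);
    printf("enforce->audit: ret=%ld, filters consulted=%zu\n", r, n);
    printf("install behind legacy filter: %d\n", scenario_install_behind_legacy());
    return 0;
}
```

The ordering matters for the design question in the reply: a purely observing interceptor placed before an enforcing one sees every call, while the reverse order hides overridden calls from the observer, which is exactly why the proposal ties the new flag to installation order.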