On 07/10, Kees Cook wrote: > > This adds the ability for threads to request seccomp filter > synchronization across their thread group (at filter attach time). > For example, for Chrome to make sure graphic driver threads are fully > confined after seccomp filters have been attached. > > To support this, locking on seccomp changes via thread-group-shared > sighand lock is introduced, along with refactoring of no_new_privs. Races > with thread creation are handled via delayed duplication of the seccomp > task struct field and cred_guard_mutex. > > This includes a new syscall (instead of adding a new prctl option), > as suggested by Andy Lutomirski and Michael Kerrisk. I do not not see any problems in this version, Reviewed-by: Oleg Nesterov <oleg@xxxxxxxxxx> -- To unsubscribe from this list: send the line "unsubscribe linux-arch" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html