Ingo Molnar <mingo@xxxxxxxxxx> writes: > * Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: > >> The trouble with attributes is that means you can't filter your system >> call arguments with seccomp. [...] > > There's nothing keeping seccomp from securely fetching those arguments and > extending filtering to them as well ... > > Allowing that would make sense for a lot of other system calls as > well. Possibly. The challenge is that if the fetch for the kernel to use those arguments is different from the fetch of seccomp to test those arguments you have a time of test vs time of use race. Given the location of the seccomp hook at the kernel user space border there is no easy way for seccomp to share the fetch with the system call itself. So I don't see how seccomp could perform the fetch securely. Eric