On Thu, Sep 24, 2020 at 02:45:45AM +0200, Jann Horn wrote:
> On Thu, Sep 24, 2020 at 1:29 AM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> > Provide seccomp internals with the details to calculate which syscall
> > table the running kernel is expecting to deal with. This allows for
> > efficient architecture pinning and paves the way for constant-action
> > bitmaps.
> [...]
> > diff --git a/arch/x86/include/asm/seccomp.h b/arch/x86/include/asm/seccomp.h
> [...]
> > +#ifdef CONFIG_X86_64
> [...]
> > +#else /* !CONFIG_X86_64 */
> > +# define SECCOMP_ARCH AUDIT_ARCH_I386
> > +#endif
>
> If we are on a 32-bit kernel, performing architecture number checks in
> the kernel is completely pointless, because we know that there is only
> a single architecture identifier under which syscalls can happen.
>
> While this patch is useful for enabling the bitmap logic in the
> following patches, I think it adds unnecessary overhead in the context
> of the previous patch.

That's what the RFC was trying to do (avoid the logic if there is only
a single arch known to the kernel). I will rework this a bit harder. :)

-- 
Kees Cook
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers