Hi, On Thu, May 12, 2011 at 09:48:50AM +0200, Ingo Molnar wrote: > 1) We already have a specific ABI for this: you can set filters for events via > an event fd. > > Why not extend that mechanism instead and improve *both* your sandboxing > bits and the events code? This new seccomp code has a lot more > to do with trace event filters than the minimal old seccomp code ... Would this require privileges to get the event fd to start with? If so, I would prefer to avoid that, since using prctl() as shown in the patch set won't require any privs. -Kees -- Kees Cook Ubuntu Security Team
