Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: Will Drewry <wad@xxxxxxxxxxxx>
Subject: Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
From: Arnd Bergmann <arnd@xxxxxxxx>
Date: Sun, 15 May 2011 08:42:07 +0200
Cc: linux-arm-kernel@xxxxxxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, linux-mips@xxxxxxxxxxxxxx, linux-sh@xxxxxxxxxxxxxxx, Peter Zijlstra <peterz@xxxxxxxxxxxxx>, Frederic Weisbecker <fweisbec@xxxxxxxxx>, Heiko Carstens <heiko.carstens@xxxxxxxxxx>, David Howells <dhowells@xxxxxxxxxx>, Paul Mackerras <paulus@xxxxxxxxx>, Eric Paris <eparis@xxxxxxxxxx>, "H. Peter Anvin" <hpa@xxxxxxxxx>, sparclinux@xxxxxxxxxxxxxxx, Jiri Slaby <jslaby@xxxxxxx>, linux-s390@xxxxxxxxxxxxxxx, Russell King <linux@xxxxxxxxxxxxxxxx>, x86@xxxxxxxxxx, jmorris@xxxxxxxxx, Ingo Molnar <mingo@xxxxxxxxxx>, Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>, Ingo Molnar <mingo@xxxxxxx>, "Serge E. Hallyn" <serge@xxxxxxxxxx>, Peter Zijlstra <a.p.zijlstra@xxxxxxxxx>, microblaze-uclinux@xxxxxxxxxxxxxx, Steven Rostedt <rostedt@xxxxxxxxxxx>, Martin Schwidefsky <schwidefsky@xxxxxxxxxx>, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, kees.cook@xxxxxxxxxxxxx, Roland McGrath <roland@xxxxxxxxxx>, Michal Marek <mmarek@xxxxxxx>, Michal Simek <monstr@xxxxxxxxx>, linuxppc-dev@xxxxxxxxxxxxxxxx, Oleg Nesterov <oleg@xxxxxxxxxx>, Ralf Baechle <ralf@xxxxxxxxxxxxxx>, Paul Mundt <lethal@xxxxxxxxxxxx>, Tejun Heo <tj@xxxxxxxxxx>, linux390@xxxxxxxxxx, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>, agl@xxxxxxxxxxxx, "David S. Miller" <davem@xxxxxxxxxxxxx>
In-reply-to: <BANLkTinukLesDoXzXKdtdRwgHtJkthXK0A@xxxxxxxxxxxxxx>
User-agent: KMail/1.12.2 (Linux/2.6.37; KDE/4.3.2; x86_64; ; )

On Saturday 14 May 2011, Will Drewry wrote:
> Depending on integration, it could even be limited to ioctl commands
> that are appropriate to a known fd if the fd is opened prior to
> entering seccomp mode 2. Alternatively, __NR__ioctl could be allowed
> with a filter of "1" then narrowed through a later addition of
> something like "(fd == %u && (cmd == %u || cmd == %u))" or something
> along those lines.
> 
> Does that make sense?

Thanks for the explanation. This sounds like it's already doing all
we need.

	Arnd

Follow-Ups:
- Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
  - From: Ingo Molnar

References:
- Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
  - From: Arnd Bergmann
- Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
  - From: Will Drewry

Prev by Date: reference to non-existent CONFIG_HAVE_GPIO_LIB variable?
Next by Date: Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
Previous by thread: Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
Next by thread: Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
Index(es):
- Date
- Thread

[Index of Archives] [Linux MIPS Home] [LKML Archive] [Linux ARM Kernel] [Linux ARM] [Linux] [Git] [Yosemite News] [Linux SCSI] [Linux Hams]