From: Christian Brauner <christian.brauner@canonical.com>
To: Tycho Andersen <tycho@tycho.ws>
Cc: linux-kernel@vger.kernel.org,
	containers@lists.linux-foundation.org,
	Kees Cook <keescook@chromium.org>,
	Andy Lutomirski <luto@amacapital.net>,
	Oleg Nesterov <oleg@redhat.com>,
	"Eric W . Biederman" <ebiederm@xmission.com>,
	"Serge E . Hallyn" <serge@hallyn.com>,
	Christian Brauner <christian.brauner@ubuntu.com>,
	Tyler Hicks <tyhicks@canonical.com>,
	Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Subject: Re: [RFC 0/3] seccomp trap to userspace
Date: Thu, 15 Mar 2018 17:09:25 +0100
Message-ID: <20180315160924.GA12744@gmail.com>
In-Reply-To: <20180204104946.25559-1-tycho@tycho.ws>

On Sun, Feb 04, 2018 at 11:49:43AM +0100, Tycho Andersen wrote:
> Several months ago at Linux Plumber's, we had a discussion about adding a
> feature to seccomp which would allow seccomp to trigger a notification for some
> other process. Here's a draft of that feature.
> 
> Patch 1 contains the bulk of it, patches 2 & 3 offer an alternative way to
> acquire the fd that receives notifications via ptrace (the method in patch 1
> poses some problems). Other suggestions for how to acquire one of these fds
> would be welcome.
> 
> Take a close look at the synchronization. I think I've got it right, but I
> probably don't :)
> 
> Thanks!
> 
> Tycho Andersen (3):
>   seccomp: add a return code to trap to userspace
>   seccomp: hoist out filter resolving logic
>   seccomp: add a way to get a listener fd from ptrace
> 
>  arch/Kconfig                                  |   7 +
>  include/linux/seccomp.h                       |  14 +-
>  include/uapi/linux/ptrace.h                   |   1 +
>  include/uapi/linux/seccomp.h                  |  18 +-
>  kernel/ptrace.c                               |   4 +
>  kernel/seccomp.c                              | 467 ++++++++++++++++++++++++--
>  tools/testing/selftests/seccomp/seccomp_bpf.c | 180 +++++++++-
>  7 files changed, 653 insertions(+), 38 deletions(-)

Hey,

So, I've been following the discussion silently in the background and I
see that it got sidetracked into seccomp + ebpf. While I can see that
there is value in adding ebpf support to seccomp, I'd really like to see
this decoupled from this patchset. Afaict, this patchset would just work
fine without the ebpf portion (but I might just have missed the
point). So if possible I would like to see a second version of this with
the comments accounted for and - if possible - have this up for merging
independent of the ebpf patchset that's floating around.

Christian
