linux-api.vger.kernel.org archive mirror
From: Florian Weimer <fweimer@redhat.com>
To: Christian Brauner <brauner@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>, Huacai Chen <chenhuacai@gmail.com>,
	Huacai Chen <chenhuacai@loongson.cn>,
	Andy Lutomirski <luto@kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	Peter Zijlstra <peterz@infradead.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	David Airlie <airlied@linux.ie>, Jonathan Corbet <corbet@lwn.net>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	linux-arch <linux-arch@vger.kernel.org>,
	"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Xuefeng Li <lixuefeng@loongson.cn>,
	Yanteng Si <siyanteng@loongson.cn>, Guo Ren <guoren@kernel.org>,
	Xuerui Wang <kernel@xen0n.name>,
	Jiaxun Yang <jiaxun.yang@flygoat.com>,
	Linux API <linux-api@vger.kernel.org>
Subject: Re: [PATCH V9 13/24] LoongArch: Add system call support
Date: Wed, 11 May 2022 18:17:09 +0200
Message-ID: <87bkw4doxm.fsf@oldenburg.str.redhat.com>
In-Reply-To: <20220509100058.vmrgn5fkk3ayt63v@wittgenstein> (Christian Brauner's message of "Mon, 9 May 2022 12:00:58 +0200")

* Christian Brauner:

> Without an approach like this certain sandboxes will fall back to
> ENOSYSing system calls they can't filter. This is a generic problem
> though with clone3() being one prominent example.

Furthermore, for glibc (and I believe musl as well), the trick with
in-process emulation of clone3 using SIGSYS does not work here because
we must inhibit delivery of signals on the nascent thread, before it is
fully set up.  This means that we have to block signals around the
clone/clone3 system call, so that the new thread is created with all
signals blocked.  This means that instead of calling the SIGSYS handler,
the filtered system call simply terminates the process.

(I think there have been discussions of using out-of-process filtering,
but I don't know where we are with that.)

Thanks,
Florian
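
The failure mode described in the message above, reproduced as an added example (not part of the original e-mail and not glibc or musl code). It assumes a Linux host with seccomp filter support; `run_case`, `install_filter` and `on_sigsys` are hypothetical names, the filter is constructed for the demonstration, and the handler only records that it ran instead of emulating clone3.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifndef SYS_clone3
#define SYS_clone3 435 /* assumption: generic syscall number, for old headers */
#endif

static volatile sig_atomic_t emulated;
/* Stand-in for an in-process emulation handler: only records that it ran. */
static void on_sigsys(int sig) { (void)sig; emulated = 1; }
/* Constructed filter: trap clone3 (raise SIGSYS), allow everything else. */
static int install_filter(void) {
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_clone3, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof insns / sizeof insns[0], .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Returns 0 if the SIGSYS handler ran, the fatal signal number if the child
 * was killed, -1 on any other outcome. */
int run_case(int block_signals) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        sigset_t all;
        signal(SIGSYS, on_sigsys);
        if (install_filter()) _exit(2);
        sigfillset(&all);
        /* What a libc does around clone/clone3: block every signal first. */
        if (block_signals) sigprocmask(SIG_BLOCK, &all, NULL);
        syscall(SYS_clone3, NULL, 0); /* trapped by the filter, never executed */
        _exit(emulated ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void) { return !(run_case(0) == 0 && run_case(1) == SIGSYS); }
```

With signals unblocked the handler gets its chance to emulate the call; with them blocked the kernel resets SIGSYS to its default action and the child dies, which is what a sandbox operator would see as an unexplained SIGSYS termination at thread creation.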

