public inbox for linux-kernel@vger.kernel.org
From: Andi Kleen <andi@firstfloor.org>
To: David Thomas <davidleothomas@gmail.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: Magic Security Dust: Appropriating SECCOMP
Date: Wed, 24 Jun 2009 09:22:38 +0200
Message-ID: <874ou6kse9.fsf@basil.nowhere.org>
In-Reply-To: <3a8893170906232205x18417861v446a2905a4ccf21@mail.gmail.com> (David Thomas's message of "Wed, 24 Jun 2009 01:05:30 -0400")

David Thomas <davidleothomas@gmail.com> writes:

Normally it's better if you post example patches, even
if they're unclean. 

> Moving the checks from the audit/trace code out to the
> individual syscalls means that each syscall we're doing one

Not sure that's a good idea. It would be a lot of code churn
all over the tree and risk not covering some new syscalls.

What I would do if I wanted a more flexible seccomp is to have a
"one bit for each syscall" bitmap (or rather two, one for compat,
another for non-compat) that is checked by the audit code,
and then just check all syscalls against that big bitmap.
Then have some way to configure that bitmap for groups
of processes.

-Andi


-- 
ak@linux.intel.com -- Speaking for myself only.
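
An added example, not part of the message above or of any kernel patch: a user-space C model of the bitmap idea it describes, with one bit per syscall number, separate native and compat maps, and a single fail-closed check. All names (`sc_policy`, `MODEL_NR_SYSCALLS` and so on) are hypothetical; the sample policy uses the x86-64 and i386 numbers for read, write and exit.

```c
/* User-space model of a per-syscall allow bitmap; all names are hypothetical. */
#include <limits.h>
#include <stdbool.h>
#include <string.h>

#define MODEL_NR_SYSCALLS 512   /* assumed table size, not a kernel constant */
#define BITS_PER_WORD (sizeof(unsigned long) * CHAR_BIT)
#define MAP_WORDS ((MODEL_NR_SYSCALLS + BITS_PER_WORD - 1) / BITS_PER_WORD)

enum sc_abi { SC_NATIVE = 0, SC_COMPAT = 1 };

/* One policy object, meant to be shared by a group of processes. */
struct sc_policy {
    unsigned long allow[2][MAP_WORDS];  /* [native|compat][bit per syscall] */
};

/* Start from deny-all so a syscall added later stays blocked until listed. */
void sc_policy_init(struct sc_policy *p) { memset(p, 0, sizeof(*p)); }

/* Set the allow bit; returns false if nr is outside the table. */
bool sc_policy_allow(struct sc_policy *p, enum sc_abi abi, long nr)
{
    if (nr < 0 || nr >= MODEL_NR_SYSCALLS)
        return false;
    p->allow[abi][nr / BITS_PER_WORD] |= 1UL << (nr % BITS_PER_WORD);
    return true;
}

/* The single check made at the syscall entry hook; fails closed. */
bool sc_policy_permits(const struct sc_policy *p, enum sc_abi abi, long nr)
{
    if (nr < 0 || nr >= MODEL_NR_SYSCALLS)
        return false;
    return (p->allow[abi][nr / BITS_PER_WORD] >> (nr % BITS_PER_WORD)) & 1UL;
}

/* Constructed sample policy: permit read, write and exit under both ABIs. */
void sc_policy_sample(struct sc_policy *p)
{
    static const long native[] = { 0, 1, 60 };  /* x86-64: read, write, exit */
    static const long compat[] = { 3, 4, 1 };   /* i386:   read, write, exit */
    sc_policy_init(p);
    for (size_t i = 0; i < 3; i++) {
        sc_policy_allow(p, SC_NATIVE, native[i]);
        sc_policy_allow(p, SC_COMPAT, compat[i]);
    }
}
```

The same number names different syscalls under the two ABIs (60 is exit on x86-64 but not on i386), which is why the model keeps two maps rather than one.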
