From: "Namsun Ch'o"
Date: Mon, 28 Sep 2015 23:14:42 -0400
To: pmoore@redhat.com
Cc: qemu-devel@nongnu.org, eduardo.otubo@profitbricks.com
Subject: Re: [Qemu-devel] [PATCH v2] Add argument filters to the seccomp sandbox

> My understanding of the config file you proposed is that it would allow the
> configuration of a whitelist, so changes to the config very could result in
> *less* strict of a filter, not always more.

No. Any time an administrator wants a syscall that is not enabled in the
sandbox, they either don't actually need it, or it's a bug and should be
fixed. So all the config would do is add argument filters to syscalls which
are already whitelisted. The alternative would be that the syscalls are given
no further argument filtering. The config could only make the filters more
restrictive, never less.

Perhaps there could be a #define somewhere that toggles whether or not a
syscall argument filter can be created for a syscall which is not in the
built-in whitelist; otherwise it would throw an error saying that you cannot
create an argument filter for a syscall that is not permitted.
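The policy the reply above describes, as an added example that is not part of the original thread and is not QEMU's or libseccomp's code: a built-in syscall whitelist, an administrator config that can attach argument filters only to syscalls already on that list, a compile-time toggle controlling whether a filter may name an unlisted syscall, and an evaluator showing that the config can only narrow the policy. The syscall numbers (x86_64), the whitelist, the config entries and the comparison operators are assumptions constructed for illustration; the per-argument comparisons are modelled after libseccomp's SCMP_CMP_* operators but are evaluated in user space here, and every filter listed for a syscall is ANDed, which is a simplification of libseccomp's rule semantics.

```c
/* Added example, not QEMU or libseccomp code.  Models "argument filters can
 * only narrow the whitelist".  Syscall numbers, whitelist and config entries
 * are constructed assumptions; comparisons mimic libseccomp's SCMP_CMP_* but
 * run in user space so the model can be exercised offline. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Compile-time toggle from the reply: may the config name a syscall that is
 * not in the built-in whitelist?  Off by default: such a config is an error. */
#ifndef ALLOW_FILTER_ON_UNLISTED_SYSCALL
#define ALLOW_FILTER_ON_UNLISTED_SYSCALL 0
#endif

enum cmp { CMP_EQ, CMP_NE, CMP_MASKED_EQ };  /* subset of SCMP_CMP_* (assumed) */

struct arg_filter {
    int syscall_nr;    /* assumed x86_64 numbers, illustration only */
    unsigned arg;      /* which argument, 0..5 */
    enum cmp op;
    uint64_t mask;     /* only used by CMP_MASKED_EQ */
    uint64_t value;
};

/* Built-in whitelist (constructed): only these can ever be allowed. */
static const int whitelist[] = { 0 /* read */, 1 /* write */, 2 /* open */, 60 /* exit */ };
#define NWHITELIST (sizeof(whitelist) / sizeof(whitelist[0]))

/* Administrator config (constructed): adds restrictions, never syscalls.
 * open(2): allow only read-only opens, i.e. (flags & O_ACCMODE) == O_RDONLY. */
static const struct arg_filter config[] = {
    { 2, 1, CMP_MASKED_EQ, 0x3 /* O_ACCMODE */, 0 /* O_RDONLY */ },
};
#define NCONFIG (sizeof(config) / sizeof(config[0]))

static bool whitelisted(int nr)
{
    for (size_t i = 0; i < NWHITELIST; i++)
        if (whitelist[i] == nr) return true;
    return false;
}

/* Validate a config: -1 (and *bad = offending syscall) if a filter names a
 * syscall the whitelist does not permit and the toggle is off; 0 otherwise. */
int validate_config(const struct arg_filter *f, size_t n, int *bad)
{
    for (size_t i = 0; i < n; i++) {
        if (!whitelisted(f[i].syscall_nr) && !ALLOW_FILTER_ON_UNLISTED_SYSCALL) {
            if (bad) *bad = f[i].syscall_nr;
            return -1;
        }
    }
    return 0;
}

static bool arg_matches(const struct arg_filter *f, const uint64_t args[6])
{
    uint64_t a = args[f->arg];
    switch (f->op) {
    case CMP_EQ:        return a == f->value;
    case CMP_NE:        return a != f->value;
    case CMP_MASKED_EQ: return (a & f->mask) == f->value;
    }
    return false;
}

/* Decide one syscall: not whitelisted -> deny (no config can change that);
 * whitelisted with no filters -> allow; whitelisted with filters -> allow only
 * if every filter for that syscall matches (ANDed: a simplification). */
bool syscall_allowed(const struct arg_filter *f, size_t n, int nr, const uint64_t args[6])
{
    if (!whitelisted(nr)) return false;
    for (size_t i = 0; i < n; i++)
        if (f[i].syscall_nr == nr && !arg_matches(&f[i], args)) return false;
    return true;
}

/* Worked checks over the constructed policy; each returns the decision. */
bool demo_open_rdonly(void) { uint64_t a[6] = {0, 0x80000 /* O_RDONLY|O_CLOEXEC */}; return syscall_allowed(config, NCONFIG, 2, a); }
bool demo_open_rdwr(void)   { uint64_t a[6] = {0, 2 /* O_RDWR */};               return syscall_allowed(config, NCONFIG, 2, a); }
bool demo_write(void)       { uint64_t a[6] = {1, 0, 0};                          return syscall_allowed(config, NCONFIG, 1, a); }
bool demo_execve(void)      { uint64_t a[6] = {0};                                return syscall_allowed(config, NCONFIG, 59, a); }
/* A config that tries to filter execve (not whitelisted): returns the rejected
 * syscall number, or 0 if the toggle lets it through validation. */
int demo_bad_config(void)
{
    static const struct arg_filter bad_cfg[] = { { 59 /* execve */, 0, CMP_EQ, 0, 0 } };
    int bad = 0;
    return validate_config(bad_cfg, 1, &bad) == -1 ? bad : 0;
}

int main(void)
{
    printf("config valid: %d\n", validate_config(config, NCONFIG, NULL) == 0);
    printf("open O_RDONLY: %d, open O_RDWR: %d, write: %d, execve: %d\n",
           demo_open_rdonly(), demo_open_rdwr(), demo_write(), demo_execve());
    printf("filter on unlisted syscall rejected for nr %d\n", demo_bad_config());
    return 0;
}
```

Note that even when ALLOW_FILTER_ON_UNLISTED_SYSCALL is defined to 1 the execve filter merely passes validation; syscall_allowed() still denies execve because the whitelist, not the config, decides what is reachable at all.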