[PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
Kees Cook
kees.cook at canonical.com
Thu May 12 05:24:24 EDT 2011
Hi,
On Thu, May 12, 2011 at 09:48:50AM +0200, Ingo Molnar wrote:
> 1) We already have a specific ABI for this: you can set filters for events via
> an event fd.
>
> Why not extend that mechanism instead and improve *both* your sandboxing
> bits and the events code? This new seccomp code has a lot more
> to do with trace event filters than the minimal old seccomp code ...
Would this require privileges to get the event fd to start with? If so,
I would prefer to avoid that, since using prctl() as shown in the patch
set won't require any privs.
-Kees
--
Kees Cook
Ubuntu Security Team
More information about the linux-arm-kernel
mailing list