[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <874ou6kse9.fsf@basil.nowhere.org>
Date: Wed, 24 Jun 2009 09:22:38 +0200
From: Andi Kleen <andi@...stfloor.org>
To: David Thomas <davidleothomas@...il.com>
Cc: linux-kernel@...r.kernel.org
Subject: Re: Magic Security Dust: Appropriating SECCOMP
David Thomas <davidleothomas@...il.com> writes:
Normally it's better if you post example patches, even
if they're unclean.
> Moving the checks from the audit/trace code out to the
> individual syscalls means that each syscall we're doing one
Not sure that's a good idea. It would be lot of code churn
all over the tree and risk of not covering some new syscalls.
What I would do if I wanted a more flexible seccomp is to have a
"one bit for each syscall" bitmap (or rather two one for compat
another for non compat) that is checked by the audit code
and then just check all syscalls against that big bitmap.
Then have some way to configure that bitmap for groups
of processes.
-Andi
--
ak@...ux.intel.com -- Speaking for myself only.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists