Message-ID: <20250911175215.147938-1-tom.hromatka@oracle.com>
Date: Thu, 11 Sep 2025 17:50:32 +0000
From: Tom Hromatka <tom.hromatka@...cle.com>
To: tom.hromatka@...cle.com, linux-doc@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org,
        bpf@...r.kernel.org
Cc: kees@...nel.org, luto@...capital.net, wad@...omium.org, corbet@....net,
        shuah@...nel.org, brauner@...nel.org
Subject: [PATCH v2 0/1] seccomp: Add SECCOMP_CLONE_FILTER operation

Add an operation, SECCOMP_CLONE_FILTER, that can copy the seccomp
filters from another process to the current process.

Changes from v1 to v2:
* Fixed locking issues.  Thanks Al, Alexei, and Kees :)
* Allow filters to be cloned if CAP_SYS_ADMIN or no new privs
  is set
  * I initially had only CAP_SYS_ADMIN, but I can't think of a
    way no new privs is harmful here, so I added it. Thanks, Kees
* Switch to passing in pidfd directly rather than a pointer to a
  pidfd
  * This more closely aligns with other pidfd syscalls
* Fixed warning in the sample code reported by the test robot
* Various cleanups and improvements in the selftest

Note that I left in the restriction that the target process
has no seccomp filters already loaded.  I could see this
limitation being removed in a later patchset, but there are
requests for this feature at present.

Finally, I re-ran the performance numbers and updated the patch
with the latest numbers.  The locking changes significantly sped
up the clone operation, and it's now ~1900x faster than the
current method.

Tom Hromatka (1):
  seccomp: Add SECCOMP_CLONE_FILTER operation

 .../userspace-api/seccomp_filter.rst          |  10 ++
 include/uapi/linux/seccomp.h                  |   1 +
 kernel/seccomp.c                              |  48 ++++++
 samples/seccomp/.gitignore                    |   1 +
 samples/seccomp/Makefile                      |   2 +-
 samples/seccomp/clone-filter.c                | 150 ++++++++++++++++++
 tools/include/uapi/linux/seccomp.h            |   1 +
 tools/testing/selftests/seccomp/seccomp_bpf.c | 114 +++++++++++++
 8 files changed, 326 insertions(+), 1 deletion(-)
 create mode 100644 samples/seccomp/clone-filter.c

-- 
2.47.3
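
An added illustration, not part of the original message or the patch: a user-space pre-check that applies the two conditions the cover letter states (CAP_SYS_ADMIN or no_new_privs, and no seccomp filters already loaded) to `/proc/<pid>/status` text. The function and enum names are hypothetical, and reading "target process" as the process that receives the filters is an assumption; the kernel's own check is authoritative.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_ADMIN_BIT 21 /* CAP_SYS_ADMIN, from linux/capability.h */
enum precheck { PRE_OK, PRE_HAS_FILTERS, PRE_NO_PRIV, PRE_PARSE_ERROR };

/* Parse the numeric value of "key:" found at the start of a status line. */
static int status_field(const char *s, const char *key, int base,
                        unsigned long long *out)
{
    size_t klen = strlen(key);
    while (s && *s) {
        if (!strncmp(s, key, klen) && s[klen] == ':') {
            char *end;
            *out = strtoull(s + klen + 1, &end, base);
            return end == s + klen + 1 ? -1 : 0; /* -1: no digits found */
        }
        s = strchr(s, '\n');
        if (s) s++;
    }
    return -1;
}

/* Hypothetical helper: would this process meet the stated conditions? */
enum precheck clone_filter_precheck(const char *status)
{
    unsigned long long filters, nnp, capeff;
    if (status_field(status, "Seccomp_filters", 10, &filters) ||
        status_field(status, "NoNewPrivs", 10, &nnp) ||
        status_field(status, "CapEff", 16, &capeff))
        return PRE_PARSE_ERROR;
    if (filters != 0) /* assumption: "target" is the receiving process */
        return PRE_HAS_FILTERS;
    if (!nnp && !((capeff >> CAP_SYS_ADMIN_BIT) & 1))
        return PRE_NO_PRIV; /* neither no_new_privs nor CAP_SYS_ADMIN */
    return PRE_OK;
}

int main(void)
{
    static char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof(buf) - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    printf("precheck: %d\n", clone_filter_precheck(buf));
    return 0;
}
```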