Re: [PATCH 3/7] seccomp_filter: Enable ftrace-based system call filtering

From: Steven Rostedt
Date: Thu Apr 28 2011 - 12:28:23 EST


On Wed, 2011-04-27 at 22:08 -0500, Will Drewry wrote:

> The only other twist is that it is possible to delay enforcement by one
> system call by supplying a "on_next_syscall: 1" 'filter'. This allows
> for a launcher process to fork(), prctl(), then execve() leaving the
> launched binary in a filtered state.

I wonder if the more "unixy" thing to do is, instead of on_next_syscall,
to have "enable_on_exec", where the user could do multiple syscalls but the
filter will not take place until an exec is made?

-- Steve

