Re: [PATCH v9 03/13] seccomp_filter: new mode with configurable syscall filters

From: Kees Cook
Date: Fri Jun 24 2011 - 16:24:12 EST


Hi Will,

On Thu, Jun 23, 2011 at 07:36:42PM -0500, Will Drewry wrote:
> This change adds a new seccomp mode which specifies the allowed system
> calls dynamically. When in the new mode (2), all system calls are
> checked against process-defined filters - first by system call number,
> then by a filter string. If an entry exists for a given system call and
> all filter predicates evaluate to true, then the task may proceed.
> Otherwise, the task is killed.
> [...]
> Signed-off-by: Will Drewry <wad@xxxxxxxxxxxx>

Thanks for continuing to work on this. I look forward to being able to use
it. :)

Acked-by: Kees Cook <kees.cook@xxxxxxxxxxxxx>

--
Kees Cook
Ubuntu Security Team
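The decision rule quoted from the patch summary (look up the syscall number, then require every filter predicate to hold, otherwise kill the task) is compact enough to model in userspace. The following is an added illustration written for this page, not code from the patch series or the kernel: it models the allow/kill decision as a table of per-syscall predicates over the six argument registers. The policy contents, the `check_syscall` function and its types are constructed for the example; the x86-64 syscall numbers for write (1), open (2) and exit_group (231) are used only as sample keys.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the mode-2 decision described in the patch summary:
 * find the entry for the syscall number; if it exists and all of its
 * predicates evaluate to true, the call proceeds, otherwise the task is
 * killed. A syscall with no entry at all is killed (default deny). */

#define MAX_ARGS 6

enum verdict { VERDICT_ALLOW, VERDICT_KILL };

/* A predicate inspects the (constructed) argument registers of one call. */
typedef bool (*predicate_fn)(const long args[MAX_ARGS]);

struct filter_entry {
    int nr;                     /* syscall number this entry covers */
    const predicate_fn *preds;  /* all must hold; NULL/0 means "no constraints" */
    size_t npreds;
};

struct filter_table {
    const struct filter_entry *entries;
    size_t nentries;
};

/* Core check: entry must exist and every predicate must be true. */
enum verdict check_syscall(const struct filter_table *t, int nr,
                           const long args[MAX_ARGS])
{
    for (size_t i = 0; i < t->nentries; i++) {
        const struct filter_entry *e = &t->entries[i];
        if (e->nr != nr)
            continue;
        for (size_t j = 0; j < e->npreds; j++)
            if (!e->preds[j](args))
                return VERDICT_KILL;   /* one failed predicate is enough */
        return VERDICT_ALLOW;
    }
    return VERDICT_KILL;               /* no entry: default deny */
}

/* Constructed sample policy: write(2) only to stdout/stderr with a bounded
 * length, and exit_group(2) unconditionally. Nothing else is permitted. */
static bool write_fd_is_stdio(const long a[MAX_ARGS])
{
    return a[0] == 1 || a[0] == 2;
}

static bool write_count_bounded(const long a[MAX_ARGS])
{
    return a[2] >= 0 && a[2] <= 4096;
}

static const predicate_fn write_preds[] = { write_fd_is_stdio, write_count_bounded };

static const struct filter_entry demo_entries[] = {
    { 1,   write_preds, 2 },   /* write: both predicates must hold */
    { 231, NULL,        0 },   /* exit_group: always allowed */
};

const struct filter_table demo_policy = { demo_entries, 2 };

int main(void)
{
    const long write_ok[MAX_ARGS]  = { 1, 0, 10, 0, 0, 0 };  /* write(1, buf, 10) */
    const long write_bad[MAX_ARGS] = { 3, 0, 10, 0, 0, 0 };  /* write(3, buf, 10) */
    const long none[MAX_ARGS]      = { 0, 0, 0, 0, 0, 0 };

    printf("write to fd 1: %s\n",
           check_syscall(&demo_policy, 1, write_ok) == VERDICT_ALLOW ? "allow" : "kill");
    printf("write to fd 3: %s\n",
           check_syscall(&demo_policy, 1, write_bad) == VERDICT_ALLOW ? "allow" : "kill");
    printf("exit_group:    %s\n",
           check_syscall(&demo_policy, 231, none) == VERDICT_ALLOW ? "allow" : "kill");
    printf("open (no entry): %s\n",
           check_syscall(&demo_policy, 2, none) == VERDICT_ALLOW ? "allow" : "kill");
    return 0;
}
```

The point the model makes explicit is that the table is a whitelist: a missing entry and a failed predicate both end in the same kill verdict, so a policy author only ever enumerates what is permitted.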