Re: [PATCH] seccomp: plug syscall-dodging ptrace hole

From: Andy Lutomirski
Date: Fri May 27 2016 - 16:15:04 EST

Next message: Shi, Yang: "Re: [PATCH] mm: check the return value of lookup_page_ext for all call sites"
Previous message: Arnd Bergmann: "Re: [GIT PULL] kbuild updates for v4.7-rc1"
In reply to: Andy Lutomirski: "Re: [PATCH] seccomp: plug syscall-dodging ptrace hole"
Next in thread: Kees Cook: "Re: [PATCH] seccomp: plug syscall-dodging ptrace hole"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, May 27, 2016 at 12:52 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>> Right, I know, it's aesthetically much nicer that way, but I really
>> want to stay totally paranoid and keep seccomp absolutely first on the
>> path.
>>
>> How about this: we'll use this patch as-is for now, since I'd like to
>> be able to start getting feedback from the container-using folks ASAP,
>> and then we can redesign the 2-phase system going forward from there.
>>
>
> I think I'd rather change the ABI as few times as possible. On the
> other hand, it's still early, and I see nothing wrong with adding it
> to -next.

To get the ball rolling:

https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/log/?h=seccomp

It's incomplete, but it should be straightforward to finish it. The
only interesting bit is dealing with SECCOMP_RET_TRACE.

--Andy

Next message: Shi, Yang: "Re: [PATCH] mm: check the return value of lookup_page_ext for all call sites"
Previous message: Arnd Bergmann: "Re: [GIT PULL] kbuild updates for v4.7-rc1"
In reply to: Andy Lutomirski: "Re: [PATCH] seccomp: plug syscall-dodging ptrace hole"
Next in thread: Kees Cook: "Re: [PATCH] seccomp: plug syscall-dodging ptrace hole"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]