Re: [PATCH RESEND 1/2] seccomp: Allow using `SECCOMP_MODE_STRICT` with `SECCOMP_MODE_FILTER`

From: Andy Lutomirski

Date: Fri Jun 12 2026 - 18:37:38 EST


On Fri, Jun 12, 2026 at 3:02 PM clubby789 <clubby789@xxxxxxxxx> wrote:
>
> On Fri, Jun 12, 2026 at 10:24 PM Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> >
> > I wonder if it would be reasonable to have the kernel do this on
> > behalf of the user program that's asking for STRICT. The
> > implementation would probably be trivial.
>
> I experimented with this approach after the initial AI review, but it
> turned out surprisingly complex,
> requiring a decent amount of refactoring to allow installing
> kernel-resident programs.

Maybe so. But there is a function bpf_prog_create (as opposed to
bpf_prog_create_from_user).

> The filter
> itself is also rather complex (mostly due to needing to account for
> BPF jump sizes, which differ
> as different configs (uprobe, uretprobe, SECCOMP_ARCH_COMPAT) have
> different logic), and I'd worry about
> keeping logic synced.

Perhaps you and your AI could elaborate? What are these jump sizes?

In any case, I think the actual issue is that the STRICT filter's
failure case doesn't quite correspond to any of the FILTER actions.
So maybe it's too complex to be worthwhile.

--Andy