Re: [PATCH v10 09/12] arch/x86: enable task isolation functionality

From: Chris Metcalf
Date: Wed Mar 09 2016 - 16:06:28 EST

Next message: Eric W. Biederman: "Re: [PATCH 0/2] Fix debugfs bind mount regression"
Previous message: Jonathan Cameron: "Re: [PATCH v2 1/2] iio: core: introduce IIO_CHAN_INFO_SIGNED"
In reply to: Andy Lutomirski: "Re: [PATCH v10 09/12] arch/x86: enable task isolation functionality"
Next in thread: Andy Lutomirski: "Re: [PATCH v10 09/12] arch/x86: enable task isolation functionality"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 3/9/2016 3:58 PM, Andy Lutomirski wrote:

My preference would be not to have to require all task-isolation users
>to also figure out all the complexities of creating BPF programs, so
>my intention is to have task isolation automatically generate a BPF
>program (just allowing prctl/exit/exit_group and failing everything
>else with SIGSYS). To support having it work this way, I open up
>the seccomp stuff a little so that kernel clients can effectively
>push/pop a BPF program into seccomp:

That sounds like a great use case for the new libtaskisolation that
someone is surely writing:)

Happily, task isolation is so simple an API that all that is needed is a prctl().

... Unless somehow a requirement to inflict a huge blob of eBPF into the kernel
just to use task isolation safely is added, of course :-)

--
Chris Metcalf, Mellanox Technologies
http://www.mellanox.com

Next message: Eric W. Biederman: "Re: [PATCH 0/2] Fix debugfs bind mount regression"
Previous message: Jonathan Cameron: "Re: [PATCH v2 1/2] iio: core: introduce IIO_CHAN_INFO_SIGNED"
In reply to: Andy Lutomirski: "Re: [PATCH v10 09/12] arch/x86: enable task isolation functionality"
Next in thread: Andy Lutomirski: "Re: [PATCH v10 09/12] arch/x86: enable task isolation functionality"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]