On Wed, Mar 9, 2016 at 1:05 PM, Chris Metcalf <cmetcalf@xxxxxxxxxxxx> wrote:
On 3/9/2016 3:58 PM, Andy Lutomirski wrote:BPF, not eBPF. Also, it's a tiny blob.
My preference would be not to have to require all task-isolation usersThat sounds like a great use case for the new libtaskisolation that
to also figure out all the complexities of creating BPF programs, so
my intention is to have task isolation automatically generate a BPF
program (just allowing prctl/exit/exit_group and failing everything
else with SIGSYS). To support having it work this way, I open up
the seccomp stuff a little so that kernel clients can effectively
push/pop a BPF program into seccomp:
someone is surely writing:)
Happily, task isolation is so simple an API that all that is needed is a
... Unless somehow a requirement to inflict a huge blob of eBPF into the
kernel just to use task isolation safely is added, of course :-)
And this still has nothing to do with using it safely. This has to do
with catching your own bugs.