Re: [PATCH V9 13/24] LoongArch: Add system call support

From: Florian Weimer
Date: Wed May 11 2022 - 12:17:50 EST

Next message: Daniel Borkmann: "Re: [PATCH] bpf.h: fix clang compiler warning with unpriv_ebpf_notify()"
Previous message: Sireesh Kodali: "[PATCH 9/9] arm64: dts: qcom: msm8953: Add remote processor nodes"
In reply to: Rich Felker: "Re: [musl] Re: [PATCH V9 13/24] LoongArch: Add system call support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Christian Brauner:

> Without an approach like this certain sandboxes will fallback to
> ENOSYSing system calls they can't filter. This is a generic problem
> though with clone3() being one promiment example.

Furthermore, for glibc (and I believe musl as well), the trick with
in-process emulation of clone3 using SIGSYS does not work here because
we must inhibit delivery of signals on the nascent thread, before it is
fully set up. This means that we have to block signals around the
clone/clone3 system call, so that the new thread is created with all
signals blocked. This means that instead of calling the SIGSYS handler,
the filtered system call simply terminates the process.

(I think there have been discussions of using out-of-process filtering,
but I don't know where we are with that.)

Thanks,
Florian

Next message: Daniel Borkmann: "Re: [PATCH] bpf.h: fix clang compiler warning with unpriv_ebpf_notify()"
Previous message: Sireesh Kodali: "[PATCH 9/9] arm64: dts: qcom: msm8953: Add remote processor nodes"
In reply to: Rich Felker: "Re: [musl] Re: [PATCH V9 13/24] LoongArch: Add system call support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]