Re: [PATCH RESEND 1/2] seccomp: Allow using `SECCOMP_MODE_STRICT` with `SECCOMP_MODE_FILTER`

Next message: Sebastian Reichel: "Re: [PATCH v2] power: supply: charger-manager: fix refcount leak in is_full_charged()"
Previous message: Dan Williams (nvidia): "Re: [PATCH 00/15] Enable TDX Module Extensions and DICE-based TDX Quoting"
In reply to: Andy Lutomirski: "Re: [PATCH RESEND 1/2] seccomp: Allow using `SECCOMP_MODE_STRICT` with `SECCOMP_MODE_FILTER`"
Next in thread: Andy Lutomirski: "Re: [PATCH RESEND 1/2] seccomp: Allow using `SECCOMP_MODE_STRICT` with `SECCOMP_MODE_FILTER`"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: clubby789

Date: Fri Jun 12 2026 - 18:03:34 EST

On Fri, Jun 12, 2026 at 10:24 PM Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>
> I wonder if It would be reasonable to have the kernel do this on
> behalf of the user program that's asking for STRICT. The
> implementation would probably be trivial.

I experimented with this approach after the initial AI review, but it
turned out surprisingly complex,
requiring a decent amount of refactoring to allow installing
kernel-resident programs. The filter
itself is also rather complex (mostly due to needing to account for
BPF jump sizes, which differ
as different configs (uprobe, uretprobe, SECCOMP_ARCH_COMPAT) have
different logic., and I'd worry about
keeping logic synced.
If that approach is worth pursuing though, I can submit that version
of this patch.

- Jamie