Re: [PATCH v17 15/15] Documentation: prctl/seccomp_filter

[PATCH v17 00/15] seccomp_filter: BPF-based syscall filtering · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andy Lutomirski <luto@amacapital.net> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Markus Gutschke <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Lutomirski <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Markus Gutschke <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Lutomirski <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Markus Gutschke <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Will Drewry <wad@chromium.org> · 2012-04-10
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Lutomirski <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Jonathan Corbet <corbet@lwn.net> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Lutomirski <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Michael Kerrisk (man-pages) <hidden> · 2012-04-11
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Michael Kerrisk (man-pages) <hidden> · 2012-04-12
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Lutomirski <hidden> · 2012-04-12
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Rob Landley <hidden> · 2012-04-16
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Rob Landley <hidden> · 2012-04-10
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Will Drewry <wad@chromium.org> · 2012-04-10
[PATCH v17 05/15] seccomp: kill the seccomp_t typedef · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 06/15] arch/x86: add syscall_get_arch to syscall.h · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 11/15] signal, x86: add SIGSYS info and make it synchronous. · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 10/15] seccomp: add SECCOMP_RET_ERRNO · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 10/15] seccomp: add SECCOMP_RET_ERRNO · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 10/15] seccomp: add SECCOMP_RET_ERRNO · Will Drewry <wad@chromium.org> · 2012-04-09
[PATCH v17 09/15] seccomp: remove duplicated failure logging · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 09/15] seccomp: remove duplicated failure logging · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 09/15] seccomp: remove duplicated failure logging · Will Drewry <wad@chromium.org> · 2012-04-09
Re: [PATCH v17 09/15] seccomp: remove duplicated failure logging · Kees Cook <hidden> · 2012-04-09
Re: [kernel-hardening] Re: [PATCH v17 09/15] seccomp: remove duplicated failure logging · Eric Paris <eparis@redhat.com> · 2012-04-09
Re: [kernel-hardening] Re: [PATCH v17 09/15] seccomp: remove duplicated failure logging · Kees Cook <hidden> · 2012-04-09
[PATCH v17 08/15] seccomp: add system call filtering using BPF · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Vladimir Murzin <hidden> · 2012-03-31
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Will Drewry <wad@chromium.org> · 2012-03-31
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Kees Cook <hidden> · 2012-04-06
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · "H. Peter Anvin" <hpa@zytor.com> · 2012-04-06
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Indan Zupancic <hidden> · 2012-04-08
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Will Drewry <wad@chromium.org> · 2012-04-09
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · James Morris <jmorris@namei.org> · 2012-04-10
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Andrew Morton <akpm@linux-foundation.org> · 2012-04-10
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Will Drewry <wad@chromium.org> · 2012-04-10
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Eric Dumazet <hidden> · 2012-04-10
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Andrew Morton <akpm@linux-foundation.org> · 2012-04-10
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Will Drewry <wad@chromium.org> · 2012-04-10
[PATCH v17 15/15] Documentation: prctl/seccomp_filter · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 15/15] Documentation: prctl/seccomp_filter · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 15/15] Documentation: prctl/seccomp_filter · Will Drewry <wad@chromium.org> · 2012-04-09
Re: [PATCH v17 15/15] Documentation: prctl/seccomp_filter · Markus Gutschke <hidden> · 2012-04-09
Re: [PATCH v17 15/15] Documentation: prctl/seccomp_filter · Ryan Ware <hidden> · 2012-04-09
Re: [PATCH v17 15/15] Documentation: prctl/seccomp_filter · Will Drewry <wad@chromium.org> · 2012-04-09
Re: [PATCH v17 15/15] Documentation: prctl/seccomp_filter · Ryan Ware <hidden> · 2012-04-10
[PATCH v17 14/15] x86: Enable HAVE_ARCH_SECCOMP_FILTER · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 13/15] ptrace,seccomp: Add PTRACE_SECCOMP support · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 13/15] ptrace,seccomp: Add PTRACE_SECCOMP support · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 13/15] ptrace,seccomp: Add PTRACE_SECCOMP support · Will Drewry <wad@chromium.org> · 2012-04-09
[PATCH v17 12/15] seccomp: Add SECCOMP_RET_TRAP · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 07/15] asm/syscall.h: add syscall_get_arch · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 07/15] asm/syscall.h: add syscall_get_arch · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 07/15] asm/syscall.h: add syscall_get_arch · Will Drewry <wad@chromium.org> · 2012-04-09
[PATCH v17 04/15] net/compat.c,linux/filter.h: share compat_sock_fprog · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 03/15] sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 02/15] Fix apparmor for PR_{GET,SET}_NO_NEW_PRIVS · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 00/15] seccomp_filter: BPF-based syscall filtering · James Morris <jmorris@namei.org> · 2012-03-29
Re: [PATCH v17 00/15] seccomp_filter: BPF-based syscall filtering · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 00/15] seccomp_filter: BPF-based syscall filtering · James Morris <jmorris@namei.org> · 2012-04-09

From: Will Drewry <wad@chromium.org>
Date: 2012-04-09 19:46:41
Also in: linux-arch, lkml

On Fri, Apr 6, 2012 at 4:26 PM, Andrew Morton [off-list ref] wrote:

On Thu, 29 Mar 2012 15:02:00 -0500
Will Drewry [off-list ref] wrote:

quoted

Documents how system call filtering using Berkeley Packet
Filter programs works and how it may be used.
Includes an example for x86 and a semi-generic
example using a macro-based code generator.


...

+Adding architecture support
+-----------------------
+
+See arch/Kconfig for the authoritative requirements.  In general, if an
+architecture supports both ptrace_event and seccomp, it will be able to
+support seccomp filter with minor fixup: SIGSYS support and seccomp return
+value checking.  Then it must just add CONFIG_HAVE_ARCH_SECCOMP_FILTER
+to its arch-specific Kconfig.

diff --git a/samples/Makefile b/samples/Makefile
index 2f75851..5ef08bb 100644
--- a/samples/Makefile
+++ b/samples/Makefile

Oh good, I was going to ask about that.

Can we get this code into tools/testing/selftests?  That way people
will run it more often and it's more likely to be maintained as the
code evolves.

I'm currently using a lightweight testsuite in addition to the
samples.  It's a little more oriented at pass/fail behavior.  Would it
be more appropriate to post those in addition to, or instead of,
samples?

thanks!

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help