Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF

[PATCH v17 00/15] seccomp_filter: BPF-based syscall filtering · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andy Lutomirski <luto@amacapital.net> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Markus Gutschke <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Lutomirski <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Markus Gutschke <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Lutomirski <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Markus Gutschke <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Will Drewry <wad@chromium.org> · 2012-04-10
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Lutomirski <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Jonathan Corbet <corbet@lwn.net> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Lutomirski <hidden> · 2012-04-06
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Michael Kerrisk (man-pages) <hidden> · 2012-04-11
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Michael Kerrisk (man-pages) <hidden> · 2012-04-12
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Andrew Lutomirski <hidden> · 2012-04-12
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Rob Landley <hidden> · 2012-04-16
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Rob Landley <hidden> · 2012-04-10
Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · Will Drewry <wad@chromium.org> · 2012-04-10
[PATCH v17 05/15] seccomp: kill the seccomp_t typedef · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 06/15] arch/x86: add syscall_get_arch to syscall.h · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 11/15] signal, x86: add SIGSYS info and make it synchronous. · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 10/15] seccomp: add SECCOMP_RET_ERRNO · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 10/15] seccomp: add SECCOMP_RET_ERRNO · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 10/15] seccomp: add SECCOMP_RET_ERRNO · Will Drewry <wad@chromium.org> · 2012-04-09
[PATCH v17 09/15] seccomp: remove duplicated failure logging · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 09/15] seccomp: remove duplicated failure logging · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 09/15] seccomp: remove duplicated failure logging · Will Drewry <wad@chromium.org> · 2012-04-09
Re: [PATCH v17 09/15] seccomp: remove duplicated failure logging · Kees Cook <hidden> · 2012-04-09
Re: [kernel-hardening] Re: [PATCH v17 09/15] seccomp: remove duplicated failure logging · Eric Paris <eparis@redhat.com> · 2012-04-09
Re: [kernel-hardening] Re: [PATCH v17 09/15] seccomp: remove duplicated failure logging · Kees Cook <hidden> · 2012-04-09
[PATCH v17 08/15] seccomp: add system call filtering using BPF · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Vladimir Murzin <hidden> · 2012-03-31
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Will Drewry <wad@chromium.org> · 2012-03-31
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Kees Cook <hidden> · 2012-04-06
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · "H. Peter Anvin" <hpa@zytor.com> · 2012-04-06
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Indan Zupancic <hidden> · 2012-04-08
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Will Drewry <wad@chromium.org> · 2012-04-09
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · James Morris <jmorris@namei.org> · 2012-04-10
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Andrew Morton <akpm@linux-foundation.org> · 2012-04-10
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Will Drewry <wad@chromium.org> · 2012-04-10
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Eric Dumazet <hidden> · 2012-04-10
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Andrew Morton <akpm@linux-foundation.org> · 2012-04-10
Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF · Will Drewry <wad@chromium.org> · 2012-04-10
[PATCH v17 15/15] Documentation: prctl/seccomp_filter · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 15/15] Documentation: prctl/seccomp_filter · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 15/15] Documentation: prctl/seccomp_filter · Will Drewry <wad@chromium.org> · 2012-04-09
Re: [PATCH v17 15/15] Documentation: prctl/seccomp_filter · Markus Gutschke <hidden> · 2012-04-09
Re: [PATCH v17 15/15] Documentation: prctl/seccomp_filter · Ryan Ware <hidden> · 2012-04-09
Re: [PATCH v17 15/15] Documentation: prctl/seccomp_filter · Will Drewry <wad@chromium.org> · 2012-04-09
Re: [PATCH v17 15/15] Documentation: prctl/seccomp_filter · Ryan Ware <hidden> · 2012-04-10
[PATCH v17 14/15] x86: Enable HAVE_ARCH_SECCOMP_FILTER · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 13/15] ptrace,seccomp: Add PTRACE_SECCOMP support · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 13/15] ptrace,seccomp: Add PTRACE_SECCOMP support · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 13/15] ptrace,seccomp: Add PTRACE_SECCOMP support · Will Drewry <wad@chromium.org> · 2012-04-09
[PATCH v17 12/15] seccomp: Add SECCOMP_RET_TRAP · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 07/15] asm/syscall.h: add syscall_get_arch · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 07/15] asm/syscall.h: add syscall_get_arch · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 07/15] asm/syscall.h: add syscall_get_arch · Will Drewry <wad@chromium.org> · 2012-04-09
[PATCH v17 04/15] net/compat.c,linux/filter.h: share compat_sock_fprog · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 03/15] sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W · Will Drewry <wad@chromium.org> · 2012-03-29
[PATCH v17 02/15] Fix apparmor for PR_{GET,SET}_NO_NEW_PRIVS · Will Drewry <wad@chromium.org> · 2012-03-29
Re: [PATCH v17 00/15] seccomp_filter: BPF-based syscall filtering · James Morris <jmorris@namei.org> · 2012-03-29
Re: [PATCH v17 00/15] seccomp_filter: BPF-based syscall filtering · Andrew Morton <akpm@linux-foundation.org> · 2012-04-06
Re: [PATCH v17 00/15] seccomp_filter: BPF-based syscall filtering · James Morris <jmorris@namei.org> · 2012-04-09

From: Eric Dumazet <hidden>
Date: 2012-04-10 10:34:48
Also in: linux-arch, lkml

On Mon, 2012-04-09 at 04:22 +1000, Indan Zupancic wrote:

On Sat, April 7, 2012 06:23, Andrew Morton wrote:

quoted

I think this gives userspace an easy way of causing page allocation
failure warnings, by permitting large kmalloc() attempts.  Add
__GFP_NOWARN?

Max is 32kb. sk_attach_filter() in net/core/filter.c is worse,
it allocates up to 512kb before even checking the length.

I dont think so.

sk_attach_filter() uses sk_malloc() and it does a check.

# cat /proc/sys/net/core/optmem_max 
20480

Of course you can change the limit on your machine.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help