[PATCH RFC 0/4] Seccomp-assisted syscall filtering
Paul Chaignon
paul.chaignon at gmail.com
Sun Jul 14 10:40:50 UTC 2019
On Sun, Jul 14, 2019 at 01:23:20PM +0300, Dmitry V. Levin wrote:
> On Sun, Jul 14, 2019 at 11:35:09AM +0200, Paul Chaignon wrote:
> > On Sat, Jul 13, 2019 at 12:22:00PM +0200, Paul Chaignon wrote:
[...]
> > One thing I forgot: if the long term goal is to have seccomp filtering
> > enabled by default, we may want to be careful with the -n option. We will
> > likely want an option to disable seccomp filtering when that time comes.
> > Changing the behavior of -n to "disable seccomp filtering" is probably not
> > a good idea, so maybe -n should take a value {enable,disable}, with only
> > "enable" having an effect for now. Or we could add that value when
> > seccomp filtering becomes the default with -n remaining an alias for
> > "-n enable". What do you think?
>
> I agree, enable/disable would be better in the long term.
Ok. I'll change that.
> btw, why -n has been chosen?
I don't think there's a particular reason. I kept it from JingPiao's
original work. Do you have a more appropriate option in mind?
Paul