[PATCH RFC 0/4] Seccomp-assisted syscall filtering

Dmitry V. Levin ldv at altlinux.org
Sun Jul 14 10:51:14 UTC 2019


On Sun, Jul 14, 2019 at 12:40:50PM +0200, Paul Chaignon wrote:
> On Sun, Jul 14, 2019 at 01:23:20PM +0300, Dmitry V. Levin wrote:
> > On Sun, Jul 14, 2019 at 11:35:09AM +0200, Paul Chaignon wrote:
> > > On Sat, Jul 13, 2019 at 12:22:00PM +0200, Paul Chaignon wrote:
> 
> [...]
> 
> > > One thing I forgot: if the long term goal is to have seccomp filtering
> > > enabled by default, we may want to be careful with the -n option.  We will
> > > likely want an option to disable seccomp filtering when that time comes.
> > > Changing the behavior of -n to "disable seccomp filtering" is probably not
> > > a good idea, so maybe -n should take a value {enable,disable}, with only
> > > "enable" having an effect for now.  Or we could add that value when
> > > seccomp filtering becomes the default with -n remaining an alias for
> > > "-n enable".  What do you think?
> > 
> > I agree, enable/disable would be better in the long term.
> 
> Ok.  I'll change that.
> 
> > btw, why -n has been chosen?
> 
> I don't think there's a particular reason.  I kept it from JingPiao's
> original work.  Do you have a more appropriate option in mind?

Choosing appropriate names is one of the hardest problems in software
programming. :)


-- 
ldv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20190714/2439b483/attachment.bin>


More information about the Strace-devel mailing list