[PATCH RFC 0/4] Seccomp-assisted syscall filtering
Dmitry V. Levin
ldv at altlinux.org
Sun Jul 14 10:51:14 UTC 2019
On Sun, Jul 14, 2019 at 12:40:50PM +0200, Paul Chaignon wrote:
> On Sun, Jul 14, 2019 at 01:23:20PM +0300, Dmitry V. Levin wrote:
> > On Sun, Jul 14, 2019 at 11:35:09AM +0200, Paul Chaignon wrote:
> > > On Sat, Jul 13, 2019 at 12:22:00PM +0200, Paul Chaignon wrote:
>
> [...]
>
> > > One thing I forgot: if the long term goal is to have seccomp filtering
> > > enabled by default, we may want to be careful with the -n option. We will
> > > likely want an option to disable seccomp filtering when that time comes.
> > > Changing the behavior of -n to "disable seccomp filtering" is probably not
> > > a good idea, so maybe -n should take a value {enable,disable}, with only
> > > "enable" having an effect for now. Or we could add that value when
> > > seccomp filtering becomes the default with -n remaining an alias for
> > > "-n enable". What do you think?
> >
> > I agree, enable/disable would be better in the long term.
>
> Ok. I'll change that.
>
> > btw, why -n has been chosen?
>
> I don't think there's a particular reason. I kept it from JingPiao's
> original work. Do you have a more appropriate option in mind?
Choosing appropriate names is one of the hardest problems in software
programming. :)
--
ldv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20190714/2439b483/attachment.bin>
More information about the Strace-devel
mailing list