[PATCH v3 0/2] filter_seccomp: new bpf generation strategy

Paul Chaignon paul.chaignon at gmail.com
Mon Nov 4 11:36:07 UTC 2019

On Sun, Nov 03, 2019 at 07:01:24PM +0300, Dmitry V. Levin wrote:
> On Thu, Oct 31, 2019 at 08:55:12PM +0100, Paul Chaignon wrote:


> > Paul Chaignon (2):
> >   filter_seccomp: list of seccomp filter generation strategies
> >   filter_seccomp: binary match generation strategy
> >
> >  filter_seccomp.c | 207 ++++++++++++++++++++++++++++++++++++++++++++---
> >  1 file changed, 195 insertions(+), 12 deletions(-)
> It's now merged into master, thanks!


> We still can do better with test coverage of these new features, though.

Any specific cases you'd like us to test?

The third test case in tests/filter_seccomp.in should already be
triggering the use of the new binary match strategy.  (Not that I think
it's enough.)

Some of the corner cases are also a bit hard to test (e.g., jump offset
overflow and oversized filter) because I currently am unable to come up
with a trace set that triggers them.

I had a look at the Codecov reporting, but it looks kinda weird:
exec_or_die() is supposedly never executed, as if Codecov is only tracing
the tracer process...?


More information about the Strace-devel mailing list