[PATCH RFC 0/2] Allow seccomp filter to work without -f
Paul Chaignon
paul.chaignon at gmail.com
Mon Nov 11 15:19:17 UTC 2019
This patchset adds support in strace and the kernel for seccomp filter to
work without the -f option.
The second patch is for the kernel and based on Linus' tree. It
implements a new seccomp flag, SECCOMP_FILTER_FLAG_NO_INHERITANCE. When
given, child tasks don't inherit the filter. The first patch adds
support for this new flag in strace.
I am thinking of sending the kernel patch to the appropriate mailing list
only once --seccomp-bpf is out of experimental mode. I'm guessing we'll
have a better case that way.
Paul Chaignon (2):
filter_seccomp: use seccomp's NO_INHERIT flag when available
seccomp: implement SECCOMP_FILTER_FLAG_NO_INHERITANCE
filter_seccomp.c | 38 +++++++++++++++++++++++++---
filter_seccomp.h | 1 +
strace.1.in | 4 ++-
strace.c | 6 ++---
tests/Makefile.am | 1 +
tests/filter_seccomp-no-inherit.test | 26 +++++++++++++++++++
tests/options-syntax.test | 2 --
7 files changed, 68 insertions(+), 10 deletions(-)
create mode 100755 tests/filter_seccomp-no-inherit.test
--
2.17.1