[PATCH RFC 2/2] seccomp: implement SECCOMP_FILTER_FLAG_NO_INHERITANCE
Paul Chaignon
paul.chaignon at gmail.com
Fri Nov 15 13:21:18 UTC 2019
On Thu, Nov 14, 2019 at 09:44:52PM +0300, Dmitry V. Levin wrote:
> On Thu, Nov 14, 2019 at 07:06:21PM +0100, Paul Chaignon wrote:
[...]
> > > > diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h
> > > > index 90734aa5aa36..e7f715fb7b34 100644
> > > > --- a/include/uapi/linux/seccomp.h
> > > > +++ b/include/uapi/linux/seccomp.h
> > > > @@ -22,6 +22,7 @@
> > > > #define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
> > > > #define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
> > > > #define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
> > > > +#define SECCOMP_FILTER_FLAG_NO_INHERIT (1UL << 4)
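Review bot: the macro added in this hunk is named SECCOMP_FILTER_FLAG_NO_INHERIT, while the patch subject calls it SECCOMP_FILTER_FLAG_NO_INHERITANCE; whichever spelling is kept, the subject, the UAPI header and the flag's documentation should agree, since this name becomes ABI once it lands in include/uapi/linux/seccomp.h. The new define also carries no comment on what "no inheritance" means for the filter (not copied to children across fork/clone), unlike the behaviour one would infer from the neighbouring LOG and NEW_LISTENER flags; a one-line comment next to `+#define SECCOMP_FILTER_FLAG_NO_INHERIT (1UL << 4)` would help. Finally, this hunk only touches the UAPI header, so the part that accepts the new bit in the filter-flag validation and implements the skip is not visible here and should be reviewed together with it.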
> > >
> > > NO_INHERIT is too generic, it doesn't clearly say that we want to skip
> > > fork inheritance.
> >
> > I'm not sure I understand. Is there another type of inheritance for
> > seccomp filters that I missed?
>
> No, I don't think we care about any other type of inheritance, but this is
> not my point. I mean it would be nice (although not necessary) if the
> name itself was explicit about the kind of inheritance being skipped.
I thought NO_FORK_INHERIT would be too long, but I don't really care
either way. I'll make the change.
Paul