[PATCH RFC 2/2] seccomp: implement SECCOMP_FILTER_FLAG_NO_INHERITANCE

Paul Chaignon paul.chaignon at gmail.com
Mon Nov 18 19:17:38 UTC 2019


On Mon, Nov 18, 2019 at 10:11:29PM +0300, Dmitry V. Levin wrote:
> On Mon, Nov 18, 2019 at 08:02:48PM +0100, Paul Chaignon wrote:
> > On Mon, Nov 18, 2019 at 09:39:41PM +0300, Dmitry V. Levin wrote:
> [...]
> > > Why can't we have only some of seccomp filters to be NO_FORK_INHERIT'ed?
> > 
> > If we have filter list f1->nf2->f3, with only nf2 NO_FORK_INHERIT'ed, we
> > would need to make a copy of at least f1 upon forking to rewrite its .prev
> > pointer to point to f3 directly.  Currently, children get a reference to
> > the list, there's no need for any filter copy.
> 
> OK, we might need to make a copy, is it a problem?

We'll need to copy all of the filters before any NO_FORK_INHERIT'ed
filter.  I thought that might add up to too much overhead, especially with
strace, where we're likely to install one of the last filters in the list
(since the first installed filter becomes the last of the list).

Paul
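The copying cost Paul describes above, shown as an added example that is not part of the patch, the thread, or the kernel's seccomp code: a small user-space model of the filter list (head is the newest filter, `.prev` links point toward older ones, so the first filter installed ends up last) with a hypothetical per-filter no-inheritance flag. `fork_filters()` duplicates every inherited filter that sits before the last flagged one, because each of those nodes needs its `.prev` rewritten to skip the dropped filter, and shares the remaining tail by reference as today. The struct, the flag name and all function names are assumptions made for the illustration; no BPF programs are modelled.

```c
/* Added example, not kernel code: models only the list structure a task's
 * seccomp filters form and what a per-filter "no fork inheritance" flag
 * would cost at fork.  Names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct filter {
    char name[16];          /* label for the demo, e.g. "strace" */
    int no_fork_inherit;    /* hypothetical flag: drop this filter in children */
    int refcount;           /* one ref per holder: the task or the newer node */
    struct filter *prev;    /* next older filter in the list */
};

/* Install a filter: it becomes the head, so the first one installed ends
 * up last.  The task's reference to the old head moves into f->prev. */
static struct filter *install(struct filter *head, const char *name, int no_inherit)
{
    struct filter *f = calloc(1, sizeof(*f));
    if (!f)
        abort();
    strncpy(f->name, name, sizeof(f->name) - 1);
    f->no_fork_inherit = no_inherit;
    f->refcount = 1;
    f->prev = head;
    return f;
}

/* Build the child's list.  Every inherited filter newer than the last
 * flagged filter must be duplicated so its .prev can skip the flagged
 * ones; the tail after the last flagged filter is shared by reference.
 * Returns the child's head; *copies receives the number of nodes copied. */
static struct filter *fork_filters(struct filter *head, int *copies)
{
    struct filter *last_skip = NULL, *f;
    struct filter *child_head = NULL, **link = &child_head;

    *copies = 0;
    for (f = head; f; f = f->prev)
        if (f->no_fork_inherit)
            last_skip = f;
    if (!last_skip) {
        /* Nothing to drop: the child just takes a reference, as today. */
        if (head)
            head->refcount++;
        return head;
    }
    for (f = head; f != last_skip; f = f->prev) {
        if (f->no_fork_inherit)
            continue;           /* flagged filters are simply left out */
        struct filter *c = malloc(sizeof(*c));
        if (!c)
            abort();
        *c = *f;
        c->refcount = 1;
        c->prev = NULL;
        *link = c;
        link = &c->prev;
        (*copies)++;
    }
    /* Everything older than the last flagged filter is shared. */
    *link = last_skip->prev;
    if (last_skip->prev)
        last_skip->prev->refcount++;
    return child_head;
}

/* Render the list as "newest->...->oldest" for display and checks. */
static size_t filter_names(const struct filter *f, char *buf, size_t n)
{
    size_t len = 0;
    buf[0] = '\0';
    for (; f; f = f->prev) {
        int w = snprintf(buf + len, n - len, "%s%s", f->name, f->prev ? "->" : "");
        if (w < 0 || (size_t)w >= n - len)
            break;
        len += (size_t)w;
    }
    return len;
}

/* Drop a holder's reference; free nodes whose last reference went away. */
static void put_filters(struct filter *f)
{
    while (f && --f->refcount == 0) {
        struct filter *prev = f->prev;
        free(f);
        f = prev;
    }
}

int main(void)
{
    /* The strace case from the mail: strace installs its filter first, so a
     * flagged strace filter ends up last and every later filter is copied. */
    struct filter *h = install(NULL, "strace", 1);
    int copies;
    char buf[128];

    h = install(h, "app1", 0);
    h = install(h, "app2", 0);
    h = install(h, "app3", 0);
    struct filter *child = fork_filters(h, &copies);
    filter_names(h, buf, sizeof buf);
    printf("parent: %s\n", buf);
    filter_names(child, buf, sizeof buf);
    printf("child:  %s (%d filters copied)\n", buf, copies);
    put_filters(child);
    put_filters(h);
    return 0;
}
```

With the list f1->nf2->f3 from the quoted exchange (f3 installed first, nf2 flagged), only f1 is copied and f3 is shared; with a flagged strace filter installed before N application filters, all N are copied on every fork, which is the overhead the reply is worried about.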

