[PATCH v4 2/4] Introduce seccomp-assisted syscall filtering
Dmitry V. Levin
ldv at altlinux.org
Mon Sep 2 12:56:27 UTC 2019
On Thu, Aug 29, 2019 at 04:00:24PM +0200, Paul Chaignon wrote:
[...]
> + if (seccomp_filtering) {
> + /*
> + * Syscall and seccomp stops can happen in different
> + * orders depending on kernel. strace tests this in
> + * check_seccomp_order_tracer().
> + *
> + * Linux 3.5--4.7:
> + * (seccomp-stop before syscall-entry-stop)
> + * +--> seccomp-stop ->-PTRACE_SYSCALL->-+
> + * | |
> + * PTRACE_CONT syscall-entry-stop
> + * | |
> + * syscall-exit-stop <---PTRACE_SYSCALL-----<----+
> + *
> + * Linux 4.8+:
> + * (seccomp-stop after syscall-entry-stop)
> + * syscall-entry-stop
> + *
> + * +---->-----PTRACE_CONT---->----+
> + * | |
> + * syscall-exit-stop seccomp-stop
> + * | |
> + * +----<----PTRACE_SYSCALL---<---+
> + *
> + * Note in Linux 4.8+, we restart in PTRACE_CONT after
> + * syscall-exit to skip the syscall-entry-stop. The
> + * next seccomp-stop will be treated as a syscall
> + * entry.
> + *
> + * The below line implements this behavior. Note
> + * exiting(current_tcp) actually marks a
> + * syscall-entry-stop because the flag was inverted in
> + * the above call to trace_syscall.
> + */
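Review bot: the comment explains the behaviour by pointing at "the below line" and "the above call to trace_syscall", neither of which is within the quoted context, so the explanation is tied to code placement rather than to the invariant itself; stating the invariant directly in the comment (that after a seccomp-stop in the 4.8+ order, exiting(current_tcp) is set when the stop is to be treated as a syscall entry, because trace_syscall inverted the flag) would keep it accurate if the surrounding lines are later moved. The diagram lines also carry the trailing whitespace that the pre-commit hook rejects; the "--->" connectors can be redrawn without padding spaces at line ends.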
I like ASCII graphics, but it contains trailing whitespace rejected
by my pre-commit hook.
Try "git config --global apply.whitespace error-all".
--
ldv