[PATCH v6 1/3] Introduce seccomp-assisted syscall filtering
Dmitry V. Levin
ldv at altlinux.org
Mon Sep 23 10:25:20 UTC 2019
On Mon, Sep 23, 2019 at 11:44:28AM +0200, Paul Chaignon wrote:
> On Mon, Sep 23, 2019 at 12:28:44PM +0300, Dmitry V. Levin wrote:
> > On Mon, Sep 23, 2019 at 10:04:15AM +0200, Paul Chaignon wrote:
> > > On Mon, Sep 23, 2019 at 12:22:09AM +0300, Dmitry V. Levin wrote:
> > > > On Mon, Sep 23, 2019 at 12:00:54AM +0300, Dmitry V. Levin wrote:
> > > > > On Sun, Sep 22, 2019 at 10:13:29PM +0200, Paul Chaignon wrote:
> > > > [...]
> > > > > > + if (seccomp_filtering) {
> > > > > > + if ((opt_p && !argc) || debug_flag)
> > > > >
> > > > > I think we can avoid introducing opt_p and check nprocs instead.
> > > > >
> > > > > > + error_msg("-n is ineffective on processes attached with -p");
> > > > >
> > > > > It's not just ineffective, it's not enabled for these processes.
> > > >
> > > > Looks like it makes sense to print diagnostics regardless of argc and
> > > > debug_flag.
> > >
> > > Since strace -fn -p $(pidof ...) cmd is a legitimate use of strace and the
> > > new feature, I thought we might not want to print a warning every single
> > > time someone uses that command. That's why I switched to a debug message
> > > when both -p and cmd are used.
> >
> > In that case the check should rather be (!argc || debug_flag).
>
> Ouch! Yes.
Or even (!argc || (nprocs && debug_flag)).
--
ldv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20190923/07f8a1b9/attachment.bin>
More information about the Strace-devel
mailing list