[PATCH v6 1/3] Introduce seccomp-assisted syscall filtering

Paul Chaignon paul.chaignon at gmail.com
Mon Sep 23 10:48:01 UTC 2019


On Mon, Sep 23, 2019 at 01:25:20PM +0300, Dmitry V. Levin wrote:
> On Mon, Sep 23, 2019 at 11:44:28AM +0200, Paul Chaignon wrote:
> > On Mon, Sep 23, 2019 at 12:28:44PM +0300, Dmitry V. Levin wrote:
> > > On Mon, Sep 23, 2019 at 10:04:15AM +0200, Paul Chaignon wrote:
> > > > On Mon, Sep 23, 2019 at 12:22:09AM +0300, Dmitry V. Levin wrote:
> > > > > On Mon, Sep 23, 2019 at 12:00:54AM +0300, Dmitry V. Levin wrote:
> > > > > > On Sun, Sep 22, 2019 at 10:13:29PM +0200, Paul Chaignon wrote:
> > > > > [...]
> > > > > > > +	if (seccomp_filtering) {
> > > > > > > +		if ((opt_p && !argc) || debug_flag)
> > > > > > 
> > > > > > I think we can avoid introducing opt_p and check nprocs instead.
> > > > > > 
> > > > > > > +			error_msg("-n is ineffective on processes attached with -p");
> > > > > > 
> > > > > > It's not just ineffective, it's not enabled for these processes.
> > > > > 
> > > > > Looks like it makes sense to print diagnostics regardless of argc and
> > > > > debug_flag.
> > > > 
> > > > Since strace -fn -p $(pidof ...) cmd is a legitimate use of strace and the
> > > > new feature, I thought we might not want to print a warning every single
> > > > time someone uses that command.  That's why I switched to a debug message
> > > > when both -p and cmd are used.
> > > 
> > > In that case the check should rather be (!argc || debug_flag).
> > 
> > Ouch!  Yes.
> 
> Or even (!argc || (nprocs && debug_flag)).

I went with (nprocs && (!argc || debug_flag)).  That way it does not
depend on the order of the argc/nprocs checks.

Paul

