[PATCH v6 1/3] Introduce seccomp-assisted syscall filtering
Paul Chaignon
paul.chaignon at gmail.com
Mon Sep 23 10:48:01 UTC 2019
On Mon, Sep 23, 2019 at 01:25:20PM +0300, Dmitry V. Levin wrote:
> On Mon, Sep 23, 2019 at 11:44:28AM +0200, Paul Chaignon wrote:
> > On Mon, Sep 23, 2019 at 12:28:44PM +0300, Dmitry V. Levin wrote:
> > > On Mon, Sep 23, 2019 at 10:04:15AM +0200, Paul Chaignon wrote:
> > > > On Mon, Sep 23, 2019 at 12:22:09AM +0300, Dmitry V. Levin wrote:
> > > > > On Mon, Sep 23, 2019 at 12:00:54AM +0300, Dmitry V. Levin wrote:
> > > > > > On Sun, Sep 22, 2019 at 10:13:29PM +0200, Paul Chaignon wrote:
> > > > > [...]
> > > > > > > + if (seccomp_filtering) {
> > > > > > > + if ((opt_p && !argc) || debug_flag)
> > > > > >
> > > > > > I think we can avoid introducing opt_p and check nprocs instead.
> > > > > >
> > > > > > > + error_msg("-n is ineffective on processes attached with -p");
> > > > > >
> > > > > > It's not just ineffective, it's not enabled for these processes.
> > > > >
> > > > > Looks like it makes sense to print diagnostics regardless of argc and
> > > > > debug_flag.
> > > >
> > > > Since strace -fn -p $(pidof ...) cmd is a legitimate use of strace and the
> > > > new feature, I thought we might not want to print a warning every single
> > > > time someone uses that command. That's why I switched to a debug message
> > > > when both -p and cmd are used.
> > >
> > > In that case the check should rather be (!argc || debug_flag).
> >
> > Ouch! Yes.
>
> Or even (!argc || (nprocs && debug_flag)).
I went with (nprocs && (!argc || debug_flag)). That way it does not
depend on the order of the argc/nprocs checks.
Paul
More information about the Strace-devel
mailing list