On Wed, Mar 9, 2016 at 1:05 PM, Chris Metcalf <[email protected]> wrote:
> On 3/9/2016 3:58 PM, Andy Lutomirski wrote:
>>>
>>> My preference would be not to have to require all task-isolation users
>>> to also figure out all the complexities of creating BPF programs, so
>>> my intention is to have task isolation automatically generate a BPF
>>> program (just allowing prctl/exit/exit_group and failing everything
>>> else with SIGSYS).  To support having it work this way, I open up
>>> the seccomp stuff a little so that kernel clients can effectively
>>> push/pop a BPF program into seccomp:
>>
>> That sounds like a great use case for the new libtaskisolation that
>> someone is surely writing:)
>
>
> Happily, task isolation is so simple an API that all that is needed is a
> prctl().
>
> ... Unless somehow a requirement to inflict a huge blob of eBPF into the kernel
> just to use task isolation safely is added, of course :-)
>

BPF, not eBPF.  Also, it's a tiny blob.

And this still has nothing to do with using it safely.  This has to do
with catching your own bugs.

--Andy

>
> --
> Chris Metcalf, Mellanox Technologies
> http://www.mellanox.com
>



-- 
Andy Lutomirski
AMA Capital Management, LLC
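
The "tiny blob" discussed in this thread, sketched as an added userspace example (not code from this thread or from the task-isolation patches): a classic BPF seccomp filter that allows prctl/exit/exit_group and raises SIGSYS on everything else. The names `isol_filter`, `isol_install` and `isol_verdict` are hypothetical, the architecture check assumes x86-64, and `isol_verdict` is a small interpreter added only so the verdicts can be checked without installing the filter.

```c
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define ISOL_ARCH AUDIT_ARCH_X86_64 /* assumption: x86-64 syscall ABI */
#define ISOL_LEN  (sizeof(isol_filter) / sizeof(isol_filter[0]))

/* Classic BPF (not eBPF): allow prctl/exit/exit_group, SIGSYS on anything else. */
static struct sock_filter isol_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ISOL_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),  /* foreign ABI: numbers differ */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_prctl, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),  /* delivers SIGSYS */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Install the filter on the calling thread; returns 0 on success, -1 on error. */
int isol_install(void)
{
    struct sock_fprog prog = { .len = ISOL_LEN, .filter = isol_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Interpret the three opcodes used above and return the seccomp verdict. */
unsigned int isol_verdict(unsigned int arch, int nr)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    unsigned int acc = 0;
    for (size_t pc = 0; pc < ISOL_LEN; pc++) {
        const struct sock_filter *i = &isol_filter[pc];
        if (i->code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)&d + i->k, sizeof(acc));
        else if (i->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == i->k) ? i->jt : i->jf; /* offset from next insn */
        else
            return i->k;                         /* BPF_RET | BPF_K */
    }
    return SECCOMP_RET_KILL;
}
```

With `SECCOMP_RET_TRAP` the offending call is reported through SIGSYS rather than silently failing, which matches the "catching your own bugs" use described above.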
