On Fri, Jun 12, 2026 at 3:02 PM clubby789 <[email protected]> wrote:
>
> On Fri, Jun 12, 2026 at 10:24 PM Andy Lutomirski <[email protected]> wrote:
> >
> > I wonder if it would be reasonable to have the kernel do this on
> > behalf of the user program that's asking for STRICT. The
> > implementation would probably be trivial.
>
> I experimented with this approach after the initial AI review, but it
> turned out surprisingly complex,
> requiring a decent amount of refactoring to allow installing
> kernel-resident programs.

Maybe so. But there is a function bpf_prog_create (as opposed to bpf_prog_create_from_user).

> The filter
> itself is also rather complex (mostly due to needing to account for
> BPF jump sizes, which differ
> as different configs (uprobe, uretprobe, SECCOMP_ARCH_COMPAT) have
> different logic), and I'd worry about
> keeping logic synced.

Perhaps you and your AI could elaborate? What are these jump sizes?

In any case, I think the actual issue is that the STRICT filter's failure case doesn't quite correspond to any of the FILTER actions. So maybe it's too complex to be worthwhile.

--Andy

