Hi,

Not too long ago we introduced the v2 seccomp policy format, which allows for blacklists. One problem with blacklists is that on a newer kernel there may be new syscalls which shouldn't be trusted.

So I'd like to introduce a max-syscall-number option, so that any higher syscall number will also be blacklisted. This is actually efficient to do with a SCMP_CMP_GT comparison added to a rule. I'm wondering how this is best specified. There are a few options:

1. If we think this is the only comparison rule we'll frequently want, we could extend the policy language so that

    2
    blacklist maxno 500
    finit_module errno 1

would mean that anything higher than 500 would be blacklisted.

2. We could define seccomp policy format version 3, which allows more general rules, like

    3
    blacklist
    finit_module errno 1
    GT 500 errno 1
    LT 3 kill

Preferences? Other ideas?
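The two syntaxes proposed above, evaluated side by side against a plain v2 blacklist. This is an added example, not part of the original post and not LXC code. Assumptions: the names parse_policy and decide are hypothetical, finit_module is mapped to its x86_64 number 313, rules are matched first-hit, and "errno 1" is assumed as the action for numbers above maxno, which the post does not state.

```python
# Constructed name -> number table (x86_64 value); a real loader would
# resolve syscall names through libseccomp instead.
SYSCALL_NR = {"finit_module": 313}
ALLOW = "allow"  # implicit default action of a blacklist policy

# Constructed sample policies mirroring the post's two options, plus the
# existing v2 form without any upper bound.
PLAIN_V2 = "2\nblacklist\nfinit_module errno 1\n"
OPTION_1 = "2\nblacklist maxno 500\nfinit_module errno 1\n"
OPTION_2 = "3\nblacklist\nfinit_module errno 1\nGT 500 errno 1\nLT 3 kill\n"


def parse_policy(text):
    """Parse either proposed syntax into (kind, value, action) rules."""
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    version, header, body = int(lines[0][0]), lines[1], lines[2:]
    if header[0] != "blacklist":
        raise ValueError("this sketch only handles blacklist policies")
    rules = []
    if version == 2 and header[1:2] == ["maxno"]:
        # Option 1: the action above maxno is an assumption (errno 1).
        rules.append(("GT", int(header[2]), "errno 1"))
    elif len(header) > 1:
        raise ValueError("unexpected text on the policy line")
    for fields in body:
        if version == 3 and fields[0] in ("GT", "LT"):
            # Option 2: comparison against the syscall number itself.
            rules.append((fields[0], int(fields[1]), " ".join(fields[2:])))
        elif fields[0] in SYSCALL_NR:
            rules.append(("EQ", SYSCALL_NR[fields[0]], " ".join(fields[1:])))
        else:
            raise ValueError("unknown syscall name: " + fields[0])
    return rules


def decide(rules, nr):
    """Return the action of the first rule matching syscall number nr."""
    for kind, value, action in rules:
        if ((kind == "EQ" and nr == value) or (kind == "GT" and nr > value)
                or (kind == "LT" and nr < value)):
            return action
    return ALLOW


if __name__ == "__main__":
    # 600 stands in for a syscall added by a kernel newer than the policy.
    for name, text in (("v2", PLAIN_V2), ("opt1", OPTION_1), ("opt2", OPTION_2)):
        print(name, [decide(parse_policy(text), nr) for nr in (1, 313, 500, 600)])
```

The plain v2 blacklist lets the unknown number 600 through, while both proposed forms deny it without the policy naming the new syscall.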
