> On Jun 25, 2018, at 6:32 PM, Tycho Andersen wrote:
>
>> On Sat, Jun 23, 2018 at 12:27:43AM +0200, Jann Horn wrote:
>>> On Fri, Jun 22, 2018 at 11:51 PM Kees Cook wrote:
>>>
On Fri, Jun 22, 2018 at 11:09 AM, Andy Lutomirski wrote:
One possible extra issue: IIRC /proc/.../me
On Sat, Jun 23, 2018 at 12:27:43AM +0200, Jann Horn wrote:
> On Fri, Jun 22, 2018 at 11:51 PM Kees Cook wrote:
> >
> > On Fri, Jun 22, 2018 at 11:09 AM, Andy Lutomirski wrote:
> > > One possible extra issue: IIRC /proc/.../mem uses FOLL_FORCE, which is
> > > not what we want here.
>
> Uuug
On Fri, Jun 22, 2018 at 11:51 PM Kees Cook wrote:
>
> On Fri, Jun 22, 2018 at 11:09 AM, Andy Lutomirski wrote:
> > One possible extra issue: IIRC /proc/.../mem uses FOLL_FORCE, which is not
> > what we want here.
Uuugh, I forgot about that.
> > How about just adding an explicit “read/write the
On Fri, Jun 22, 2018 at 11:09 AM, Andy Lutomirski wrote:
> One possible extra issue: IIRC /proc/.../mem uses FOLL_FORCE, which is not
> what we want here.
>
> How about just adding an explicit “read/write the seccomp-trapped task’s
> memory” primitive? That should be easier than a “open mem fd”
> On Jun 22, 2018, at 8:15 AM, Tycho Andersen wrote:
>
> Hi Jann,
>
>> On Fri, Jun 22, 2018 at 04:40:20PM +0200, Jann Horn wrote:
>>> On Fri, Jun 22, 2018 at 12:05 AM Tycho Andersen wrote:
>>> This patch introduces a means for syscalls matched in seccomp to notify
>>> some other task that a
On Fri, Jun 22, 2018 at 5:15 PM Tycho Andersen wrote:
>
> Hi Jann,
>
> On Fri, Jun 22, 2018 at 04:40:20PM +0200, Jann Horn wrote:
> > On Fri, Jun 22, 2018 at 12:05 AM Tycho Andersen wrote:
> > > This patch introduces a means for syscalls matched in seccomp to notify
> > > some other task that a p
Hi Jann,
On Fri, Jun 22, 2018 at 04:40:20PM +0200, Jann Horn wrote:
> On Fri, Jun 22, 2018 at 12:05 AM Tycho Andersen wrote:
> > This patch introduces a means for syscalls matched in seccomp to notify
> > some other task that a particular filter has been triggered.
> >
> > The motivation for this
On Fri, Jun 22, 2018 at 12:05 AM Tycho Andersen wrote:
> This patch introduces a means for syscalls matched in seccomp to notify
> some other task that a particular filter has been triggered.
>
> The motivation for this is primarily for use with containers. For example,
> if a container does an in
On Fri, Jun 22, 2018 at 03:28:24AM +0200, Jann Horn wrote:
> On Fri, Jun 22, 2018 at 2:58 AM Tycho Andersen wrote:
> >
> > On Fri, Jun 22, 2018 at 01:21:47AM +0200, Jann Horn wrote:
> > > On Fri, Jun 22, 2018 at 12:05 AM Tycho Andersen wrote:
> > > [...]
> > > > +
> > > > +static void seccomp_do_
On Fri, Jun 22, 2018 at 2:58 AM Tycho Andersen wrote:
>
> On Fri, Jun 22, 2018 at 01:21:47AM +0200, Jann Horn wrote:
> > On Fri, Jun 22, 2018 at 12:05 AM Tycho Andersen wrote:
> > >
> > > This patch introduces a means for syscalls matched in seccomp to notify
> > > some other task that a particul
On Fri, Jun 22, 2018 at 01:21:47AM +0200, Jann Horn wrote:
> On Fri, Jun 22, 2018 at 12:05 AM Tycho Andersen wrote:
> >
> > This patch introduces a means for syscalls matched in seccomp to notify
> > some other task that a particular filter has been triggered.
> [...]
> > +Userspace Notification
>
On Fri, Jun 22, 2018 at 12:05 AM Tycho Andersen wrote:
>
> This patch introduces a means for syscalls matched in seccomp to notify
> some other task that a particular filter has been triggered.
[...]
> +Userspace Notification
> +==
> +
> +The ``SECCOMP_RET_USER_NOTIF`` return c
This patch introduces a means for syscalls matched in seccomp to notify
some other task that a particular filter has been triggered.
The motivation for this is primarily for use with containers. For example,
if a container does an init_module(), we obviously don't want to load this
untrusted code,