Re: seccomp: Delay filter activation

2021-03-19 Thread Christian Brauner
On Thu, Mar 18, 2021 at 08:39:13PM +, Sargun Dhillon wrote: > On Thu, Mar 18, 2021 at 03:54:54PM +0100, Christian Brauner wrote: > > Sorry, I just found that mail. > > > > On Mon, Mar 01, 2021 at 03:44:06PM -0800, Kees Cook wrote: > > > On Mon, Mar 01, 2021 at 02:21:56PM +0100, Christian

Re: seccomp: Delay filter activation

2021-03-19 Thread Rodrigo Campos
On Thu, Mar 18, 2021 at 9:39 PM Sargun Dhillon wrote: > I believe that the OCI spec[2] is going to run into this class of problem > unless > we introduce an out of band signaling mechanism. I think a valid way to handle > this is do a send() of the fd number (literal), and wait for the other

Re: seccomp: Delay filter activation

2021-03-18 Thread Sargun Dhillon
On Thu, Mar 18, 2021 at 03:54:54PM +0100, Christian Brauner wrote: > Sorry, I just found that mail. > > On Mon, Mar 01, 2021 at 03:44:06PM -0800, Kees Cook wrote: > > On Mon, Mar 01, 2021 at 02:21:56PM +0100, Christian Brauner wrote: > > > On Mon, Mar 01, 2021 at 12:09:09PM +0100, Christian

Re: seccomp: Delay filter activation

2021-03-18 Thread Christian Brauner
Sorry, I just found that mail. On Mon, Mar 01, 2021 at 03:44:06PM -0800, Kees Cook wrote: > On Mon, Mar 01, 2021 at 02:21:56PM +0100, Christian Brauner wrote: > > On Mon, Mar 01, 2021 at 12:09:09PM +0100, Christian Brauner wrote: > > > On Sat, Feb 20, 2021 at 01:31:57AM -0800, Sargun Dhillon

Re: seccomp: Delay filter activation

2021-03-01 Thread Kees Cook
On Mon, Mar 01, 2021 at 02:21:56PM +0100, Christian Brauner wrote: > On Mon, Mar 01, 2021 at 12:09:09PM +0100, Christian Brauner wrote: > > On Sat, Feb 20, 2021 at 01:31:57AM -0800, Sargun Dhillon wrote: > > > We've run into a problem where attaching a filter can be quite messy > > > business

Re: seccomp: Delay filter activation

2021-03-01 Thread Christian Brauner
On Mon, Mar 01, 2021 at 12:09:09PM +0100, Christian Brauner wrote: > On Sat, Feb 20, 2021 at 01:31:57AM -0800, Sargun Dhillon wrote: > > We've run into a problem where attaching a filter can be quite messy > > business because the filter itself intercepts sendmsg, and other > > syscalls related to

Re: seccomp: Delay filter activation

2021-03-01 Thread Christian Brauner
On Sat, Feb 20, 2021 at 01:31:57AM -0800, Sargun Dhillon wrote: > We've run into a problem where attaching a filter can be quite messy > business because the filter itself intercepts sendmsg, and other > syscalls related to exfiltrating the listener FD. I believe that this > problem set has been

seccomp: Delay filter activation

2021-02-20 Thread Sargun Dhillon
We've run into a problem where attaching a filter can be quite messy business because the filter itself intercepts sendmsg, and other syscalls related to exfiltrating the listener FD. I believe that this problem set has been brought up before, and although there are "simpler" methods of