Re: [net-next v3 0/2] eBPF seccomp filters

2018-03-01 Thread Sargun Dhillon
On Thu, Mar 1, 2018 at 1:59 PM, Andy Lutomirski wrote: > On Thu, Mar 1, 2018 at 9:51 PM, Sargun Dhillon wrote: >> On Thu, Mar 1, 2018 at 9:44 AM, Andy Lutomirski wrote: >>> On Wed, Feb 28, 2018 at 7:56 PM, Daniel Borkmann

Re: [net-next v3 0/2] eBPF seccomp filters

2018-03-01 Thread Andy Lutomirski
On Thu, Mar 1, 2018 at 9:51 PM, Sargun Dhillon wrote: > On Thu, Mar 1, 2018 at 9:44 AM, Andy Lutomirski wrote: >> On Wed, Feb 28, 2018 at 7:56 PM, Daniel Borkmann >> wrote: >>> On 02/28/2018 12:55 AM, chris hyser wrote: > On

Re: [net-next v3 0/2] eBPF seccomp filters

2018-03-01 Thread Daniel Borkmann
On 03/01/2018 06:44 PM, Andy Lutomirski wrote: > On Wed, Feb 28, 2018 at 7:56 PM, Daniel Borkmann wrote: >> On 02/28/2018 12:55 AM, chris hyser wrote: On 02/27/2018 04:58 PM, Daniel Borkmann wrote: >> On 02/27/2018 05:59 PM, chris hyser wrote: >> On 02/27/2018

Re: [net-next v3 0/2] eBPF seccomp filters

2018-03-01 Thread Sargun Dhillon
On Thu, Mar 1, 2018 at 9:44 AM, Andy Lutomirski wrote: > On Wed, Feb 28, 2018 at 7:56 PM, Daniel Borkmann wrote: >> On 02/28/2018 12:55 AM, chris hyser wrote: On 02/27/2018 04:58 PM, Daniel Borkmann wrote: >> On 02/27/2018 05:59 PM, chris

Re: [net-next v3 0/2] eBPF seccomp filters

2018-03-01 Thread Andy Lutomirski
On Wed, Feb 28, 2018 at 7:56 PM, Daniel Borkmann wrote: > On 02/28/2018 12:55 AM, chris hyser wrote: >>> On 02/27/2018 04:58 PM, Daniel Borkmann wrote: >> On 02/27/2018 05:59 PM, >>> chris hyser wrote: > On 02/27/2018 11:00 AM, Kees Cook wrote: >> On Tue, Feb 27,

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-28 Thread chris hyser
On 02/28/2018 02:56 PM, Daniel Borkmann wrote: On 02/28/2018 12:55 AM, chris hyser wrote: If you're implying that because seccomp would have its own verifier and could therefore restrict itself to a subset of eBPF, therefore any future additions/features to eBPF would not necessarily make

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-28 Thread Daniel Borkmann
On 02/28/2018 12:55 AM, chris hyser wrote: >> On 02/27/2018 04:58 PM, Daniel Borkmann wrote: >> On 02/27/2018 05:59 PM, >> chris hyser wrote: On 02/27/2018 11:00 AM, Kees Cook wrote: > On Tue, Feb 27, 2018 at 6:53 AM, chris hyser > wrote: >> On

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-27 Thread chris hyser
On 02/27/2018 04:58 PM, Daniel Borkmann wrote: >> On 02/27/2018 05:59 PM, chris hyser wrote: On 02/27/2018 11:00 AM, Kees Cook wrote: On Tue, Feb 27, 2018 at 6:53 AM, chris hyser wrote: On 02/26/2018 11:38 PM, Kees Cook wrote: On Mon, Feb 26, 2018 at 8:19 PM, Andy

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-27 Thread Andy Lutomirski
On Tue, Feb 27, 2018 at 11:10 PM, Mickaël Salaün wrote: > > On 27/02/2018 05:54, Andy Lutomirski wrote: >> >> >>> On Feb 26, 2018, at 8:38 PM, Kees Cook wrote: >>> >>> On Mon, Feb 26, 2018 at 8:19 PM, Andy Lutomirski >>> wrote:

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-27 Thread Mickaël Salaün
On 27/02/2018 05:54, Andy Lutomirski wrote: > > >> On Feb 26, 2018, at 8:38 PM, Kees Cook wrote: >> >> On Mon, Feb 26, 2018 at 8:19 PM, Andy Lutomirski wrote: On Feb 26, 2018, at 3:20 PM, Kees Cook wrote: On

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-27 Thread chris hyser
On 02/27/2018 04:58 PM, Daniel Borkmann wrote: On 02/27/2018 05:59 PM, chris hyser wrote: On 02/27/2018 11:00 AM, Kees Cook wrote: On Tue, Feb 27, 2018 at 6:53 AM, chris hyser wrote: On 02/26/2018 11:38 PM, Kees Cook wrote: On Mon, Feb 26, 2018 at 8:19 PM, Andy

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-27 Thread Daniel Borkmann
On 02/27/2018 05:59 PM, chris hyser wrote: > On 02/27/2018 11:00 AM, Kees Cook wrote: >> On Tue, Feb 27, 2018 at 6:53 AM, chris hyser wrote: >>> On 02/26/2018 11:38 PM, Kees Cook wrote: On Mon, Feb 26, 2018 at 8:19 PM, Andy Lutomirski wrote:

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-27 Thread chris hyser
On 02/27/2018 02:19 PM, Kees Cook wrote: On Tue, Feb 27, 2018 at 8:59 AM, chris hyser wrote: I will try to find that discussion. As someone pointed out here though, eBPF A good starting point might be this: https://lwn.net/Articles/441232/ Thanks. A fair amount of

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-27 Thread Kees Cook
On Tue, Feb 27, 2018 at 8:59 AM, chris hyser wrote: > On 02/27/2018 11:00 AM, Kees Cook wrote: >> >> On Tue, Feb 27, 2018 at 6:53 AM, chris hyser >> wrote: >>> >>> On 02/26/2018 11:38 PM, Kees Cook wrote: On Mon, Feb 26, 2018 at 8:19

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-27 Thread chris hyser
On 02/27/2018 11:00 AM, Kees Cook wrote: On Tue, Feb 27, 2018 at 6:53 AM, chris hyser wrote: On 02/26/2018 11:38 PM, Kees Cook wrote: On Mon, Feb 26, 2018 at 8:19 PM, Andy Lutomirski wrote: 3. Straight-up bugs. Those are exactly as problematic

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-27 Thread Kees Cook
On Tue, Feb 27, 2018 at 6:53 AM, chris hyser wrote: > On 02/26/2018 11:38 PM, Kees Cook wrote: >> >> On Mon, Feb 26, 2018 at 8:19 PM, Andy Lutomirski >> wrote: >>> >>> 3. Straight-up bugs. Those are exactly as problematic as verifier >>> bugs in any

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-27 Thread chris hyser
On 02/26/2018 11:38 PM, Kees Cook wrote: On Mon, Feb 26, 2018 at 8:19 PM, Andy Lutomirski wrote: 3. Straight-up bugs. Those are exactly as problematic as verifier bugs in any other unprivileged eBPF program type, right? I don't see why seccomp is special here. My

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-27 Thread Daniel Borkmann
On 02/27/2018 01:01 AM, Sargun Dhillon wrote: > On Mon, Feb 26, 2018 at 3:04 PM, Alexei Starovoitov > wrote: >> On Mon, Feb 26, 2018 at 07:26:54AM +, Sargun Dhillon wrote: >>> This patchset enables seccomp filters to be written in eBPF. Although, this >>>

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-26 Thread Andy Lutomirski
> On Feb 26, 2018, at 8:38 PM, Kees Cook wrote: > > On Mon, Feb 26, 2018 at 8:19 PM, Andy Lutomirski wrote: >>> On Feb 26, 2018, at 3:20 PM, Kees Cook wrote: >>> >>> On Mon, Feb 26, 2018 at 3:04 PM, Alexei Starovoitov >>>

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-26 Thread Kees Cook
On Mon, Feb 26, 2018 at 8:19 PM, Andy Lutomirski wrote: >> On Feb 26, 2018, at 3:20 PM, Kees Cook wrote: >> >> On Mon, Feb 26, 2018 at 3:04 PM, Alexei Starovoitov >> wrote: On Mon, Feb 26, 2018 at 07:26:54AM +,

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-26 Thread Andy Lutomirski
> On Feb 26, 2018, at 3:20 PM, Kees Cook wrote: > > On Mon, Feb 26, 2018 at 3:04 PM, Alexei Starovoitov > wrote: >>> On Mon, Feb 26, 2018 at 07:26:54AM +, Sargun Dhillon wrote: >>> This patchset enables seccomp filters to be written in

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-26 Thread Tycho Andersen
On Mon, Feb 26, 2018 at 07:46:19PM -0800, Sargun Dhillon wrote: > On Mon, Feb 26, 2018 at 5:01 PM, Tycho Andersen wrote: > > On Mon, Feb 26, 2018 at 03:20:15PM -0800, Kees Cook wrote: > >> On Mon, Feb 26, 2018 at 3:04 PM, Alexei Starovoitov > >>

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-26 Thread Sargun Dhillon
On Mon, Feb 26, 2018 at 5:01 PM, Tycho Andersen wrote: > On Mon, Feb 26, 2018 at 03:20:15PM -0800, Kees Cook wrote: >> On Mon, Feb 26, 2018 at 3:04 PM, Alexei Starovoitov >> wrote: >> > On Mon, Feb 26, 2018 at 07:26:54AM +, Sargun Dhillon wrote:

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-26 Thread Tycho Andersen
On Mon, Feb 26, 2018 at 03:20:15PM -0800, Kees Cook wrote: > On Mon, Feb 26, 2018 at 3:04 PM, Alexei Starovoitov > wrote: > > On Mon, Feb 26, 2018 at 07:26:54AM +, Sargun Dhillon wrote: > >> This patchset enables seccomp filters to be written in eBPF. Although,

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-26 Thread Sargun Dhillon
On Mon, Feb 26, 2018 at 3:04 PM, Alexei Starovoitov wrote: > On Mon, Feb 26, 2018 at 07:26:54AM +, Sargun Dhillon wrote: >> This patchset enables seccomp filters to be written in eBPF. Although, this >> patchset doesn't introduce much of the functionality enabled

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-26 Thread Kees Cook
On Mon, Feb 26, 2018 at 3:04 PM, Alexei Starovoitov wrote: > On Mon, Feb 26, 2018 at 07:26:54AM +, Sargun Dhillon wrote: >> This patchset enables seccomp filters to be written in eBPF. Although, this >> [...] > The main statement I want to hear from seccomp

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-26 Thread Alexei Starovoitov
On Mon, Feb 26, 2018 at 07:26:54AM +, Sargun Dhillon wrote: > This patchset enables seccomp filters to be written in eBPF. Although, this > patchset doesn't introduce much of the functionality enabled by eBPF, it lays > the groundwork for it. Currently, you have to disable CHECKPOINT_RESTORE

[net-next v3 0/2] eBPF seccomp filters

2018-02-25 Thread Sargun Dhillon
This patchset enables seccomp filters to be written in eBPF. Although, this patchset doesn't introduce much of the functionality enabled by eBPF, it lays the groundwork for it. Currently, you have to disable CHECKPOINT_RESTORE support in order to utilize eBPF seccomp filters, as eBPF filters