Re: [net-next v3 1/2] bpf, seccomp: Add eBPF filter capabilities

2018-03-05 Thread Sargun Dhillon
On Mon, Mar 5, 2018 at 8:10 AM, Tycho Andersen wrote:
> Hi Andy,
>
> On Thu, Mar 01, 2018 at 10:05:47PM +, Andy Lutomirski wrote:
>> But Tycho: would hooking user notifiers in right here work for you?
>> As I see it, this would be the best justification for seccomp eBPF.

Re: [net-next v3 1/2] bpf, seccomp: Add eBPF filter capabilities

2018-03-05 Thread Tycho Andersen
Hi Andy,

On Thu, Mar 01, 2018 at 10:05:47PM +, Andy Lutomirski wrote:
> But Tycho: would hooking user notifiers in right here work for you?
> As I see it, this would be the best justification for seccomp eBPF.

Sorry for the delay; Sargun had declared on irc that he was going to implement it,

Re: [net-next v3 1/2] bpf, seccomp: Add eBPF filter capabilities

2018-03-01 Thread Andy Lutomirski
On Mon, Feb 26, 2018 at 7:27 AM, Sargun Dhillon wrote:
> This introduces the BPF_PROG_TYPE_SECCOMP bpf program type. It is meant
> to be used for seccomp filters as an alternative to cBPF filters. The
> program type has relatively limited capabilities in terms of helpers,
> but

Re: [net-next v3 1/2] bpf, seccomp: Add eBPF filter capabilities

2018-02-26 Thread Kees Cook
On Mon, Feb 26, 2018 at 8:08 PM, Sargun Dhillon wrote:
> On Mon, Feb 26, 2018 at 7:57 PM, Tycho Andersen wrote:
>> On Mon, Feb 26, 2018 at 07:49:48PM -0800, Sargun Dhillon wrote:
>>> On Mon, Feb 26, 2018 at 4:54 PM, Tycho Andersen wrote:
>>> >

Re: [net-next v3 1/2] bpf, seccomp: Add eBPF filter capabilities

2018-02-26 Thread Sargun Dhillon
On Mon, Feb 26, 2018 at 7:57 PM, Tycho Andersen wrote: > On Mon, Feb 26, 2018 at 07:49:48PM -0800, Sargun Dhillon wrote: >> On Mon, Feb 26, 2018 at 4:54 PM, Tycho Andersen wrote: >> > On Mon, Feb 26, 2018 at 07:27:05AM +, Sargun Dhillon wrote: >> >> +config

Re: [net-next v3 1/2] bpf, seccomp: Add eBPF filter capabilities

2018-02-26 Thread Tycho Andersen
On Mon, Feb 26, 2018 at 07:49:48PM -0800, Sargun Dhillon wrote: > On Mon, Feb 26, 2018 at 4:54 PM, Tycho Andersen wrote: > > On Mon, Feb 26, 2018 at 07:27:05AM +, Sargun Dhillon wrote: > >> +config SECCOMP_FILTER_EXTENDED > >> + bool "Extended BPF seccomp filters" > >> +

Re: [net-next v3 1/2] bpf, seccomp: Add eBPF filter capabilities

2018-02-26 Thread Sargun Dhillon
On Mon, Feb 26, 2018 at 4:54 PM, Tycho Andersen wrote: > On Mon, Feb 26, 2018 at 07:27:05AM +, Sargun Dhillon wrote: >> +config SECCOMP_FILTER_EXTENDED >> + bool "Extended BPF seccomp filters" >> + depends on SECCOMP_FILTER && BPF_SYSCALL >> + depends on

Re: [net-next v3 1/2] bpf, seccomp: Add eBPF filter capabilities

2018-02-26 Thread Tycho Andersen
On Mon, Feb 26, 2018 at 07:27:05AM +, Sargun Dhillon wrote: > +config SECCOMP_FILTER_EXTENDED > + bool "Extended BPF seccomp filters" > + depends on SECCOMP_FILTER && BPF_SYSCALL > + depends on !CHECKPOINT_RESTORE Why not just give -EINVAL or something in case one of these is

[net-next v3 1/2] bpf, seccomp: Add eBPF filter capabilities

2018-02-25 Thread Sargun Dhillon
This introduces the BPF_PROG_TYPE_SECCOMP bpf program type. It is meant to be used for seccomp filters as an alternative to cBPF filters. The program type has relatively limited capabilities in terms of helpers, but that can be extended later on. The eBPF code loading is separated from attachment