On Wed, Sep 09, 2015 at 04:44:24PM -0700, Andy Lutomirski wrote:
> On Wed, Sep 9, 2015 at 3:34 PM, Tycho Andersen
> <tycho.ander...@canonical.com> wrote:
> >
> > Here's a thought,
> >
> > The set I'm currently proposing effectively separates the ref-counting
> > of the struct seccomp_filter from the struct bpf_prog (by necessity,
> > since we're referring to filters from fds). What if we went a little
> > further, and made a copy of each seccomp_filter on fork(), keeping it
> > pointed at the same bpf_prog but adding some metadata about how it was
> > inherited (tsk->seccomp.filter->inheritence_count++ perhaps). This
> > would still require this change:
>
> Won't that break the tsync mechanism?
We'll need the change I posted (is_ancestor comparing the underlying
bpf_prog instead of the seccomp_filter), but then I think it'll work. I
guess we'll need to do some more bookkeeping when we install filters via
TSYNC since each thread would need its own seccomp_filter, and we'd also
have to decide whether a filter installed via TSYNC was inherited or not.

Am I missing something?

Tycho
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
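The exchange above turns on how the TSYNC ancestry check walks the filter chain. The following is an added userspace model written for this page, not code from the thread or from kernel/seccomp.c: `struct seccomp_filter` and `struct bpf_prog` are reduced to the fields the discussion needs, `is_ancestor_by_filter` mirrors the kernel's pointer-walking is_ancestor() in simplified form, and `fork_copy`, `fork_share`, `is_ancestor_by_prog`, `tsync_check`, `unrelated_check` and the `inheritance_count` field are hypothetical names chosen here to model the proposal. It shows why copying seccomp_filter per task on fork() makes the pointer comparison fail for a child that has since added a filter, and how comparing the underlying bpf_prog chain restores the check while still rejecting an unrelated chain.

```c
/* Userspace model of the seccomp filter chain and the TSYNC ancestry walk.
 * Added illustration for this thread; not kernel code. Names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct bpf_prog {
	const char *name;	/* label only; a real prog holds BPF instructions */
	int refcnt;		/* the prog's own refcount, separate from the filter's */
};

struct seccomp_filter {
	struct bpf_prog *prog;
	struct seccomp_filter *prev;	/* next-older filter in this task's chain */
	int inheritance_count;		/* hypothetical metadata from the proposal */
};

static struct bpf_prog *prog_new(const char *name)
{
	struct bpf_prog *p = calloc(1, sizeof(*p));
	p->name = name;
	return p;
}

/* Install a new filter on top of a task's chain (models attaching a filter). */
static struct seccomp_filter *filter_push(struct seccomp_filter *top, struct bpf_prog *prog)
{
	struct seccomp_filter *f = calloc(1, sizeof(*f));
	f->prog = prog;
	prog->refcnt++;
	f->prev = top;
	return f;
}

/* Today's behaviour: the child task shares the parent's seccomp_filter chain. */
static struct seccomp_filter *fork_share(struct seccomp_filter *parent)
{
	return parent;
}

/* Proposed behaviour: copy every seccomp_filter for the child, each copy still
 * pointing at the same bpf_prog, and record that the copy was inherited. */
static struct seccomp_filter *fork_copy(struct seccomp_filter *parent)
{
	struct seccomp_filter *copy;
	if (!parent)
		return NULL;
	copy = calloc(1, sizeof(*copy));
	copy->prog = parent->prog;
	copy->prog->refcnt++;
	copy->inheritance_count = parent->inheritance_count + 1;
	copy->prev = fork_copy(parent->prev);
	return copy;
}

/* Simplified mirror of the kernel's is_ancestor(): parent is an ancestor if
 * that exact struct appears somewhere in child's prev chain. */
static int is_ancestor_by_filter(struct seccomp_filter *parent, struct seccomp_filter *child)
{
	if (!parent)
		return 1;
	for (; child; child = child->prev)
		if (child == parent)
			return 1;
	return 0;
}

/* Two chains are equivalent if they reference the same bpf_progs in the same order. */
static int chain_equal_progs(struct seccomp_filter *a, struct seccomp_filter *b)
{
	for (; a && b; a = a->prev, b = b->prev)
		if (a->prog != b->prog)
			return 0;
	return a == NULL && b == NULL;
}

/* The variant discussed: compare underlying bpf_progs, matching the whole
 * remaining chain so a different history that happens to share one prog fails. */
static int is_ancestor_by_prog(struct seccomp_filter *parent, struct seccomp_filter *child)
{
	if (!parent)
		return 1;
	for (; child; child = child->prev)
		if (chain_equal_progs(child, parent))
			return 1;
	return 0;
}

static void chain_free(struct seccomp_filter *f, struct seccomp_filter *stop)
{
	while (f && f != stop) {
		struct seccomp_filter *next = f->prev;
		free(f);
		f = next;
	}
}

/* Scenario from the thread: parent chain [B -> A]; the child forks and pushes C.
 * Returns 1 if the chosen is_ancestor variant still recognises the parent chain. */
static int tsync_check(int copy_on_fork, int compare_prog)
{
	struct bpf_prog *a = prog_new("A"), *b = prog_new("B"), *c = prog_new("C");
	struct seccomp_filter *parent = filter_push(filter_push(NULL, a), b);
	struct seccomp_filter *child = copy_on_fork ? fork_copy(parent) : fork_share(parent);
	int ok;

	child = filter_push(child, c);
	ok = compare_prog ? is_ancestor_by_prog(parent, child)
			  : is_ancestor_by_filter(parent, child);
	chain_free(child, copy_on_fork ? NULL : parent);
	chain_free(parent, NULL);
	free(a); free(b); free(c);
	return ok;
}

/* Negative case: a task whose chain [C -> D -> A] shares only prog A with the
 * parent's [B -> A] must not pass the prog-based check. */
static int unrelated_check(void)
{
	struct bpf_prog *a = prog_new("A"), *b = prog_new("B"), *c = prog_new("C"), *d = prog_new("D");
	struct seccomp_filter *parent = filter_push(filter_push(NULL, a), b);
	struct seccomp_filter *other = filter_push(filter_push(filter_push(NULL, a), d), c);
	int ok = is_ancestor_by_prog(parent, other);
	chain_free(parent, NULL);
	chain_free(other, NULL);
	free(a); free(b); free(c); free(d);
	return ok;
}

int main(void)
{
	printf("shared chain, pointer compare : %d\n", tsync_check(0, 0));
	printf("copied chain, pointer compare : %d  (Andy's concern)\n", tsync_check(1, 0));
	printf("copied chain, prog compare    : %d  (Tycho's fix)\n", tsync_check(1, 1));
	printf("unrelated chain, prog compare : %d\n", unrelated_check());
	return 0;
}
```

The `chain_equal_progs` suffix match is a design choice of this model rather than anything the thread specifies: once filters are per-task copies, pointer identity of one struct no longer implies the rest of the chain is shared, so the prog-based comparison has to walk both chains to the bottom to carry the same guarantee.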