On Sun, Jul 1, 2012 at 8:25 AM, Paolo Bonzini <pbonz...@redhat.com> wrote:
> On 18/06/2012 23:53, Corey Bryant wrote:
>>> Can each thread have separate seccomp whitelists? For example CPU
>>> threads should not need pretty much anything but the I/O thread needs
>>> I/O.
>>
>> No, seccomp filters are defined and enforced at the process level.
>
> Perhaps we can add (at the kernel level) a way for seccomp filters to
> examine the current tid.
seccomp filters are attached to the task_struct and apply per "thread" or per process, since they both get their own task_structs. (For Linux, process==thread with shared resources.) Filter programs are also inherited across clone/fork, so it's possible to install a "global" filter program which is inherited during thread creation, then apply per-thread refinements by stacking on additional filters (at the cost of additional evaluation time).

hth!
will
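An added illustration of the per-task_struct behaviour described above (this code is not from the thread or from QEMU): one thread stacks a refinement filter that returns EPERM for getppid, while the main thread, which never installed it, is unaffected. It assumes Linux with CONFIG_SECCOMP_FILTER and uses the prctl(2) interface available in 2012; the syscall chosen, getppid, is an arbitrary probe.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <pthread.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Attach a filter to the *calling* task_struct only. Threads cloned later
 * from this thread inherit it; existing sibling threads do not. A real
 * filter would first check seccomp_data.arch; omitted here for brevity. */
static int deny_syscall_in_this_thread(int nr)
{
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof insns / sizeof insns[0],
                               .filter = insns };
    /* Required for unprivileged SECCOMP_MODE_FILTER. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -1;
    /* Stacks on top of any filter already inherited from the creator. */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Worker: refine its own filter set, then probe the blocked syscall. */
static void *restricted_thread(void *arg)
{
    long *probe_errno = arg;
    if (deny_syscall_in_this_thread(SYS_getppid)) { *probe_errno = -2; return NULL; }
    errno = 0;
    *probe_errno = (syscall(SYS_getppid) == -1) ? errno : 0;  /* expect EPERM */
    return NULL;
}

/* Returns 1 when the refinement bit only the worker thread. */
int per_thread_filter_demo(void)
{
    pthread_t t;
    long worker_errno = -1;
    if (pthread_create(&t, NULL, restricted_thread, &worker_errno))
        return -1;
    pthread_join(t, NULL);
    int main_unaffected = (syscall(SYS_getppid) != -1);  /* no filter here */
    return worker_errno == EPERM && main_unaffected;
}
```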