> We're currently working on a feature in chromium that uses pkeys for
> in-process isolation. Being able to use the pkey state in the seccomp
> filter would be pretty useful for this. For example, it would allow
> us to enforce that no code outside the isolated thread would ever
> map/mprotect
On 10/29/2018 11:33 PM, Dave Hansen wrote:
But, that's really an implementation detail. The effect on the ABI and
how this might constrain future pkeys use is my bigger worry.
I'd also want to make sure that your specific use-case is compatible
with all the oddities of pkeys, like the 'clone' a
Am 29.10.2018 um 18:29 schrieb Dave Hansen:
On 10/29/18 9:48 AM, Jann Horn wrote:
On Mon, Oct 29, 2018 at 5:37 PM Dave Hansen wrote:
I'm not sure this is a great use for PKRU. I *think* the basic problem
is that you want to communicate some rights information down into a
filter, and you want
On 10/29/2018 05:48 PM, Ram Pai wrote:
On Mon, Oct 29, 2018 at 09:25:15AM -0700, Kees Cook wrote:
On Mon, Oct 29, 2018 at 4:23 AM, Michael Sammler wrote:
Add the current value of an architecture specific protection keys
register (currently PKRU on x86) to data available for seccomp-bpf
On 10/29/2018 05:48 PM, Jann Horn wrote:
On Mon, Oct 29, 2018 at 5:37 PM Dave Hansen wrote:
On 10/29/18 9:25 AM, Kees Cook wrote:
On Mon, Oct 29, 2018 at 4:23 AM, Michael Sammler wrote:
Add the current value of an architecture specific protection keys
register (currently PKRU on x86) to
ned-off-by: Michael Sammler
---
Changes to the previous version:
- added motivation, notes about POWER, alternative design and benchmark results
to the commit log
- renamed pkru field in seccomp_data to pkeys
- changed size of pkru field to __u64 and removed reserved field
- added test for x86
a
On 10/25/2018 11:12 AM, Florian Weimer wrote:
I understand your concern about exposing the number of protection keys
in the ABI. One idea would be to state, that the pkru field (which
should probably be renamed) contains an architecture specific value,
which could then be the PKRU on x86 and AMR
On 10/24/2018 08:06 PM, Florian Weimer wrote:
* Michael Sammler:
Add the current value of the PKRU register to data available for
seccomp-bpf programs to work on. This allows filters based on the
currently enabled protection keys.
diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux
