On Wed, Feb 14, 2018 at 8:30 PM, Alexei Starovoitov
wrote:
> On Wed, Feb 14, 2018 at 10:32:22AM -0700, Tycho Andersen wrote:
>> > >
>> > > What's the reason for adding eBPF support? seccomp shouldn't need it,
>> > > and it only makes the code more complex. I'd rather stick with cBPF
>> > > until w
> On Feb 14, 2018, at 8:30 PM, Alexei Starovoitov
> wrote:
>
> On Wed, Feb 14, 2018 at 10:32:22AM -0700, Tycho Andersen wrote:
What's the reason for adding eBPF support? seccomp shouldn't need it,
and it only makes the code more complex. I'd rather stick with cBPF
until we
On Thu, Feb 15, 2018 at 1:30 PM, Alexei Starovoitov
wrote:
> Specifically for android we added bpf_lsm hooks, cookie/uid helpers,
> and read-only maps.
> Lorenzo,
> there was a claim in this thread that bpf is disabled on android.
> Can you please clarify ?
It's not compiled out, at least at the
On Wed, Feb 14, 2018 at 10:32:22AM -0700, Tycho Andersen wrote:
> > >
> > > What's the reason for adding eBPF support? seccomp shouldn't need it,
> > > and it only makes the code more complex. I'd rather stick with cBPF
> > > until we have an overwhelmingly good reason to use eBPF as a "native"
> >
On Wed, Feb 14, 2018 at 05:25:00PM +, Andy Lutomirski wrote:
> On Tue, Feb 13, 2018 at 3:47 PM, Kees Cook wrote:
> > On Tue, Feb 13, 2018 at 7:42 AM, Sargun Dhillon wrote:
> >> This patchset enables seccomp filters to be written in eBPF. Although,
> >> this patchset doesn't introduce much of
On Tue, Feb 13, 2018 at 3:47 PM, Kees Cook wrote:
> On Tue, Feb 13, 2018 at 7:42 AM, Sargun Dhillon wrote:
>> This patchset enables seccomp filters to be written in eBPF. Although,
>> this patchset doesn't introduce much of the functionality enabled by
>> eBPF, it lays the ground work for it.
>>
seccomp-bpf does not use cBPF but a subset of it. The reason is that it
is meant to reduce the attack surface of the kernel. By limiting the
number of instructions allowed by seccomp-bpf, it really reduces the
possibilities for an attacker to use seccomp-bpf as an entry point to
attack the kernel. M
On Tue, Feb 13, 2018 at 3:16 PM, Kees Cook wrote:
> On Tue, Feb 13, 2018 at 9:31 AM, Sargun Dhillon wrote:
>> On Tue, Feb 13, 2018 at 9:02 AM, Jessie Frazelle wrote:
>>> On Tue, Feb 13, 2018 at 11:29 AM, Sargun Dhillon wrote:
On Tue, Feb 13, 2018 at 7:47 AM, Kees Cook wrote:
> What's
On Tue, Feb 13, 2018 at 12:16:42PM -0800, Kees Cook wrote:
> If the needs Tycho outlined[1] could be addressed fully with eBPF, and
> we can very narrowly scope the use of the "extra" eBPF features, I
> might be more inclined to merge something like this, but I want to
> take it very carefully. Bes
On 02/13/2018 01:35 PM, Kees Cook wrote:
On Tue, Feb 13, 2018 at 12:33 PM, Tom Hromatka wrote:
On Tue, Feb 13, 2018 at 7:42 AM, Sargun Dhillon wrote:
This patchset enables seccomp filters to be written in eBPF. Although,
this patchset doesn't introduce much of the functionality enabled by
e
On Tue, Feb 13, 2018 at 12:33 PM, Tom Hromatka wrote:
> On Tue, Feb 13, 2018 at 7:42 AM, Sargun Dhillon wrote:
>>
>> This patchset enables seccomp filters to be written in eBPF. Although,
>> this patchset doesn't introduce much of the functionality enabled by
>> eBPF, it lays the ground work for
On Tue, Feb 13, 2018 at 7:42 AM, Sargun Dhillon wrote:
This patchset enables seccomp filters to be written in eBPF. Although,
this patchset doesn't introduce much of the functionality enabled by
eBPF, it lays the ground work for it.
It also introduces the capability to dump eBPF filters via the
On Tue, Feb 13, 2018 at 9:31 AM, Sargun Dhillon wrote:
> On Tue, Feb 13, 2018 at 9:02 AM, Jessie Frazelle wrote:
>> On Tue, Feb 13, 2018 at 11:29 AM, Sargun Dhillon wrote:
>>> On Tue, Feb 13, 2018 at 7:47 AM, Kees Cook wrote:
What's the reason for adding eBPF support? seccomp shouldn't nee
On Tue, Feb 13, 2018 at 9:02 AM, Jessie Frazelle wrote:
> On Tue, Feb 13, 2018 at 11:29 AM, Sargun Dhillon wrote:
>> On Tue, Feb 13, 2018 at 7:47 AM, Kees Cook wrote:
>>> On Tue, Feb 13, 2018 at 7:42 AM, Sargun Dhillon wrote:
This patchset enables seccomp filters to be written in eBPF. Alt
On Tue, Feb 13, 2018 at 11:29 AM, Sargun Dhillon wrote:
> On Tue, Feb 13, 2018 at 7:47 AM, Kees Cook wrote:
>> On Tue, Feb 13, 2018 at 7:42 AM, Sargun Dhillon wrote:
>>> This patchset enables seccomp filters to be written in eBPF. Although,
>>> this patchset doesn't introduce much of the functio
On Tue, Feb 13, 2018 at 7:47 AM, Kees Cook wrote:
> On Tue, Feb 13, 2018 at 7:42 AM, Sargun Dhillon wrote:
>> This patchset enables seccomp filters to be written in eBPF. Although,
>> this patchset doesn't introduce much of the functionality enabled by
>> eBPF, it lays the ground work for it.
>>
On Tue, Feb 13, 2018 at 7:42 AM, Sargun Dhillon wrote:
> This patchset enables seccomp filters to be written in eBPF. Although,
> this patchset doesn't introduce much of the functionality enabled by
> eBPF, it lays the ground work for it.
>
> It also introduces the capability to dump eBPF filters
This patchset enables seccomp filters to be written in eBPF. Although,
this patchset doesn't introduce much of the functionality enabled by
eBPF, it lays the ground work for it.
It also introduces the capability to dump eBPF filters via the PTRACE
API in order to make it so that CHECKPOINT_RESTORE