Re: [libseccomp-discuss] [RFC PATCH v1 3/3] tests: add python versions of the existing tests
High level interface to the Linux Kernel's seccomp filter
From: Paul M. <pm...@re...> - 2012-10-24 19:11:08
On Wednesday, October 24, 2012 02:22:56 PM Daniel J Walsh wrote:
> > f.add_rule_exactly(ALLOW, "read", Arg(0, Arg.EQ, sys.stdin.fileno())); +
> > f.add_rule_exactly(ALLOW, "write", Arg(0, Arg.EQ, sys.stdout.fileno())); +
> > f.add_rule_exactly(ALLOW, "write", Arg(0, Arg.EQ, sys.stderr.fileno()));
>
> I will give you sys.stderr and you change it to fileno, not me.

Thanks for taking a look and sending your comments.

I think the problem here is that these are syscall arguments, which are scalar values by definition, and putting code in the Python binding/shim to translate every possible Python object into the correct scalar value for seccomp seems like a losing battle, especially when the caller can usually do it in such a trivial manner.

I might be convinced to do it for a few special cases, file objects being one of them, if you could point me to a Python example that demonstrates type specific behavior, for example:

	if (type(object) == FILE_OBJECT)
		fd = object.fileno()
	else if (type(object) == SCALAR)
		fd = object
	else
		eject(mailman)

> I don't like Arg.EQ, I would prefer EQ, and maybe make this the default?

Sure, I can move EQ and friends up to the top level of the module, no problem there. As for making it the default, I'm tempted to leave it as is since I think it makes more sense with all three arguments being explicit; after all, a comparison takes three items: a variable to compare, a comparison operator, and a value to compare against.

> BTW You can probably do most of this in your python code. (__init__.py)

You lost me here, can you elaborate?

-- 
paul moore
security and virtualization @ redhat
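Review bot: the three quoted add_rule_exactly() lines each end in a trailing `;`, which Python accepts but which reads as a C carry-over; drop them in the Python tests. Each rule also calls fileno() while the rule is being added, so the filter compares against the descriptor number the stream had at that moment; a one-line comment in the test saying so would make the intent explicit.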
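The type-specific conversion asked about in the message above, as an added Python example; it is not code from the libseccomp binding or from either poster. The names `to_syscall_scalar`, `U64_MAX` and `demo` are hypothetical, and the 64-bit range handling is an assumption of this sketch.

```python
import io
import operator
import os

U64_MAX = 2**64 - 1  # assumption: arguments are treated as 64-bit register values


def to_syscall_scalar(value):
    """Reduce a Python object to the integer a filter rule would compare against."""
    # bool is a subclass of int; True/False as an fd or flag is almost always a bug.
    if isinstance(value, bool):
        raise TypeError("bool is not accepted as a syscall argument")
    # File-like objects (files, sockets, pipes) expose their descriptor via fileno().
    fileno = getattr(value, "fileno", None)
    if callable(fileno):
        try:
            value = fileno()
        except (io.UnsupportedOperation, ValueError) as exc:
            # StringIO has no descriptor; a closed file raises ValueError.
            raise TypeError(f"no usable file descriptor: {exc}") from exc
    # operator.index() accepts int-like types and rejects float, str and None.
    try:
        scalar = operator.index(value)
    except TypeError:
        name = type(value).__name__
        raise TypeError(f"cannot use {name} as a syscall argument") from None
    if not -(2**63) <= scalar <= U64_MAX:
        raise ValueError(f"{scalar} does not fit a 64-bit argument")
    # Negative values (e.g. -1) are stored as two's complement in the register.
    return scalar & U64_MAX


def demo():
    """Constructed input: a pipe gives two real file objects with known fds."""
    r, w = os.pipe()
    with os.fdopen(r, "rb") as rf, os.fdopen(w, "wb") as wf:
        return [(to_syscall_scalar(rf), r), (to_syscall_scalar(wf), w)]


if __name__ == "__main__":
    for got, expected in demo():
        print(got, expected)
```

Rejecting anything that is neither file-like nor integer-like keeps a mistyped argument from silently becoming a rule that matches the wrong value.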