Re: [libseccomp-discuss] seccomp_rule_add should also have a va_list version
From: Paul M. <pm...@re...> - 2013-02-12 20:51:12
On Monday, February 11, 2013 09:53:23 PM vi0oss wrote:
> > I submitted a patch for this last year:
> > http://sourceforge.net/mailarchive/message.php?msg_id=29625574
> >
> > At the time I suggested the function name to be vseccomp_rule_add
> > (inspired by printf and vprintf). I would do it differently today,
> > maybe calling it seccomp_rule_vadd().
> >
> > Vitaly, please check out the link posted above; I'm still leaning towards
> > passing a struct array as opposed to a va_list.
>
> My first patch seems to be equivalent to the first patch in the link
> (but with fewer commands and without documentation).
>
> My second patch actually adds an "array of structs" version (making
> _seccomp_rule_add accept both va_list and array).

My apologies, I only looked at the first patch after reading Thiago's
comments; I should have kept reading to look at the second. I'll reply in
that thread.

> But now I see that you can have only 6 rules (can't specify multiple
> filters for one arg like "A0>4 && A0<10" like I thought when I was
> implementing the patch), so the second patch is maybe overkill. If
> the multiple-rules-for-one-arg is going to be implemented someday then
> the more generic interface for comparators starts making sense.

Anything is possible; I've thought about it but realistically I don't see it
happening in the near future unless someone provides a patchset to do it.

> P.S. Implemented a command-line interface for libseccomp features:
> https://github.com/vi/syscall_limiter . It allows the user to set a seccomp
> filter (including comparators) and execve the specified program. It just
> uses 6 ifs and seccomp_rule_adds.

Thanks for the link.

-- 
paul moore
security and virtualization @ redhat
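The interface shape the thread is weighing, a va_list entry point that funnels into an array-of-structs entry point, as an added illustration that is not libseccomp's code: the `arg_cmp`/`rule` types, the `rule_add*` names and the stored-rule layout are stand-ins constructed for this example. The array form is also where the two limits raised above (at most six comparators, one comparison per argument) are enforced.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdint.h>
#include <string.h>

#define MAX_ARGS 6  /* a syscall has at most six arguments */
/* Stand-ins for libseccomp's comparator and rule types (constructed for this example). */
struct arg_cmp { unsigned int arg; int op; uint64_t datum; };
struct rule { uint32_t action; int syscall; unsigned int cmp_cnt; struct arg_cmp cmps[MAX_ARGS]; };

/* Array form: the one place where the comparator list is validated and stored. */
int rule_add_array(struct rule *r, uint32_t action, int syscall,
                   unsigned int cnt, const struct arg_cmp *cmps)
{
    unsigned int seen = 0;  /* bitmask of argument indices already compared */
    if (cnt > MAX_ARGS)
        return -EINVAL;
    for (unsigned int i = 0; i < cnt; i++) {
        /* one comparison per argument: "A0>4 && A0<10" cannot go in one rule */
        if (cmps[i].arg >= MAX_ARGS || (seen & (1u << cmps[i].arg)))
            return -EINVAL;
        seen |= 1u << cmps[i].arg;
    }
    /* validate everything first so a rejected call never leaves a half-written rule */
    memcpy(r->cmps, cmps, cnt * sizeof *cmps);
    r->action = action; r->syscall = syscall; r->cmp_cnt = cnt;
    return 0;
}

/* va_list form: unpacks the variadic comparators and defers to the array form. */
int rule_add_va(struct rule *r, uint32_t action, int syscall,
                unsigned int cnt, va_list ap)
{
    struct arg_cmp cmps[MAX_ARGS];
    if (cnt > MAX_ARGS)
        return -EINVAL;
    for (unsigned int i = 0; i < cnt; i++)
        cmps[i] = va_arg(ap, struct arg_cmp);
    return rule_add_array(r, action, syscall, cnt, cmps);
}

/* Variadic front end with the calling shape of seccomp_rule_add(). */
int rule_add(struct rule *r, uint32_t action, int syscall, unsigned int cnt, ...)
{
    va_list ap; int rc;
    va_start(ap, cnt);
    rc = rule_add_va(r, action, syscall, cnt, ap);
    va_end(ap);
    return rc;
}
```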