Re: [PATCH 5/7] seccomp_filter: Document what seccomp_filter is and how it works.
[Posted May 4, 2011 by jake]
| From: | "Serge E. Hallyn" <serge-AT-hallyn.com> |
| To: | Ingo Molnar <mingo-AT-elte.hu> |
| Subject: | Re: [PATCH 5/7] seccomp_filter: Document what seccomp_filter is and how it works. |
| Date: | Thu, 28 Apr 2011 12:43:34 -0500 |
| Message-ID: | <20110428174334.GB25940@hallyn.com> |
| Cc: | Will Drewry <wad-AT-chromium.org>, linux-kernel-AT-vger.kernel.org, kees.cook-AT-canonical.com, eparis-AT-redhat.com, agl-AT-chromium.org, jmorris-AT-namei.org, rostedt-AT-goodmis.org, Randy Dunlap <rdunlap-AT-xenotime.net>, Linus Torvalds <torvalds-AT-linux-foundation.org>, Andrew Morton <akpm-AT-linux-foundation.org>, Tom Zanussi <tzanussi-AT-gmail.com>, Frédéric Weisbecker <fweisbec-AT-gmail.com>, Arnaldo Carvalho de Melo <acme-AT-redhat.com>, Peter Zijlstra <a.p.zijlstra-AT-chello.nl>, Thomas Gleixner <tglx-AT-linutronix.de> |

Quoting Ingo Molnar (mingo@elte.hu):

> I've Cc:-ed Linus and Andrew: are you guys opposed to such flexible, dynamic
> filters conceptually? I think we should really think hard about the actual ABI
> as this could easily spread to more applications than Chrome/Chromium.

We want to use it for containers, to try and provide some bit of
mitigation for the fact that they are sharing a kernel with the host.

thanks,
-serge