On 04/10/2016 01:46, Kees Cook wrote: > On Wed, Sep 14, 2016 at 6:19 PM, Andy Lutomirski wrote: >> On Wed, Sep 14, 2016 at 3:14 PM, Mickaël Salaün wrote: >>> >>> On 14/09/2016 20:29, Andy Lutomirski wrote: >>>> On Wed, Sep 14, 2016 at 12:24 AM, Mickaël Salaün wrote: >>>>> This third origin of hook call should cover all possible trigger paths >>>>> (e.g. page fault). Landlock eBPF programs can then take decisions >>>>> accordingly. >>>>> >>>>> Signed-off-by: Mickaël Salaün >>>>> Cc: Alexei Starovoitov >>>>> Cc: Andy Lutomirski >>>>> Cc: Daniel Borkmann >>>>> Cc: Kees Cook >>>>> --- >>>> >>>> >>>>> >>>>> + if (unlikely(in_interrupt())) { >>>> >>>> IMO security hooks have no business being called from interrupts. >>>> Aren't they all synchronous things done by tasks? Interrupts are >>>> driver things. >>>> >>>> Are you trying to check for page faults and such? >>> >>> Yes, that was the idea you did put in my mind. Not sure how to deal with >>> this. >>> >> >> It's not so easy, unfortunately. The easiest reliable way might be to >> set a TS_ flag on all syscall entries when TIF_SECCOMP or similar is >> set. > > For making this series smaller, let's leave the idea idea of interrupt > hooks out -- the intention is for stricter syscall filtering, yes? > > Once things are more well established and there's a use-case for this, > it can be added back in. Right, I'm no more convinced it's worth it.