From: Jamie Lokier <jamie@shareable.org>
To: Will Drewry <wad@chromium.org>
Cc: Steven Rostedt <rostedt@goodmis.org>,
linux-kernel@vger.kernel.org, keescook@chromium.org,
john.johansen@canonical.com, serge.hallyn@canonical.com,
coreyb@linux.vnet.ibm.com, pmoore@redhat.com, eparis@redhat.com,
djm@mindrot.org, torvalds@linux-foundation.org,
segoon@openwall.com, jmorris@namei.org, scarybeasts@gmail.com,
avi@redhat.com, penberg@cs.helsinki.fi, viro@zeniv.linux.org.uk,
luto@mit.edu, mingo@elte.hu, akpm@linux-foundation.org,
khilman@ti.com, borislav.petkov@amd.com, amwang@redhat.com,
oleg@redhat.com, ak@linux.intel.com, eric.dumazet@gmail.com,
gregkh@suse.de, dhowells@redhat.com, daniel.lezcano@free.fr,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, olofj@chromium.org,
mhalcrow@google.com, dlaor@redhat.com
Subject: Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF
Date: Thu, 12 Jan 2012 17:22:41 +0000 [thread overview]
Message-ID: <20120112172241.GJ7180@jl-vm1.vm.bytemark.co.uk> (raw)
In-Reply-To: <CABqD9hbOUy1qO0f+JFitRXH6c5EgLTWOh5eGdo8dTxeXJ40h2g@mail.gmail.com>
Will Drewry wrote:
> On Thu, Jan 12, 2012 at 9:43 AM, Steven Rostedt <rostedt@goodmis.org> wrote:
> > On Wed, 2012-01-11 at 11:25 -0600, Will Drewry wrote:
> >
> >> Filter programs may _only_ cross the execve(2) barrier if last filter
> >> program was attached by a task with CAP_SYS_ADMIN capabilities in its
> >> user namespace. Once a task-local filter program is attached from a
> >> process without privileges, execve will fail. This ensures that only
> >> privileged parent task can affect its privileged children (e.g., setuid
> >> binary).
> >
> > This means that a non privileged user can not run another program with
> > limited features? How would a process exec another program and filter
> > it? I would assume that the filter would need to be attached first and
> > then the execv() would be performed. But after the filter is attached,
> > the execv is prevented?
>
> Yeah - it means tasks can filter themselves, but not each other.
> However, you can inject a filter for any dynamically linked executable
> using LD_PRELOAD.
>
> > Maybe I don't understand this correctly.
>
> You're right on. This was to ensure that one process didn't cause
> crazy behavior in another. I think Alan has a better proposal than
> mine below. (Goes back to catching up.)
You can already use ptrace() to cause crazy behaviour in another
process, including modifying registers arbitrarily at syscall entry
and exit, aborting and emulating syscalls.
ptrace() is quite slow and it would be really nice to speed it up,
especially for trapping a small subset of syscalls, or limiting some
kinds of access to some file descriptors, while everything else runs
at normal speed.
Speeding up ptrace() with BPF filters would be a really nice. Not
that I like ptrace(), but sometimes it's the only thing you can rely on.
LD_PRELOAD and code running in the target process address space can't
always be trusted in some contexts (e.g. the target process may modify
the tracing code or its data); whereas ptrace() is pretty complete and
reliable, if ugly.
There's already a security model around who can use ptrace(); speeding
it up needn't break that.
If we'd had BPF ptrace in the first place, SECCOMP wouldn't have been
needed as userspace could have done it, with exactly the restrictions
it wants. Google's NaCl comes to mind as a potential user.
-- Jamie
WARNING: multiple messages have this Message-ID (diff)
From: Jamie Lokier <jamie@shareable.org>
To: Will Drewry <wad@chromium.org>
Cc: Steven Rostedt <rostedt@goodmis.org>,
linux-kernel@vger.kernel.org, keescook@chromium.org,
john.johansen@canonical.com, serge.hallyn@canonical.com,
coreyb@linux.vnet.ibm.com, pmoore@redhat.com, eparis@redhat.com,
djm@mindrot.org, torvalds@linux-foundation.org,
segoon@openwall.com, jmorris@namei.org, scarybeasts@gmail.com,
avi@redhat.com, penberg@cs.helsinki.fi, viro@zeniv.linux.org.uk,
luto@mit.edu, mingo@elte.hu, akpm@linux-foundation.org,
khilman@ti.com, borislav.petkov@amd.com, amwang@redhat.com,
oleg@redhat.com, ak@linux.intel.com, eric.dumazet@gmail.com,
gregkh@suse.de, dhowells@redhat.com, daniel.lezcano@free.fr,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, olofj@chromium.org,
mhalcrow@google.com, dlaor@redhat.com
Subject: Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF
Date: Thu, 12 Jan 2012 17:22:41 +0000 [thread overview]
Message-ID: <20120112172241.GJ7180@jl-vm1.vm.bytemark.co.uk> (raw)
In-Reply-To: <CABqD9hbOUy1qO0f+JFitRXH6c5EgLTWOh5eGdo8dTxeXJ40h2g@mail.gmail.com>
Will Drewry wrote:
> On Thu, Jan 12, 2012 at 9:43 AM, Steven Rostedt <rostedt@goodmis.org> wrote:
> > On Wed, 2012-01-11 at 11:25 -0600, Will Drewry wrote:
> >
> >> Filter programs may _only_ cross the execve(2) barrier if last filter
> >> program was attached by a task with CAP_SYS_ADMIN capabilities in its
> >> user namespace. Once a task-local filter program is attached from a
> >> process without privileges, execve will fail. This ensures that only
> >> privileged parent task can affect its privileged children (e.g., setuid
> >> binary).
> >
> > This means that a non privileged user can not run another program with
> > limited features? How would a process exec another program and filter
> > it? I would assume that the filter would need to be attached first and
> > then the execv() would be performed. But after the filter is attached,
> > the execv is prevented?
>
> Yeah - it means tasks can filter themselves, but not each other.
> However, you can inject a filter for any dynamically linked executable
> using LD_PRELOAD.
>
> > Maybe I don't understand this correctly.
>
> You're right on. This was to ensure that one process didn't cause
> crazy behavior in another. I think Alan has a better proposal than
> mine below. (Goes back to catching up.)
You can already use ptrace() to cause crazy behaviour in another
process, including modifying registers arbitrarily at syscall entry
and exit, aborting and emulating syscalls.
ptrace() is quite slow and it would be really nice to speed it up,
especially for trapping a small subset of syscalls, or limiting some
kinds of access to some file descriptors, while everything else runs
at normal speed.
Speeding up ptrace() with BPF filters would be a really nice. Not
that I like ptrace(), but sometimes it's the only thing you can rely on.
LD_PRELOAD and code running in the target process address space can't
always be trusted in some contexts (e.g. the target process may modify
the tracing code or its data); whereas ptrace() is pretty complete and
reliable, if ugly.
There's already a security model around who can use ptrace(); speeding
it up needn't break that.
If we'd had BPF ptrace in the first place, SECCOMP wouldn't have been
needed as userspace could have done it, with exactly the restrictions
it wants. Google's NaCl comes to mind as a potential user.
-- Jamie
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2012-01-12 18:00 UTC|newest]
Thread overview: 409+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-11 17:25 [RFC,PATCH 0/2] dynamic seccomp policies (using BPF filters) Will Drewry
2012-01-11 17:25 ` [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF Will Drewry
2012-01-12 8:53 ` Serge Hallyn
2012-01-12 16:54 ` Will Drewry
2012-01-12 16:54 ` Will Drewry
2012-01-12 14:50 ` Oleg Nesterov
2012-01-12 16:55 ` Will Drewry
2012-01-12 16:55 ` Will Drewry
2012-01-12 15:43 ` Steven Rostedt
2012-01-12 16:14 ` Oleg Nesterov
2012-01-12 16:38 ` Steven Rostedt
2012-01-12 16:47 ` Oleg Nesterov
2012-01-12 17:08 ` Will Drewry
2012-01-12 17:08 ` Will Drewry
2012-01-12 17:30 ` Jamie Lokier
2012-01-12 17:40 ` Steven Rostedt
2012-01-12 17:44 ` Jamie Lokier
2012-01-12 17:56 ` Steven Rostedt
2012-01-12 23:27 ` Alan Cox
2012-01-12 23:38 ` Linus Torvalds
2012-01-12 22:18 ` Will Drewry
2012-01-12 22:18 ` Will Drewry
2012-01-12 23:00 ` Andrew Lutomirski
2012-01-12 23:00 ` Andrew Lutomirski
2012-01-12 16:14 ` Andrew Lutomirski
2012-01-12 16:14 ` Andrew Lutomirski
2012-01-12 16:27 ` Steven Rostedt
2012-01-12 16:51 ` Andrew Lutomirski
2012-01-12 16:51 ` Andrew Lutomirski
2012-01-12 17:09 ` Linus Torvalds
2012-01-12 17:17 ` Steven Rostedt
2012-01-12 18:18 ` Andrew Lutomirski
2012-01-12 18:32 ` Linus Torvalds
2012-01-12 18:32 ` Linus Torvalds
2012-01-12 18:44 ` Andrew Lutomirski
2012-01-12 19:08 ` Kyle Moffett
2012-01-12 19:08 ` Kyle Moffett
2012-01-12 23:05 ` Eric Paris
2012-01-12 23:33 ` Andrew Lutomirski
2012-01-12 23:33 ` Andrew Lutomirski
2012-01-12 19:40 ` Will Drewry
2012-01-12 19:40 ` Will Drewry
2012-01-12 19:42 ` Will Drewry
2012-01-12 19:42 ` Will Drewry
2012-01-12 19:46 ` Andrew Lutomirski
2012-01-12 19:46 ` Andrew Lutomirski
2012-01-12 20:00 ` Linus Torvalds
2012-01-12 20:00 ` Linus Torvalds
2012-01-12 16:59 ` Will Drewry
2012-01-12 16:59 ` Will Drewry
2012-01-12 17:22 ` Jamie Lokier [this message]
2012-01-12 17:22 ` Jamie Lokier
2012-01-12 17:35 ` Will Drewry
2012-01-12 17:57 ` Jamie Lokier
2012-01-12 17:57 ` Jamie Lokier
2012-01-12 18:03 ` Will Drewry
2012-01-12 18:03 ` Will Drewry
2012-01-13 1:34 ` Jamie Lokier
2012-01-13 2:44 ` Indan Zupancic
2012-01-13 6:33 ` Chris Evans
2012-01-13 6:33 ` Chris Evans
2012-01-12 17:36 ` Jamie Lokier
2012-01-12 16:18 ` Alan Cox
2012-01-12 17:03 ` Will Drewry
2012-01-12 17:03 ` Will Drewry
2012-01-12 17:11 ` Alan Cox
2012-01-12 17:52 ` Will Drewry
2012-01-12 17:52 ` Will Drewry
2012-01-13 1:31 ` James Morris
2012-01-12 16:22 ` Oleg Nesterov
2012-01-12 17:10 ` Will Drewry
2012-01-12 17:23 ` Oleg Nesterov
2012-01-12 17:23 ` Oleg Nesterov
2012-01-12 17:51 ` Will Drewry
2012-01-12 17:51 ` Will Drewry
2012-01-13 17:31 ` Oleg Nesterov
2012-01-13 17:31 ` Oleg Nesterov
2012-01-13 19:01 ` Will Drewry
2012-01-13 19:01 ` Will Drewry
2012-01-13 23:10 ` Will Drewry
2012-01-13 23:10 ` Will Drewry
2012-01-13 23:12 ` Will Drewry
2012-01-13 23:12 ` Will Drewry
2012-01-13 23:30 ` Eric Paris
2012-01-15 3:40 ` Indan Zupancic
2012-01-16 1:40 ` Will Drewry
2012-01-16 6:49 ` Indan Zupancic
2012-01-16 20:12 ` Will Drewry
2012-01-17 6:46 ` Indan Zupancic
2012-01-17 17:37 ` Will Drewry
2012-01-18 4:06 ` Indan Zupancic
2012-01-18 4:38 ` Will Drewry
2012-01-17 20:34 ` Kees Cook
2012-01-17 20:42 ` Will Drewry
2012-01-17 21:09 ` Will Drewry
2012-01-18 4:47 ` Indan Zupancic
2012-01-16 18:37 ` Oleg Nesterov
2012-01-16 18:37 ` Oleg Nesterov
2012-01-16 20:15 ` Will Drewry
2012-01-16 20:15 ` Will Drewry
2012-01-17 16:45 ` Oleg Nesterov
2012-01-17 16:56 ` Will Drewry
2012-01-17 16:56 ` Will Drewry
2012-01-17 17:01 ` Andrew Lutomirski
2012-01-17 17:01 ` Andrew Lutomirski
2012-01-17 17:05 ` Oleg Nesterov
2012-01-17 17:45 ` Andrew Lutomirski
2012-01-17 17:45 ` Andrew Lutomirski
2012-01-18 0:56 ` Compat 32-bit syscall entry from 64-bit task!? [was: Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF] Indan Zupancic
2012-01-18 1:01 ` Andrew Lutomirski
2012-01-18 1:01 ` Andrew Lutomirski
2012-01-19 1:06 ` Indan Zupancic
2012-01-19 1:06 ` Indan Zupancic
2012-01-19 1:19 ` Andrew Lutomirski
2012-01-19 1:47 ` Indan Zupancic
2012-01-18 1:07 ` Roland McGrath
2012-01-18 1:47 ` Indan Zupancic
2012-01-18 1:48 ` Jamie Lokier
2012-01-18 1:50 ` Andi Kleen
2012-01-18 2:00 ` Steven Rostedt
2012-01-18 2:04 ` Jamie Lokier
2012-01-18 2:22 ` Andi Kleen
2012-01-18 2:22 ` Andi Kleen
2012-01-18 2:25 ` Andrew Lutomirski
2012-01-18 4:22 ` Indan Zupancic
2012-01-18 4:22 ` Indan Zupancic
2012-01-18 5:23 ` Linus Torvalds
2012-01-18 5:23 ` Linus Torvalds
2012-01-18 6:25 ` Linus Torvalds
2012-01-18 6:25 ` Linus Torvalds
2012-01-18 13:12 ` Compat 32-bit syscall entry from 64-bit task!? Indan Zupancic
2012-01-18 13:12 ` Indan Zupancic
2012-01-18 19:31 ` Linus Torvalds
2012-01-18 19:31 ` Linus Torvalds
2012-01-18 19:36 ` Andi Kleen
2012-01-18 19:36 ` Andi Kleen
2012-01-18 19:39 ` Linus Torvalds
2012-01-18 19:39 ` Linus Torvalds
2012-01-18 19:44 ` Andi Kleen
2012-01-18 19:44 ` Andi Kleen
2012-01-18 19:47 ` Linus Torvalds
2012-01-18 19:47 ` Linus Torvalds
2012-01-18 19:52 ` Will Drewry
2012-01-18 19:52 ` Will Drewry
2012-01-18 19:58 ` Will Drewry
2012-01-18 19:58 ` Will Drewry
2012-01-18 19:41 ` Martin Mares
2012-01-18 19:41 ` Martin Mares
2012-01-18 19:38 ` Andrew Lutomirski
2012-01-18 19:38 ` Andrew Lutomirski
2012-01-19 16:01 ` Jamie Lokier
2012-01-19 16:01 ` Jamie Lokier
2012-01-19 16:13 ` Andrew Lutomirski
2012-01-19 16:13 ` Andrew Lutomirski
2012-01-19 19:21 ` Linus Torvalds
2012-01-19 19:21 ` Linus Torvalds
2012-01-19 19:30 ` Andrew Lutomirski
2012-01-19 19:30 ` Andrew Lutomirski
2012-01-19 19:37 ` Linus Torvalds
2012-01-19 19:37 ` Linus Torvalds
2012-01-19 19:41 ` Linus Torvalds
2012-01-19 19:41 ` Linus Torvalds
2012-01-19 23:54 ` Jamie Lokier
2012-01-19 23:54 ` Jamie Lokier
2012-01-20 0:05 ` Linus Torvalds
2012-01-20 0:05 ` Linus Torvalds
2012-01-20 15:35 ` Will Drewry
2012-01-20 15:35 ` Will Drewry
2012-01-20 17:56 ` Roland McGrath
2012-01-20 17:56 ` Roland McGrath
2012-01-20 19:45 ` Will Drewry
2012-01-20 19:45 ` Will Drewry
2012-01-18 20:26 ` Linus Torvalds
2012-01-18 20:26 ` Linus Torvalds
2012-01-18 20:55 ` H. Peter Anvin
2012-01-18 20:55 ` H. Peter Anvin
2012-01-18 21:01 ` Linus Torvalds
2012-01-18 21:01 ` Linus Torvalds
2012-01-18 21:04 ` H. Peter Anvin
2012-01-18 21:04 ` H. Peter Anvin
2012-01-18 21:21 ` H. Peter Anvin
2012-01-18 21:21 ` H. Peter Anvin
2012-01-18 21:51 ` Roland McGrath
2012-01-18 21:51 ` Roland McGrath
2012-01-18 21:53 ` H. Peter Anvin
2012-01-18 21:53 ` H. Peter Anvin
2012-01-18 23:28 ` Linus Torvalds
2012-01-18 23:28 ` Linus Torvalds
2012-01-19 0:38 ` H. Peter Anvin
2012-01-19 0:38 ` H. Peter Anvin
2012-01-20 21:51 ` Denys Vlasenko
2012-01-20 21:51 ` Denys Vlasenko
2012-01-20 22:40 ` Roland McGrath
2012-01-20 22:40 ` Roland McGrath
2012-01-20 22:41 ` H. Peter Anvin
2012-01-20 22:41 ` H. Peter Anvin
2012-01-20 23:49 ` Indan Zupancic
2012-01-20 23:49 ` Indan Zupancic
2012-01-20 23:55 ` Roland McGrath
2012-01-20 23:55 ` Roland McGrath
2012-01-20 23:58 ` hpanvin@gmail.com
2012-01-20 23:58 ` hpanvin@gmail.com
2012-01-23 2:14 ` Indan Zupancic
2012-01-23 2:14 ` Indan Zupancic
2012-01-21 0:07 ` Denys Vlasenko
2012-01-21 0:07 ` Denys Vlasenko
2012-01-21 0:10 ` Roland McGrath
2012-01-21 0:10 ` Roland McGrath
2012-01-21 1:23 ` Jamie Lokier
2012-01-21 1:23 ` Jamie Lokier
2012-01-23 2:37 ` Indan Zupancic
2012-01-23 2:37 ` Indan Zupancic
2012-01-23 16:48 ` Oleg Nesterov
2012-01-23 16:48 ` Oleg Nesterov
2012-01-24 8:19 ` Indan Zupancic
2012-01-24 8:19 ` Indan Zupancic
2012-02-06 20:30 ` H. Peter Anvin
2012-02-06 20:30 ` H. Peter Anvin
2012-02-06 20:39 ` Roland McGrath
2012-02-06 20:39 ` Roland McGrath
2012-02-06 20:42 ` H. Peter Anvin
2012-02-06 20:42 ` H. Peter Anvin
2012-01-18 21:26 ` Linus Torvalds
2012-01-18 21:26 ` Linus Torvalds
2012-01-18 21:30 ` H. Peter Anvin
2012-01-18 21:30 ` H. Peter Anvin
2012-01-18 21:42 ` Linus Torvalds
2012-01-18 21:42 ` Linus Torvalds
2012-01-18 21:47 ` H. Peter Anvin
2012-01-18 21:47 ` H. Peter Anvin
2012-01-19 1:45 ` Indan Zupancic
2012-01-19 1:45 ` Indan Zupancic
2012-01-19 2:16 ` H. Peter Anvin
2012-01-19 2:16 ` H. Peter Anvin
2012-02-06 8:32 ` Indan Zupancic
2012-02-06 8:32 ` Indan Zupancic
2012-02-06 17:02 ` H. Peter Anvin
2012-02-06 17:02 ` H. Peter Anvin
2012-02-07 1:52 ` Indan Zupancic
2012-02-07 1:52 ` Indan Zupancic
2012-02-09 0:19 ` H. Peter Anvin
2012-02-09 0:19 ` H. Peter Anvin
2012-02-09 4:20 ` Indan Zupancic
2012-02-09 4:20 ` Indan Zupancic
2012-02-09 4:29 ` H. Peter Anvin
2012-02-09 4:29 ` H. Peter Anvin
2012-02-09 6:03 ` Indan Zupancic
2012-02-09 6:03 ` Indan Zupancic
2012-02-09 14:47 ` H. Peter Anvin
2012-02-09 14:47 ` H. Peter Anvin
2012-02-09 16:00 ` H.J. Lu
2012-02-09 16:00 ` H.J. Lu
2012-02-10 1:09 ` Indan Zupancic
2012-02-10 1:09 ` Indan Zupancic
2012-02-10 1:15 ` H. Peter Anvin
2012-02-10 1:15 ` H. Peter Anvin
2012-02-10 2:29 ` Indan Zupancic
2012-02-10 2:29 ` Indan Zupancic
2012-02-10 2:47 ` H. Peter Anvin
2012-02-10 2:47 ` H. Peter Anvin
[not found] ` <cc95fcf4b1c28ee6f73e373d04593634.squirrel@webmail.greenhost.nl>
2012-02-10 15:53 ` H. Peter Anvin
2012-02-10 15:53 ` H. Peter Anvin
2012-02-10 22:42 ` Indan Zupancic
2012-02-10 22:42 ` Indan Zupancic
2012-02-10 22:56 ` H. Peter Anvin
2012-02-10 22:56 ` H. Peter Anvin
2012-02-12 12:07 ` Indan Zupancic
2012-02-12 12:07 ` Indan Zupancic
2012-01-25 19:36 ` Oleg Nesterov
2012-01-25 19:36 ` Oleg Nesterov
2012-01-25 20:20 ` Pedro Alves
2012-01-25 20:20 ` Pedro Alves
2012-01-25 23:36 ` Denys Vlasenko
2012-01-25 23:36 ` Denys Vlasenko
2012-01-25 23:32 ` Denys Vlasenko
2012-01-25 23:32 ` Denys Vlasenko
2012-01-26 0:40 ` Indan Zupancic
2012-01-26 0:40 ` Indan Zupancic
2012-01-26 1:08 ` Jamie Lokier
2012-01-26 1:08 ` Jamie Lokier
2012-01-26 1:22 ` Denys Vlasenko
2012-01-26 1:22 ` Denys Vlasenko
2012-01-26 6:34 ` Indan Zupancic
2012-01-26 6:34 ` Indan Zupancic
2012-01-26 10:31 ` Jamie Lokier
2012-01-26 10:31 ` Jamie Lokier
2012-01-26 10:40 ` Denys Vlasenko
2012-01-26 10:40 ` Denys Vlasenko
2012-01-26 11:01 ` Jamie Lokier
2012-01-26 11:01 ` Jamie Lokier
2012-01-26 14:02 ` Denys Vlasenko
2012-01-26 14:02 ` Denys Vlasenko
2012-01-26 11:19 ` Indan Zupancic
2012-01-26 11:19 ` Indan Zupancic
2012-01-26 11:20 ` Indan Zupancic
2012-01-26 11:20 ` Indan Zupancic
2012-01-26 11:47 ` Jamie Lokier
2012-01-26 11:47 ` Jamie Lokier
2012-01-26 14:05 ` Denys Vlasenko
2012-01-26 14:05 ` Denys Vlasenko
2012-01-27 7:23 ` Indan Zupancic
2012-01-27 7:23 ` Indan Zupancic
2012-02-10 2:02 ` Jamie Lokier
2012-02-10 2:02 ` Jamie Lokier
2012-02-10 3:37 ` Indan Zupancic
2012-02-10 3:37 ` Indan Zupancic
2012-02-10 21:19 ` Denys Vlasenko
2012-02-10 21:19 ` Denys Vlasenko
2012-01-26 1:09 ` Denys Vlasenko
2012-01-26 1:09 ` Denys Vlasenko
2012-01-26 3:47 ` Linus Torvalds
2012-01-26 3:47 ` Linus Torvalds
2012-01-26 18:03 ` Denys Vlasenko
2012-01-26 18:03 ` Denys Vlasenko
2017-03-08 23:41 ` Dmitry V. Levin
2017-03-08 23:41 ` Dmitry V. Levin
2017-03-09 4:39 ` Andrew Lutomirski
2017-03-09 4:39 ` Andrew Lutomirski
2017-03-14 2:57 ` Dmitry V. Levin
2017-03-14 2:57 ` Dmitry V. Levin
2012-01-26 5:57 ` Indan Zupancic
2012-01-26 5:57 ` Indan Zupancic
2012-01-26 0:59 ` Jamie Lokier
2012-01-26 0:59 ` Jamie Lokier
2012-01-26 1:21 ` Denys Vlasenko
2012-01-26 1:21 ` Denys Vlasenko
2012-01-26 8:23 ` Pedro Alves
2012-01-26 8:23 ` Pedro Alves
2012-01-26 8:53 ` Denys Vlasenko
2012-01-26 8:53 ` Denys Vlasenko
2012-01-26 9:51 ` Pedro Alves
2012-01-26 9:51 ` Pedro Alves
2012-01-26 18:44 ` Oleg Nesterov
2012-01-26 18:44 ` Oleg Nesterov
2012-02-10 2:51 ` Jamie Lokier
2012-02-10 2:51 ` Jamie Lokier
2012-01-18 15:04 ` Compat 32-bit syscall entry from 64-bit task!? [was: Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF] Eric Paris
2012-01-18 15:04 ` Eric Paris
2012-01-18 17:51 ` Linus Torvalds
2012-01-18 17:51 ` Linus Torvalds
2012-01-18 5:43 ` Chris Evans
2012-01-18 5:43 ` Chris Evans
2012-01-18 12:12 ` Indan Zupancic
2012-01-18 12:12 ` Indan Zupancic
2012-01-18 21:13 ` Chris Evans
2012-01-18 21:13 ` Chris Evans
2012-01-19 0:14 ` Indan Zupancic
2012-01-19 0:14 ` Indan Zupancic
2012-01-19 8:16 ` Chris Evans
2012-01-19 8:16 ` Chris Evans
2012-01-19 11:34 ` Indan Zupancic
2012-01-19 11:34 ` Indan Zupancic
2012-01-19 16:11 ` Jamie Lokier
2012-01-19 16:11 ` Jamie Lokier
2012-01-19 15:40 ` Jamie Lokier
2012-01-19 15:40 ` Jamie Lokier
2012-01-18 17:00 ` Oleg Nesterov
2012-01-18 17:00 ` Oleg Nesterov
2012-01-18 17:12 ` Oleg Nesterov
2012-01-18 17:12 ` Oleg Nesterov
2012-01-18 21:09 ` Chris Evans
2012-01-18 21:09 ` Chris Evans
2012-01-23 16:56 ` Oleg Nesterov
2012-01-23 16:56 ` Oleg Nesterov
2012-01-23 22:23 ` Chris Evans
2012-01-23 22:23 ` Chris Evans
2012-02-07 11:45 ` Indan Zupancic
2012-02-07 11:45 ` Indan Zupancic
2012-01-19 0:29 ` Indan Zupancic
2012-01-19 0:29 ` Indan Zupancic
2012-01-18 2:27 ` Linus Torvalds
2012-01-18 2:27 ` Linus Torvalds
2012-01-18 2:31 ` Andi Kleen
2012-01-18 2:31 ` Andi Kleen
2012-01-18 2:46 ` Linus Torvalds
2012-01-18 2:46 ` Linus Torvalds
2012-01-18 14:06 ` Martin Mares
2012-01-18 14:06 ` Martin Mares
2012-01-18 18:24 ` Andi Kleen
2012-01-18 18:24 ` Andi Kleen
2012-01-19 16:04 ` Jamie Lokier
2012-01-19 16:04 ` Jamie Lokier
2012-01-20 0:21 ` Indan Zupancic
2012-01-20 0:21 ` Indan Zupancic
2012-01-20 0:53 ` Linus Torvalds
2012-01-20 0:53 ` Linus Torvalds
2012-01-20 2:02 ` Indan Zupancic
2012-01-20 2:02 ` Indan Zupancic
2012-01-17 17:06 ` [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF Will Drewry
2012-01-17 17:06 ` Will Drewry
2012-01-17 19:35 ` Will Drewry
2012-01-17 19:35 ` Will Drewry
2012-01-12 17:02 ` Andrew Lutomirski
2012-01-12 17:02 ` Andrew Lutomirski
2012-01-16 20:28 ` Will Drewry
2012-01-16 20:28 ` Will Drewry
2012-01-11 17:25 ` [RFC,PATCH 2/2] Documentation: prctl/seccomp_filter Will Drewry
2012-01-11 20:03 ` Jonathan Corbet
2012-01-11 20:10 ` Will Drewry
2012-01-11 20:10 ` Will Drewry
2012-01-11 23:19 ` [PATCH v2 " Will Drewry
2012-01-12 0:29 ` Will Drewry
2012-01-12 0:29 ` Will Drewry
2012-01-12 18:16 ` Randy Dunlap
2012-01-12 17:23 ` Will Drewry
2012-01-12 17:34 ` Steven Rostedt
2012-01-12 13:13 ` [RFC,PATCH " Łukasz Sowa
2012-01-12 17:25 ` Will Drewry
2012-01-12 17:25 ` Will Drewry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120112172241.GJ7180@jl-vm1.vm.bytemark.co.uk \
--to=jamie@shareable.org \
--cc=ak@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=amwang@redhat.com \
--cc=avi@redhat.com \
--cc=borislav.petkov@amd.com \
--cc=coreyb@linux.vnet.ibm.com \
--cc=daniel.lezcano@free.fr \
--cc=dhowells@redhat.com \
--cc=djm@mindrot.org \
--cc=dlaor@redhat.com \
--cc=eparis@redhat.com \
--cc=eric.dumazet@gmail.com \
--cc=gregkh@suse.de \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=khilman@ti.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@mit.edu \
--cc=mhalcrow@google.com \
--cc=mingo@elte.hu \
--cc=oleg@redhat.com \
--cc=olofj@chromium.org \
--cc=penberg@cs.helsinki.fi \
--cc=pmoore@redhat.com \
--cc=rostedt@goodmis.org \
--cc=scarybeasts@gmail.com \
--cc=segoon@openwall.com \
--cc=serge.hallyn@canonical.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.