From: Corey Bryant
Date: Mon, 02 Jul 2012 10:20:56 -0400
Subject: Re: [Qemu-devel] [RFC] [PATCHv2 2/2] Adding basic calls to libseccomp in vl.c
To: Will Drewry, Paolo Bonzini
Cc: Blue Swirl, Paul Moore, qemu-devel@nongnu.org, Eduardo Otubo
Message-ID: <4FF1AE48.70801@linux.vnet.ibm.com>
References: <20120613203305.GC6019@redhat.com> <20120618083335.GD28026@redhat.com> <4FDF479B.9060502@linux.vnet.ibm.com> <4FDFA36E.4010802@linux.vnet.ibm.com> <4FF04FE3.20905@redhat.com>

On 07/01/2012 10:18 PM, Will Drewry wrote:
> On Sun, Jul 1, 2012 at 8:25 AM, Paolo Bonzini wrote:
>> On 18/06/2012 23:53, Corey Bryant wrote:
>>>> Can each thread have separate seccomp whitelists? For example CPU
>>>> threads should not need pretty much anything but the I/O thread needs
>>>> I/O.
>>>
>>> No, seccomp filters are defined and enforced at the process level.
>>
>> Perhaps we can add (at the kernel level) a way for seccomp filters to
>> examine the current tid.

Sorry for the confusion. I corrected my statement in a later thread based on Will's input:
http://lists.nongnu.org/archive/html/qemu-devel/2012-06/msg03212.html

> seccomp filters are attached to the task_struct and apply per "thread"
> or per process since they both get their own task_structs. (For
> Linux, process==thread with shared resources.) Filter programs are
> also inherited across clone/fork, so it's possible to install a
> "global" filter program which is inherited during thread creation,
> then apply per-thread refinements by stacking on additional filters
> (at the cost of additional evaluation time).
>
> hth!
> will

Thanks!

-- 
Regards,
Corey
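The per-task behaviour Will describes above, as an added example rather than code from this thread or from the QEMU libseccomp patch under discussion: a process-wide filter installed in the main thread is inherited by a thread created afterwards, and a second filter installed from inside that thread applies only to it. The example uses raw seccomp-BPF through prctl(2) instead of libseccomp, runs the whole experiment in a forked child so the caller's own syscall table is untouched, and picks two harmless syscalls (getppid and getpgid) purely as probes. The names deny_syscall, refined_thread, run_demo and the DEMO_* codes are this example's own; it assumes a Linux kernel with CONFIG_SECCOMP_FILTER and reports DEMO_UNSUPPORTED where filtering is unavailable.

```c
/* Added example (not from the thread): one inherited seccomp-BPF filter
 * plus a per-thread refinement stacked on top of it. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define DEMO_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#elif defined(__arm__)
#define DEMO_ARCH AUDIT_ARCH_ARM
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS          /* older headers only have the thread-kill action */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

enum { DEMO_OK = 0, DEMO_MISMATCH = 1, DEMO_UNSUPPORTED = 2 };

/* Install a default-allow filter that makes one syscall fail with EPERM.
 * prctl(PR_SET_SECCOMP) attaches the program to the calling thread's
 * task_struct; threads cloned afterwards inherit it (and no_new_privs). */
static int deny_syscall(int nr)
{
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),   /* wrong ABI: kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM), /* the denied call */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),          /* everything else */
    };
    struct sock_fprog prog = { .len = sizeof insns / sizeof insns[0], .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* True when the kernel refused the syscall with the EPERM our filter returns. */
static int is_denied(long nr, long arg)
{
    errno = 0;
    return syscall(nr, arg) == -1 && errno == EPERM;
}

/* Runs in the new thread: stacks a refinement that only this thread sees. */
static void *refined_thread(void *out)
{
    int *result = out;
    if (deny_syscall(SYS_getpgid) != 0) { *result = DEMO_UNSUPPORTED; return NULL; }
    /* getppid is denied by the inherited filter, getpgid by the stacked one. */
    *result = (is_denied(SYS_getppid, 0) && is_denied(SYS_getpgid, 0)) ? DEMO_OK : DEMO_MISMATCH;
    return NULL;
}

/* Forks a child to run the experiment. Returns DEMO_OK, DEMO_MISMATCH or
 * DEMO_UNSUPPORTED (seccomp filtering not available in this environment). */
int run_demo(void)
{
    pid_t pid = fork();
    if (pid < 0) return DEMO_UNSUPPORTED;
    if (pid == 0) {
        int thread_result = DEMO_MISMATCH;
        pthread_t tid;
        if (deny_syscall(SYS_getppid) != 0) _exit(DEMO_UNSUPPORTED);      /* "global" filter */
        if (pthread_create(&tid, NULL, refined_thread, &thread_result) != 0) _exit(DEMO_UNSUPPORTED);
        pthread_join(tid, NULL);
        if (thread_result != DEMO_OK) _exit(thread_result);
        /* Back in the first thread: the global filter still applies, but the
         * refinement installed by the other thread does not reach us. */
        long pg = syscall(SYS_getpgid, 0);
        _exit((is_denied(SYS_getppid, 0) && pg > 0) ? DEMO_OK : DEMO_MISMATCH);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return DEMO_MISMATCH;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *text[] = { "ok: inherited filter applied to both threads, refinement stayed per-thread",
                                  "mismatch: filters did not behave as described",
                                  "seccomp filtering unavailable here" };
    int r = run_demo();
    puts((r >= 0 && r <= 2) ? text[r] : "unexpected result");
    return r;
}
```

Each prctl(PR_SET_SECCOMP) call appends to the calling thread's filter stack, and every syscall that thread makes is then evaluated against all of its filters, which is the evaluation-time cost Will mentions; a refinement added in one thread never changes what an already-running sibling thread is allowed to do.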