[PATCH v2 0/1] seccomp: Add SECCOMP_CLONE_FILTER operation

Add an operation, SECCOMP_CLONE_FILTER, that can copy the seccomp
filters from another process to the current process.

Changes from v1 to v2:
* Fixed locking issues.  Thanks Al, Alexei, and Kees :)
* Allow filters to be cloned if CAP_SYS_ADMIN or no new privs
  is set
  * I initially had only CAP_SYS_ADMIN, but I can't think of a
    way no new privs is harmful here, so I added it. Thanks, Kees
* Switch to passing in pidfd directly rather than a pointer to a
  pidfd
  * This more closely aligns with other pidfd syscalls
* Fixed warning in the sample code reported by the test robot
* Various cleanups and improvements in the selftest

Note that I left in the restriction that the target process
has no seccomp filters already loaded.  I could see this
limitation being removed in a later patchset, but there are
requests for this feature at present.

Finally, I re-ran the performance numbers and updated the patch
with the latest numbers.  The locking changes significantly sped
up the clone operation, and it's now ~1900x faster than the
current method.

Tom Hromatka (1):
  seccomp: Add SECCOMP_CLONE_FILTER operation

 .../userspace-api/seccomp_filter.rst          |  10 ++
 include/uapi/linux/seccomp.h                  |   1 +
 kernel/seccomp.c                              |  48 ++++++
 samples/seccomp/.gitignore                    |   1 +
 samples/seccomp/Makefile                      |   2 +-
 samples/seccomp/clone-filter.c                | 150 ++++++++++++++++++
 tools/include/uapi/linux/seccomp.h            |   1 +
 tools/testing/selftests/seccomp/seccomp_bpf.c | 114 +++++++++++++
 8 files changed, 326 insertions(+), 1 deletion(-)
 create mode 100644 samples/seccomp/clone-filter.c

-- 
2.47.3
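An added example, not code from Tom Hromatka's patch or its sample program: a small C wrapper that performs, in user space, the preflight checks the cover letter describes before invoking SECCOMP_CLONE_FILTER. The /proc/self/status parsing, prctl(PR_GET_NO_NEW_PRIVS) and pidfd_open(2) calls are existing Linux interfaces; SECCOMP_CLONE_FILTER itself comes from the patch's uapi header, so the wrapper fails closed with ENOSYS when the headers predate it. How the pidfd is handed to seccomp(2) is an assumption here (the cover letter only says it is passed directly rather than by pointer), and the function names, the CapEff-based CAP_SYS_ADMIN check (an approximation of the kernel's own capability check) and the constructed status text in the comments are mine.

```c
/* Added example, not code from the patch: user-space preflight checks for
 * SECCOMP_CLONE_FILTER, following the conditions in the cover letter. How the
 * pidfd is handed to seccomp(2) is an ASSUMPTION (the cover letter only says it
 * is passed directly); check the patch's seccomp_filter.rst for the real form. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>
#include <linux/seccomp.h>

#ifndef __NR_pidfd_open
#define __NR_pidfd_open 434        /* same number on every architecture */
#endif

/* Value of "<field>:" in /proc/<pid>/status text, or NULL if absent.
 * Matches only at line start, so "Seccomp" does not hit "Seccomp_filters". */
static const char *status_field(const char *text, const char *field)
{
    size_t flen = strlen(field);
    const char *line = text;
    while (line && *line) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            line += flen + 1;
            while (*line == ' ' || *line == '\t')
                line++;
            return line;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return NULL;
}

/* Seccomp mode: 0 disabled, 1 strict, 2 filter; -1 if the field is missing. */
int seccomp_mode_from_status(const char *text)
{
    const char *v = status_field(text, "Seccomp");
    return v ? atoi(v) : -1;
}

/* 1 if capability `cap` is in the effective set (CapEff hex mask), else 0. */
int cap_effective_from_status(const char *text, int cap)
{
    const char *v = status_field(text, "CapEff");
    return v ? (int)((strtoull(v, NULL, 16) >> cap) & 1ULL) : 0;
}

/* Copy the seccomp filters of `pid` into the calling process.
 * Returns 0 on success, -errno otherwise. */
int clone_filter_from(pid_t pid)
{
    char status[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -errno;
    size_t n = fread(status, 1, sizeof status - 1, f);
    fclose(f);
    status[n] = '\0';

    /* v2 allows the operation with CAP_SYS_ADMIN or with no_new_privs set;
     * reading CapEff is a user-space approximation of the kernel's check. */
    int nnp = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
    if (nnp < 0)
        return -errno;
    if (!nnp && !cap_effective_from_status(status, CAP_SYS_ADMIN))
        return -EPERM;

    /* The patch keeps the restriction that the caller has no filters yet. */
    if (seccomp_mode_from_status(status) != SECCOMP_MODE_DISABLED)
        return -EBUSY;

#ifdef SECCOMP_CLONE_FILTER
    int pidfd = (int)syscall(__NR_pidfd_open, pid, 0);
    if (pidfd < 0)
        return -errno;
    /* ASSUMED convention: the pidfd is passed directly as the args word. */
    long rc = syscall(__NR_seccomp, SECCOMP_CLONE_FILTER, 0,
                      (void *)(uintptr_t)pidfd);
    int err = rc < 0 ? errno : 0;
    close(pidfd);
    return -err;
#else
    (void)pid;                 /* headers predate the patch: fail closed */
    return -ENOSYS;
#endif
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <pid>\n", argv[0]);
        return 2;
    }
    int rc = clone_filter_from((pid_t)atoi(argv[1]));
    if (rc < 0)
        fprintf(stderr, "SECCOMP_CLONE_FILTER: %s\n", strerror(-rc));
    return rc < 0;
}
```

Build with `gcc -Wall -o clone-filter clone-filter.c` and run it as `./clone-filter <pid>`. On a kernel or headers without the patch the wrapper reports ENOSYS; with filters already loaded it reports EBUSY, and without CAP_SYS_ADMIN or no_new_privs it reports EPERM, mirroring the two conditions the cover letter spells out. The kernel remains the authority on all three: the user-space checks only give a clearer error before the syscall is attempted.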




