1. 24 Jun, 2015 1 commit
    • seccomp: add initial support for SECCOMP_MODE_STRICT · 0d8aec0c
      Tycho Andersen authored
      Unfortunately, SECCOMP_MODE_FILTER is not currently exposed to userspace,
      so we can't checkpoint that. In any case, this is what we need to do for
      SECCOMP_MODE_STRICT, so let's do it.
      
      This patch works by first disabling seccomp for any processes who are going
      to have seccomp filters restored, then restoring the process (including the
      seccomp filters), and finally resuming the seccomp filters before detaching
      from the process.
      
      v2 changes:
      
      * update for kernel patch v2
      * use protobuf enum for seccomp type
      * don't parse /proc/pid/status twice
      
      v3 changes:
      
      * get rid of extra CR_STAGE_SECCOMP_SUSPEND stage
      * only suspend seccomp in finalize_restore(), just before the unmap
      * restore the (same) seccomp state in threads too; also add a note about
        how this is slightly wrong, and that we should at least check for a
        mismatch
      Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
      Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
  2. 19 Jun, 2015 2 commits
  3. 16 Jun, 2015 6 commits
  4. 15 Jun, 2015 8 commits
  5. 11 Jun, 2015 9 commits
  6. 08 Jun, 2015 14 commits