-
Tycho Andersen authored
This commit adds basic support for dumping and restoring seccomp filters via the new ptrace interface. There are two current known limitations with this approach: 1. This approach doesn't support restoring tasks who first do a seccomp() and then a setuid(); the test elaborates on this and I don't think it is tough to do, but it is not done yet. 2. Filters are compared via memcmp(), so two tasks which have the same parent task and install identical (via memory) filters will have those filters considered to be the "same". Since we force all tasks to have the same creds (including seccomp filters) right now, this isn't a problem. The approach used here is very similar to the cgroup approach: the actual filters are stored in a seccomp.img, and each task has an id that points to the part of the filter tree it needs to restore. This keeps us from dumping the same filter multiple times, since filters are inherited on fork. v2: * remove unused seccomp_filters field from struct rst_info * rework memory layout for passing filters to restorer blob * add a sanity check when finding inherited filters Signed-off-by:
Tycho Andersen <tycho.andersen@canonical.com> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
221af18e
