|
|
Пишет LWN.net (![[info]](http://lj.rossia.org/img/syndicated.gif){kind=small} syn_lwnheadline)@ 2021-04-09 13:58:00 |
 |
|
 |
|
|
|
|
|
|
 |
|
 |
[$] Seccomp user-space notification and signals
The seccomp()
mechanism allows the imposition of a filter program (expressed in "classic" BPF)
that makes policy decisions on whether to allow each system call invoked by the target
process. The user-space notification
feature further allows those decisions to be deferred to another
process. As this recent
patch set from Sargun Dhillon shows, though, user-space notification
still has some rough edges, especially when it comes to signals. This
patch makes a simple change to try to address a rather complex problem
brought to the fore by changes in the Go language's preemption model.
The seccomp()
mechanism allows the imposition of a filter program (expressed in "classic" BPF)
that makes policy decisions on whether to allow each system call invoked by the target
process. The user-space notification
feature further allows those decisions to be deferred to another
process. As this recent
patch set from Sargun Dhillon shows, though, user-space notification
still has some rough edges, especially when it comes to signals. This
patch makes a simple change to try to address a rather complex problem
brought to the fore by changes in the Go language's preemption model.
