Posted by LWN.net (syn_lwnheadline)
@ 2021-05-31 15:49:00
[$] eBPF seccomp() filters
The seccomp() mechanism allows a process to load a BPF program to restrict its future use of system calls; it is a simple but flexible sandboxing mechanism that is widely used. Those filter programs, though, run on the "classic" BPF virtual machine, rather than the extended BPF (eBPF) machine used elsewhere in the kernel. Moving seccomp() to eBPF has been an often-requested change, but security concerns have prevented that from happening. The latest attempt to enable eBPF is this patch set from YiFei Zhu; whether it will succeed where others have failed remains to be seen.