Support for SECCOMP_FILTER_FLAG_TSYNC #57

Closed
boustrophedon opened this issue Sep 5, 2023 · 0 comments · Fixed by #58

Hi! I'm the author of extrasafe, a Rust wrapper around seccomp (and soon landlock as well, hopefully). I'm looking to switch from libseccomp-rs to seccompiler, mostly to make static compilation easier.

libseccomp supports the SECCOMP_FILTER_FLAG_TSYNC flag, which is a flag you can pass when calling the seccomp syscall directly. It allows you to apply the current seccomp filter to all running threads (TSYNC = thread sync).

Libseccomp achieves this by calling the seccomp syscall directly. It seems that seccompiler uses prctl to enable seccomp, so in addition to adding a new flag to seccompiler::apply_filter, it would also need to be modified to call the syscall itself rather than using prctl.

If you'd be open to accepting a patch I'd be glad to make it - maybe just extracting the body of apply_filter into a new function apply_filter_with_flags, changing it to use the seccomp syscall, and then having apply_filter just proxy to apply_filter_with_flags with empty flags.

If you have a better design or don't want to support it at all, that's fine, just let me know!


Just for reference (mostly for me), here's a convenient link to the seccomp syscall manpage

And here's the libseccomp code that calls the seccomp syscall directly, passing in the flags. See the few lines above it for where the flags are set: https://github.com/seccomp/libseccomp/blob/f1c3196d9b95de22dde8f23c5befcbeabef5711c/src/system.c#L414

boustrophedon added a commit to boustrophedon/seccompiler that referenced this issue Sep 6, 2023
- Adds SeccompFlag and SeccompFlagset with initial support for just
  SyncThreads/SECCOMP_FILTER_FLAG_TSYNC
- Adds public functions `seccompiler::apply_filter_all_threads` and
  `apply_filter_with_flags`
- Moves the body of apply_filter into apply_filter_with_flags

Resolves rust-vmm#57

Signed-off-by: Harry Stern <harry@harrystern.net>
boustrophedon added a commit to boustrophedon/seccompiler that referenced this issue Sep 7, 2023
- Adds public functions `seccompiler::apply_filter_all_threads` and
  private `apply_filter_with_flags`
- Moves the body of apply_filter into apply_filter_with_flags
- Uses seccomp call directly in apply_filter, so new Error variant is
  added.
- Error variant also added for TSYNC failures

Resolves rust-vmm#57

Signed-off-by: Harry Stern <harry@harrystern.net>
boustrophedon added a commit to boustrophedon/seccompiler that referenced this issue Sep 8, 2023
- Adds public functions `seccompiler::apply_filter_all_threads` and
  private `apply_filter_with_flags`
- Moves the body of apply_filter into apply_filter_with_flags
- Uses seccomp call directly in apply_filter, so new Error variant is
  added.
- Error variant also added for TSYNC failures

Resolves rust-vmm#57

Signed-off-by: Harry Stern <harry@harrystern.net>
boustrophedon added a commit to boustrophedon/seccompiler that referenced this issue Sep 11, 2023
- Adds public functions `seccompiler::apply_filter_all_threads` and
  private `apply_filter_with_flags`
- Moves the body of apply_filter into apply_filter_with_flags
- Uses seccomp call directly in apply_filter, so new Error variant is
  added.
- Error variant also added for TSYNC failures

Resolves rust-vmm#57

Signed-off-by: Harry Stern <harry@harrystern.net>
petreeftime pushed a commit that referenced this issue Sep 12, 2023
- Adds public functions `seccompiler::apply_filter_all_threads` and
  private `apply_filter_with_flags`
- Moves the body of apply_filter into apply_filter_with_flags
- Uses seccomp call directly in apply_filter, so new Error variant is
  added.
- Error variant also added for TSYNC failures

Resolves #57

Signed-off-by: Harry Stern <harry@harrystern.net>
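
The design discussed in the issue and the two error cases named in the commit message, as an added example (not seccompiler's or libseccomp's code): a std-only Rust program that calls the seccomp syscall directly with a flags argument and maps its return value. `ApplyError`, `check_seccomp_result`, `SockFilter` and `SockFprog` are hypothetical names, `apply_filter_with_flags` borrows only its name from the issue, the syscall numbers cover x86_64 and aarch64 only, and the TSYNC return convention (a positive thread ID on sync failure) is taken from seccomp(2).

```rust
use std::{io, os::raw::{c_int, c_long, c_ulong, c_ushort}};
// Constants from the Linux UAPI headers (linux/seccomp.h, linux/prctl.h).
const SECCOMP_SET_MODE_FILTER: c_ulong = 1;
pub const SECCOMP_FILTER_FLAG_TSYNC: c_ulong = 1;
const PR_SET_NO_NEW_PRIVS: c_int = 38;
#[cfg(target_arch = "x86_64")]
const SYS_SECCOMP: c_long = 317;
#[cfg(target_arch = "aarch64")]
const SYS_SECCOMP: c_long = 277;

#[repr(C)]
pub struct SockFilter { pub code: u16, pub jt: u8, pub jf: u8, pub k: u32 }
#[repr(C)]
struct SockFprog { len: c_ushort, filter: *const SockFilter }
extern "C" {
    fn syscall(num: c_long, ...) -> c_long;
    fn prctl(option: c_int, ...) -> c_int;
}
#[derive(Debug, PartialEq)]
pub enum ApplyError {
    Os(i32),         // the call returned -1; payload is errno
    ThreadSync(i64), // TSYNC only: TID of the first thread that could not be synchronized
}
fn errno() -> i32 { io::Error::last_os_error().raw_os_error().unwrap_or(0) }

// seccomp(2): 0 = installed, -1 = error, positive (TSYNC only) = TID that blocked the sync.
pub fn check_seccomp_result(rc: i64, errno: i32) -> Result<(), ApplyError> {
    match rc {
        0 => Ok(()),
        tid if tid > 0 => Err(ApplyError::ThreadSync(tid)),
        _ => Err(ApplyError::Os(errno)),
    }
}

// Hypothetical stand-in for the function proposed in the issue (flags = 0 or TSYNC).
pub fn apply_filter_with_flags(prog: &[SockFilter], flags: c_ulong) -> Result<(), ApplyError> {
    let fprog = SockFprog { len: prog.len() as c_ushort, filter: prog.as_ptr() };
    unsafe {
        // Unprivileged callers must set no_new_privs before installing a filter.
        let nnp = prctl(PR_SET_NO_NEW_PRIVS, 1 as c_ulong, 0 as c_ulong, 0 as c_ulong, 0 as c_ulong);
        if nnp != 0 { return Err(ApplyError::Os(errno())); }
        let rc = syscall(SYS_SECCOMP, SECCOMP_SET_MODE_FILTER, flags, &fprog as *const SockFprog);
        check_seccomp_result(rc as i64, errno())
    }
}
fn main() {
    // Constructed sample filter: one instruction, BPF_RET|BPF_K returning SECCOMP_RET_ALLOW.
    let allow_all = [SockFilter { code: 0x06, jt: 0, jf: 0, k: 0x7fff_0000 }];
    println!("{:?}", apply_filter_with_flags(&allow_all, SECCOMP_FILTER_FLAG_TSYNC));
}
```

A caller that receives `ThreadSync` should treat the process as unsandboxed, because in that case the kernel attaches the filter to no thread at all.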
bors added a commit to rust-lang/libc that referenced this issue Nov 3, 2023
Move all seccomp consts and structs into top-level mod

Seccomp constants and structs were partially defined in the top-level mod.rs for linux and partially outside. This commit moves everything into the top-level mod and adds missing entries as of linux 6.4.12.

Resolves #3342 and rust-vmm/seccompiler#57

I couldn't get main to run libc-test cargo test (even without my changes) with either gcc 13.2.1 or clang 16.0.6. They failed with different errors/warnings.
bors added a commit to rust-lang/libc that referenced this issue Nov 4, 2023
Move all seccomp consts and structs into top-level mod

Seccomp constants and structs were partially defined in the top-level mod.rs for linux and partially outside. This commit moves everything into the top-level mod and adds missing entries as of linux 6.4.12.

Resolves #3342 and rust-vmm/seccompiler#57

I couldn't get main to run libc-test cargo test (even without my changes) with either gcc 13.2.1 or clang 16.0.6. They failed with different errors/warnings.
bors added a commit to rust-lang/libc that referenced this issue Jan 4, 2024
Move all seccomp consts and structs into top-level mod

Seccomp constants and structs were partially defined in the top-level mod.rs for linux and partially outside. This commit moves everything into the top-level mod and adds missing entries as of linux 6.4.12.

Resolves #3342 and rust-vmm/seccompiler#57

I couldn't get main to run libc-test cargo test (even without my changes) with either gcc 13.2.1 or clang 16.0.6. They failed with different errors/warnings.