Join GitHub today
GitHub is home to over 20 million developers working together to host and review code, manage projects, and build software together.
RFE: seccomp() syscall and TSYNC flag support never configured #20
Comments
pcmoore
changed the title from
tsync support never configured
to
RFE: seccomp() syscall and TSYNC flag support never configured
Nov 11, 2015
pcmoore
added
the
enhancement
label
Nov 11, 2015
|
As noted in the autoconfigure script, this functionality was added but disabled pending further testing. |
pcmoore
modified the milestone:
v2.3
Feb 9, 2016
pcmoore
self-assigned this
Feb 9, 2016
|
I've enabled the seccomp() syscall, a thread sync as a result, in a1f144a, but additional testing is needed on the different platforms due to the nature of the implementation. |
|
See commit 08a682a. We've had enough testing that I'm reasonably confident in considering this issue resolved. |
pcmoore
closed this
Feb 26, 2016
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
justincormack commentedNov 10, 2015
Currently the tsync support is wrapped with HAVE_SECCOMP but there is actually no configure test, perhaps as no existing libc has the seccomp call available.
However it would be perfectly normal to just call seccomp(2) with syscall() as glibc policy seems to be mostly not to expose specialist syscalls at all.
In which case the library could attempt to use syscall(SYS_seccomp, ...) if tsync was set, and fail the filter load if not, rather than just having a tsync option which is not usable even if supported by the kernel.
This behaviour would seem more useful as tsync support is quite widespread, and it is important for many applications. Otherwise the Go libseccomp wrapper should have a warning saying always use
runtime.LockOSThread()if you use this library or filtering may not be applied to the calls you expect.