On Mon, Jan 2, 2017 at 10:01 PM, An Xiao <[email protected]> wrote:

> Thanks for your reply!
> I checked my first example, and it did return -22 (-EINVAL). Sorry for my
> carelessness. I found this error event was emitted when the program checked
> `chain[arg_num].valid == 0` in `db_col_rule_add()`. So, does that mean we can
> never set two or more rules for one argument at the same time?
At present you can only specify one rule per-argument in a seccomp_rule_add[_*]() call.

> As for my second example, your suggestion is perfect in that case. But I want
> much more. I'm desirous to limit multiple arguments of one syscall, so that
> the syscall is allowed only when all of its arguments are legal (logical AND).
> However, the current situation is that the syscall will be accepted if any
> of the rules is satisfied (logical OR). I wonder if `seccomp` does not support
> logical AND natively. Seems that all rules of one syscall are added to a
> chain, and seccomp checks those rules one by one at runtime, stops when one
> rule is satisfied.

At present all of the argument rules in a single seccomp_rule_add() call are AND'd together, and multiple seccomp_rule_add() rules are OR'd together.

I am always open to suggestions for new filters/rules, but the goal for libseccomp isn't to solve *all* filtering problems, just to make life easier for the majority of application developers who don't want to have to write their own BPF filters and worry about all the arch/ABI specifics. There will always be some corner cases that will require developers to write their own BPF.

-- 
paul moore
www.paul-moore.com
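The two semantics Paul describes (comparisons inside one seccomp_rule_add() call are AND'd, separate calls for the same syscall are OR'd, and naming the same argument twice in one call is rejected with -EINVAL) can be made concrete with a small evaluator. The following is an added, self-contained model written for this thread; it is not libseccomp code and does not link against it. The names `model_rule_add`, `model_filter_allows`, the `cmp_op` enum and the syscall number 42 are this model's own constructed choices, shaped after the SCMP_A0..SCMP_A5 / SCMP_CMP_* style only so the mapping back to real calls is obvious.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS  6   /* seccomp exposes six syscall arguments */
#define MAX_RULES 8

/* Comparison operators; names are this model's own, shaped after SCMP_CMP_*. */
enum cmp_op { CMP_EQ, CMP_NE, CMP_LT, CMP_LE, CMP_GT, CMP_GE, CMP_MASKED_EQ };

struct arg_cmp {
    unsigned arg;      /* argument index 0..5 (like SCMP_A0..SCMP_A5) */
    enum cmp_op op;
    uint64_t datum_a;  /* value, or the mask for CMP_MASKED_EQ */
    uint64_t datum_b;  /* expected value for CMP_MASKED_EQ */
};

/* One rule == one seccomp_rule_add() call: all of its comparisons are AND'd. */
struct rule { int syscall; unsigned ncmp; struct arg_cmp cmp[MAX_ARGS]; };

/* A filter is an ordered list of rules; at match time they are OR'd. */
struct filter { unsigned nrules; struct rule rules[MAX_RULES]; };

struct call { int syscall; uint64_t args[MAX_ARGS]; };

static bool cmp_matches(const struct arg_cmp *c, uint64_t v)
{
    switch (c->op) {
    case CMP_EQ:        return v == c->datum_a;
    case CMP_NE:        return v != c->datum_a;
    case CMP_LT:        return v <  c->datum_a;
    case CMP_LE:        return v <= c->datum_a;
    case CMP_GT:        return v >  c->datum_a;
    case CMP_GE:        return v >= c->datum_a;
    case CMP_MASKED_EQ: return (v & c->datum_a) == c->datum_b;
    }
    return false;
}

/* Model of seccomp_rule_add(): every comparison in the call becomes one rule.
 * Naming the same argument twice in a single call is rejected with -EINVAL,
 * mirroring the chain[arg_num].valid check mentioned in the thread. */
int model_rule_add(struct filter *f, int syscall,
                   unsigned ncmp, const struct arg_cmp *cmps)
{
    bool seen[MAX_ARGS] = { false };
    if (ncmp > MAX_ARGS || f->nrules >= MAX_RULES)
        return -EINVAL;
    for (unsigned i = 0; i < ncmp; i++) {
        if (cmps[i].arg >= MAX_ARGS || seen[cmps[i].arg])
            return -EINVAL;
        seen[cmps[i].arg] = true;
    }
    struct rule *r = &f->rules[f->nrules++];
    r->syscall = syscall;
    r->ncmp = ncmp;
    memcpy(r->cmp, cmps, ncmp * sizeof(*cmps));
    return 0;
}

/* A rule matches only if the syscall number and EVERY comparison hold (AND). */
static bool rule_matches(const struct rule *r, const struct call *c)
{
    if (r->syscall != c->syscall)
        return false;
    for (unsigned i = 0; i < r->ncmp; i++)
        if (!cmp_matches(&r->cmp[i], c->args[r->cmp[i].arg]))
            return false;
    return true;
}

/* Runtime check: walk the rules in order, stop at the first match (OR).
 * Anything that matches no rule falls through to the default action: deny. */
bool model_filter_allows(const struct filter *f, const struct call *c)
{
    for (unsigned i = 0; i < f->nrules; i++)
        if (rule_matches(&f->rules[i], c))
            return true;
    return false;
}

int main(void)
{
    /* Constructed scenario: allow hypothetical syscall 42 only when
     * A0 == 3 AND A1 == 0, by putting both comparisons in ONE call. */
    struct arg_cmp both[2] = { { 0, CMP_EQ, 3, 0 }, { 1, CMP_EQ, 0, 0 } };
    struct call good = { 42, { 3, 0 } }, bad = { 42, { 3, 1 } };
    struct filter f, g;
    memset(&f, 0, sizeof f);
    memset(&g, 0, sizeof g);
    model_rule_add(&f, 42, 2, both);           /* one call  -> AND */
    model_rule_add(&g, 42, 1, &both[0]);       /* two calls -> OR  */
    model_rule_add(&g, 42, 1, &both[1]);
    printf("AND filter: good=%d bad=%d\n",
           model_filter_allows(&f, &good), model_filter_allows(&f, &bad));
    printf("OR filter:  good=%d bad=%d\n",
           model_filter_allows(&g, &good), model_filter_allows(&g, &bad));
    return 0;
}
```

The first filter corresponds to a single call of the form seccomp_rule_add(ctx, SCMP_ACT_ALLOW, nr, 2, A0-cmp, A1-cmp) and only admits the call with both arguments in range; the second corresponds to two separate seccomp_rule_add() calls for the same syscall, and the call with a bad A1 slips through because the A0-only rule matches first. Real libseccomp also needs a default action (SCMP_ACT_KILL or SCMP_ACT_ERRNO) from seccomp_init() and a seccomp_load(); the model's "deny by default" stands in for that.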
