On Tuesday, January 3, 2017 at 11:01:34 PM UTC+8, Paul Moore wrote:
> On Mon, Jan 2, 2017 at 10:01 PM, An Xiao <xxxx> wrote:
> > Thanks for your reply!
> > I checked my first example, and it did return -22 (-EINVAL). Sorry for my
> > carelessness. I found this error event was emitted when the program checked
> > `chain[arg_num].valid == 0` in `db_col_rule_add()`. So, does that mean we can
> > never set two or more rules for one argument at the same time?
>
> At present you can only specify one rule per argument in a
> seccomp_rule_add[_*]() call.
>
> > As for my second example, your suggestion is perfect in that case. But I
> > want much more. I'm desirous to limit multiple arguments of one syscall, so
> > that the syscall is allowed only when all of its arguments are
> > legal (logical AND). However, the current situation is that the syscall
> > will be accepted if any of the rules is satisfied (logical OR). I wonder if
> > `seccomp` does not support logical AND natively. It seems that all rules of
> > one syscall are added to a chain, and seccomp checks those rules one by one
> > at runtime, stopping when one rule is satisfied.
>
> At present all of the argument rules in a single seccomp_rule_add()
> call are AND'd together, and multiple seccomp_rule_add() rules are
> OR'd together. I am always open to suggestions for new filters/rules,
> but the goal for libseccomp isn't to solve *all* filtering problems,
> just to make life easier for the majority of application developers
> who don't want to have to write their own BPF filters and worry about
> all the arch/ABI specifics. There will always be some corner cases
> that will require developers to write their own BPF.
>
> --
> paul moore
> www.paul-moore.com
I'll try writing BPF filters later. Thanks a lot for your help and great work. ^_^
