On Fri, Jun 12, 2026 at 10:24 PM Andy Lutomirski <[email protected]> wrote:
>
> I wonder if it would be reasonable to have the kernel do this on
> behalf of the user program that's asking for STRICT. The
> implementation would probably be trivial.

I experimented with this approach after the initial AI review, but it turned out surprisingly complex, requiring a decent amount of refactoring to allow installing kernel-resident programs. The filter itself is also rather complex (mostly due to needing to account for BPF jump sizes, which differ as different configs (uprobe, uretprobe, SECCOMP_ARCH_COMPAT) have different logic), and I'd worry about keeping logic synced. If that approach is worth pursuing though, I can submit that version of this patch.

- Jamie

