Hi Andrew, Would you be willing to carry this series? Andy Lutomirski appears happy with it now. (Thanks again for all the feedback Andy!) If so, it has a relatively small merge conflict with the bpf changes living in net-next. Would you prefer I rebase against net-next, let sfr handle it, get carried in net-next, or some other option?
Thanks! -Kees On Thu, May 22, 2014 at 4:05 PM, Kees Cook <keesc...@chromium.org> wrote: > This adds the ability for threads to request seccomp filter > synchronization across their thread group (either at filter attach time > or later). (For example, for Chrome to make sure graphic driver threads > are fully confined after seccomp filters have been attached.) > > To support this, seccomp locking on writes is introduced, along with > refactoring of no_new_privs. Races with thread creation are handled via > the tasklist_list. > > I think all the concerns raised during the discussion[1] of the first > version of this patch have been addressed. However, the races involved > have tricked me before. :) > > Thanks! > > -Kees > > [1] https://lkml.org/lkml/2014/1/13/795 > > v5: > - move includes around (drysdale) > - drop set_nnp return value (luto) > - use smp_load_acquire/store_release (luto) > - merge nnp changes to seccomp always, fewer ifdef (luto) > v4: > - cleaned up locking further, as noticed by David Drysdale > v3: > - added SECCOMP_EXT_ACT_FILTER for new filter install options > v2: > - reworked to avoid clone races > -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
