On Fri, Jan 28, 2022 at 4:42 PM Daniel P. Berrangé <berra...@redhat.com> wrote:
>
> Hi Eduardo,
>
> You acked this series, but going through my old git branches I
> just discovered that this never got merged. I guess I was assuming
> you had queued it for a future PULL when you acked it.
>
> I don't mind sending a pull request myself if you've no objections.

I don't mind at all. Thanks for letting me know! I might have missed it somehow. Thank you!

>
> On Wed, Aug 04, 2021 at 10:05:38AM +0200, Eduardo Terrell Ferrari Otubo wrote:
> > On Mon, 2021-08-02 at 14:02 +0100, Daniel P. Berrangé wrote:
> > > Blocking the 'fork' syscall on Linux is not sufficient to block the
> > > 'fork' C library function, because the latter is essentially always
> > > implemented using the 'clone' syscall these days.
> > >
> > > Blocking 'clone' is difficult as that also blocks pthread creation,
> > > so it needs careful filtering.
> > >
> > > Daniel P. Berrangé (5):
> > >   seccomp: allow action to be customized per syscall
> > >   seccomp: add unit test for seccomp filtering
> > >   seccomp: fix blocking of process spawning
> > >   seccomp: block use of clone3 syscall
> > >   seccomp: block setns, unshare and execveat syscalls
> > >
> > >  MAINTAINERS               |   1 +
> > >  softmmu/qemu-seccomp.c    | 282 +++++++++++++++++++++++++++++---------
> > >  tests/unit/meson.build    |   4 +
> > >  tests/unit/test-seccomp.c | 269 ++++++++++++++++++++++++++++++++++++
> > >  4 files changed, 490 insertions(+), 66 deletions(-)
> > >  create mode 100644 tests/unit/test-seccomp.c
> > >
> > > --
> > > 2.31.1
> > >
> > >
> >
> > Acked-by: Eduardo Otubo <ot...@redhat.com>
> >
> > --
> > Eduardo Otubo
> >
> >
> >
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
>
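The problem described in the quoted cover letter, as an added sketch that is not taken from this thread or from the QEMU patches: a raw seccomp BPF program that rejects `fork`/`vfork` and any `clone` lacking `CLONE_THREAD`, so libc's `fork()` fails while thread creation still passes. The names `spawn_filter`, `install_spawn_filter` and `spawn_filter_verdict`, the errno choices and the `CLONE_THREAD`-only test are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/sched.h>   /* CLONE_THREAD */
#include <linux/seccomp.h>
#define DENY(e)       BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (e))
#define IF_NR(nr, jf) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, (jf))

/* Hypothetical policy: refuse new processes, keep pthread creation working. */
static struct sock_filter spawn_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_fork    /* legacy syscalls, absent on e.g. aarch64 */
    IF_NR(__NR_fork, 1), DENY(EPERM),
#endif
#ifdef __NR_vfork
    IF_NR(__NR_vfork, 1), DENY(EPERM),
#endif
    /* clone3 flags sit behind a pointer BPF cannot read: ENOSYS makes libc use clone */
    IF_NR(__NR_clone3, 1), DENY(ENOSYS),
    IF_NR(__NR_clone, 3),  /* any other syscall: skip to ALLOW */
    /* clone flags: low 32 bits of arg 0 (x86_64/aarch64, little-endian) */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, CLONE_THREAD, 1, 0),
    DENY(EPERM),           /* no CLONE_THREAD: the fork() path */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Install on the calling thread; returns 0 on success, -1 with errno set. */
int install_spawn_filter(void) {
    struct sock_fprog prog = { sizeof spawn_filter / sizeof spawn_filter[0], spawn_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Evaluate the filter in user space (only the four opcodes used above). */
uint32_t spawn_filter_verdict(int nr, uint64_t arg0) {
    struct seccomp_data sd = { .nr = nr, .args = { arg0 } };
    uint32_t acc = 0;
    for (const struct sock_filter *f = spawn_filter;; f++) {
        if (f->code == (BPF_LD | BPF_W | BPF_ABS)) memcpy(&acc, (char *)&sd + f->k, 4);
        else if (f->code == (BPF_JMP | BPF_JEQ | BPF_K)) f += (acc == f->k) ? f->jt : f->jf;
        else if (f->code == (BPF_JMP | BPF_JSET | BPF_K)) f += (acc & f->k) ? f->jt : f->jf;
        else return f->k;  /* BPF_RET | BPF_K */
    }
}
```

A production filter would also check `seccomp_data.arch` before trusting the syscall number, and testing only `CLONE_THREAD` is a simplification of the careful filtering the cover letter calls for.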