APPLIED: [Precise][Pull Request] SECCOMP mode 2, BPF

Tim Gardner rtg.canonical at
Tue Mar 27 02:21:04 UTC 2012

On 03/23/2012 12:14 AM, Kees Cook wrote:
> Hi,
> On Thu, Mar 22, 2012 at 01:43:57PM -0500, Will Drewry wrote:
>> On Thu, Mar 22, 2012 at 8:07 AM, Tim Gardner<tim.gardner at>  wrote:
>>> On 03/21/2012 02:35 PM, Kees Cook wrote:
>>>> On Wed, Mar 21, 2012 at 02:28:33PM -0600, Tim Gardner wrote:
>>>>> Applied for now pending Leann's opinion. I've made a first pass review.
>>>>> Some of it is a bit dense. I'll have another look tomorrow.
>>>> Thanks! I'm happy to field any questions about it, if that helps, and
>>>> if I can't answer them, I'm sure Will can. :)
>>> So I guess it got uploaded. How about a quick description of how to
>>> utilize the seccomp filter?
>>> [...]
>>> In the meantime I guess I'll go read the seccomp patch to the
>>> Documentation directory.
>> If the docs can be made more coherent, I'm more than happy to change them up.
> I've put together a little tutorial (with working code samples) on using
> basic syscall filtering via seccomp filter here:
> -Kees

Kees - I've read through your tutorial. Thanks by the way for that. With 
regard to determining seccomp BPF functionality, do you think its 
sufficient to just test for one or two syscalls ? That will at least 
indicate that the seccomp subsystem is alive and functional. We could 
almost just use your example program for that.

Is there benefit to performing an exhaustive syscall filter test, or are 
all syscalls treated the same ?


P.S. I know I should just go look at the code, but I'm feeling kinda 
lazy tonight.
Tim Gardner tim.gardner at

More information about the kernel-team mailing list