seccomp filters: Why kill?

Kyle Fazzari kyle.fazzari at
Wed Apr 6 12:25:18 UTC 2016

On 04/05/2016 10:01 AM, Jamie Strandboge wrote:
> On Tue, 2016-04-05 at 08:15 +0200, Didier Roche wrote:
>> Just to add another use case, I got exactly the same issue (with
>> setpriority even! ;)) on ffmepg, where the error is dealt internally in
>> code, but we didn't give it a chance to handle that exception by
>> returning an ERRNO instead of quickly killing it.
>> I think that most of upstream code is handling those kind of try/expect
>> cases and it would be better in case of denials, to let them handling it
>> (maybe their handling will be then exit(1), fine in that case)? This is
>> typically what is used with the new dynamic security permissions on
>> Android for instance.
> I'm inclined to just queue this up in the next launcher upload.
> Gustavo and Martin, please speak up if this should stay as 'KILL' (we can always
> revert the change later if desired).

It would sure make some things easier-- thanks Jamie!

Kyle Fazzari (kyrofa)
Software Engineer
Canonical Ltd.
kyle at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the snappy-devel mailing list