RFE: Inverse of MASKED_EQ (MASKED_NEQ?) #310
Comments
I think we have some basic ideas to address #286, and while those ideas seem like the right way to address the problem it doesn't mean this request doesn't have merit on its own. @drakenclimber this seems like a reasonable request to me, and shouldn't be too painful, so I'm going to tag it for v2.6.0; if you've got any concerns or objections please shout.
I agree. This is definitely a reasonable request on its own. Thanks for the submission, @cyphar. v2.6.0 sounds like a good initial volley. Not sure what my schedule looks like in the next few weeks, but I think this sounds like a fun issue to tackle.
Sounds good. I went ahead and assigned this to you, feel free to unassign if you don't feel like you can get to it. Also, unrelated to this issue, we need to give libseccomp-golang some love ...
Agreed. I'm thinking this is my priority list for the next month or so:
This is related to opencontainers/runc#2151. In order to work around #286 and related issues, we have to generate inverse rules for all syscalls specified in our allow list. Unfortunately this is not possible for SCMP_MASKED_EQ because there is no obvious inverse condition. The way I plan to implement this outside libseccomp is through some pretty awful argument checking logic, but really it should be possible to implement this with a fairly simple BPF instruction to do NEQ after masking the argument rather than EQ.
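To make the "swap EQ for NEQ after masking" idea from the issue concrete, here is an added example (not libseccomp's code, nor runc's) that emits the classic-BPF sequence for a masked comparison on one argument word and runs it through a tiny interpreter of just the opcodes used. It simplifies in two ways that are assumptions of this example only: it compares a single 32-bit word rather than both halves of the 64-bit syscall argument as libseccomp does, and it evaluates the filter in user space instead of loading it with prctl/seccomp. The names build_masked, run_bpf and check_masked are invented for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal classic-BPF subset; opcode and return values are the kernel's
 * (linux/filter.h, linux/seccomp.h), redefined so the example builds anywhere. */
#define OP_LD_W_ABS 0x20u              /* A = 32-bit word at offset k of seccomp_data */
#define OP_AND_K    0x54u              /* A &= k */
#define OP_JEQ_K    0x15u              /* pc += (A == k) ? jt : jf */
#define OP_RET_K    0x06u              /* return k */
#define RET_ALLOW   0x7fff0000u        /* SECCOMP_RET_ALLOW */
#define RET_EPERM   (0x00050000u | 1u) /* SECCOMP_RET_ERRNO carrying errno 1 (EPERM) */
#define RET_KILL    0x00000000u        /* SECCOMP_RET_KILL_THREAD: malformed program */

struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Emit: ld [arg_off]; and #mask; jeq #value, jt, jf; ret ALLOW; ret EPERM
 * MASKED_EQ allows on a match (jt=0 falls through into ALLOW). MASKED_NEQ is the
 * identical program with jt/jf swapped, so only a mismatch reaches ALLOW. */
static void build_masked(struct insn *p, uint32_t arg_off, uint32_t mask,
                         uint32_t value, int negate)
{
    p[0] = (struct insn){OP_LD_W_ABS, 0, 0, arg_off};
    p[1] = (struct insn){OP_AND_K, 0, 0, mask};
    p[2] = (struct insn){OP_JEQ_K, negate ? 1 : 0, negate ? 0 : 1, value};
    p[3] = (struct insn){OP_RET_K, 0, 0, RET_ALLOW};
    p[4] = (struct insn){OP_RET_K, 0, 0, RET_EPERM};
}

/* Interpret the subset; 'words' stands in for struct seccomp_data as 32-bit words. */
static uint32_t run_bpf(const struct insn *p, size_t n,
                        const uint32_t *words, size_t nwords)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &p[pc];
        switch (i->code) {
        case OP_LD_W_ABS:
            if (i->k % 4 || i->k / 4 >= nwords) return RET_KILL;
            a = words[i->k / 4]; break;
        case OP_AND_K: a &= i->k; break;
        case OP_JEQ_K: pc += (a == i->k) ? i->jt : i->jf; break;
        case OP_RET_K: return i->k;
        default: return RET_KILL;
        }
    }
    return RET_KILL; /* fell off the end; the kernel verifier would reject this */
}

/* Evaluate (arg & mask) == value (negate=0) or != value (negate=1) via BPF. */
uint32_t check_masked(uint32_t arg, uint32_t mask, uint32_t value, int negate)
{
    struct insn prog[5];
    build_masked(prog, 0, mask, value, negate);
    return run_bpf(prog, 5, &arg, 1);
}
```

With mask O_ACCMODE (0x3) and value O_WRONLY (0x1), an open flags word of 0x241 (O_WRONLY|O_CREAT|O_TRUNC on x86 Linux, a constructed sample) is allowed by the EQ form and denied by the NEQ form, and a plain O_RDONLY (0x0) word the other way round, which is exactly the inverse rule the issue asks for.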