author | Tycho Andersen <tycho@tycho.ws> | 2018-12-09 19:24:14 +0100 |
---|---|---|
committer | Kees Cook <keescook@chromium.org> | 2018-12-12 01:32:11 +0100 |
commit | fec7b6690541b8128663a13c9586b1daf42b0a6c (patch) | |
tree | c5f07046f22b36ef62ff7cc02511acd0ace8ce9f /samples/seccomp/.gitignore | |
parent | seccomp: add a return code to trap to userspace (diff) | |
samples: add an example of seccomp user trap

The idea here is just to give a demonstration of how one could safely use
the SECCOMP_RET_USER_NOTIF feature to do mount policies. This particular
policy is (as noted in the comment) not very interesting, but it serves to
illustrate how one might apply a policy dodging the various TOCTOU issues.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>
CC: Kees Cook <keescook@chromium.org>
CC: Andy Lutomirski <luto@amacapital.net>
CC: Oleg Nesterov <oleg@redhat.com>
CC: Eric W. Biederman <ebiederm@xmission.com>
CC: "Serge E. Hallyn" <serge@hallyn.com>
CC: Christian Brauner <christian@brauner.io>
CC: Tyler Hicks <tyhicks@canonical.com>
CC: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'samples/seccomp/.gitignore')
-rw-r--r-- | samples/seccomp/.gitignore | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/samples/seccomp/.gitignore b/samples/seccomp/.gitignore index 78fb78184291..d1e2e817d556 100644 --- a/samples/seccomp/.gitignore +++ b/samples/seccomp/.gitignore @@ -1,3 +1,4 @@ bpf-direct bpf-fancy dropper +user-trap |
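Review bot: the new `user-trap` entry in the `@@ -1,3 +1,4 @@` hunk must match the name of the binary that the samples/seccomp build actually produces. This view is limited to `.gitignore`, so that name cannot be confirmed here; check it against the Makefile change in the full commit so a renamed or differently spelled target does not leave a build artifact untracked in `git status`. The entry is unanchored like the existing `bpf-direct`, `bpf-fancy` and `dropper` lines, which is consistent for this directory-local file and needs no change.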