There are two possible scenarios for syscall filtering:

- having a trusted/allowed range of PCs, and intercepting everything else
- or the opposite: a single untrusted/intercepted range and allowing everything else (this is relevant for any kind of sandboxing scenario, or monitoring behavior of a single library)

The current API only allows the former use case due to the allowed range wrap-around check.

Add PR_SYS_DISPATCH_INCLUSIVE_ON that enables the second use case.

Add PR_SYS_DISPATCH_EXCLUSIVE_ON alias for PR_SYS_DISPATCH_ON to make it clear how it's different from the new PR_SYS_DISPATCH_INCLUSIVE_ON.

Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/all/97947cc8e205ff49675826d7b0327ef2e2c66eea.1747839857.git.dvyukov@google.com
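An added example, not part of this commit or of the kernel tree: a C model of which syscall sites each dispatch mode intercepts, beside the prctl() call a sandbox or library monitor would use to select a mode. The constant values mirror include/uapi/linux/prctl.h (the #ifndef fallbacks assume those values where the local headers are older); sud_intercepts() is a simplified restatement of the semantics described above, not the kernel's own check, and it ignores the per-thread selector byte that can additionally switch dispatch off.

```c
#include <stdbool.h>
#include <stdint.h>
#include <sys/prctl.h>

/* Fallbacks for headers that predate this commit; values as in uapi prctl.h. */
#ifndef PR_SET_SYSCALL_USER_DISPATCH
#define PR_SET_SYSCALL_USER_DISPATCH 59
#define PR_SYS_DISPATCH_OFF 0
#define PR_SYS_DISPATCH_ON 1
#define SYSCALL_DISPATCH_FILTER_ALLOW 0
#define SYSCALL_DISPATCH_FILTER_BLOCK 1
#endif
#ifndef PR_SYS_DISPATCH_EXCLUSIVE_ON
#define PR_SYS_DISPATCH_EXCLUSIVE_ON PR_SYS_DISPATCH_ON
#endif
#ifndef PR_SYS_DISPATCH_INCLUSIVE_ON
#define PR_SYS_DISPATCH_INCLUSIVE_ON 2
#endif

/* Model of the decision: is a syscall issued from instruction address `pc`
 * redirected to SIGSYS?  1 = intercepted, 0 = allowed, -1 = the range
 * [start, start+len) is rejected because it wraps around (EINVAL). */
int sud_intercepts(int mode, uint64_t start, uint64_t len, uint64_t pc)
{
    bool in_range;

    if (mode == PR_SYS_DISPATCH_OFF)
        return 0;
    if (start + len < start)            /* wrap-around: invalid range */
        return -1;
    in_range = pc >= start && pc < start + len;
    if (mode == PR_SYS_DISPATCH_EXCLUSIVE_ON)
        return !in_range;   /* range is the trusted code: intercept the rest */
    if (mode == PR_SYS_DISPATCH_INCLUSIVE_ON)
        return in_range;    /* range is the untrusted code: intercept only it */
    return -1;              /* unknown mode */
}

/* The real call: enable dispatch in `mode` for [start, start+len) and give
 * the kernel the address of a selector byte it reads on every syscall
 * (SYSCALL_DISPATCH_FILTER_BLOCK = intercept, _ALLOW = let it through).
 * Returns 0 on success, -1 with errno set on failure (e.g. an old kernel
 * that does not know PR_SYS_DISPATCH_INCLUSIVE_ON returns EINVAL). */
int sud_enable(int mode, void *start, unsigned long len, char *selector)
{
    return prctl(PR_SET_SYSCALL_USER_DISPATCH, mode, start, len, selector);
}
```

With PR_SYS_DISPATCH_INCLUSIVE_ON the SIGSYS handler itself, living in libc or the main binary outside the monitored range, can keep making syscalls without first flipping the selector to ALLOW.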