Issue 901411 link

Starred by 0 users

Issue metadata

Status:	Available
Owner:	----
Components:	OS>Systems>Minijail
EstimatedDays:	----
NextAction:	----
OS:	Chrome
Pri:	3
Type:	Feature

support multiple filters per syscall

Project Member Reported by vapier@chromium.org, Nov 2

Issue description

this came up in https://chromium-review.googlesource.com/1310174:
- socket(AF_UNIX) is OK for syslog
- socket(AF_INET) is probed by gRPC libs and there isn't a way to disable it easily

so ideally we'd have a filter like:
socket: arg0 == AF_UNIX
socket: arg0 == AF_INET; return EINVAL

minijail currently disallows more than one filter per syscall:
minijail0: libminijail[185716]: duplicate label: '41_success'
minijail0: libminijail[185716]: failed to compile seccomp filter BPF program in 'foo.policy'

►

Issue 901411 link

Issue metadata

support multiple filters per syscall

Issue description

Sign in to add a comment