On Sun, Jul 1, 2012 at 8:25 AM, Paolo Bonzini <address@hidden> wrote:
Il 18/06/2012 23:53, Corey Bryant ha scritto:
Can each thread have separate seccomp whitelists? For example CPU
threads should not need pretty much anything but the I/O thread needs
I/O.
No, seccomp filters are defined and enforced at the process level.
Perhaps we can add (at the kernel level) a way for seccomp filters to
examine the current tid.
seccomp filters are attached to the task_struct and apply per "thread"
or per process since they both get their own task_structs. (For
Linux, process==thread with shared resources.) Filter programs are
also inherited across clone/fork, so it's possible to install a
"global" filter program which applies which is inherited during thread
creation, then apply per-thread refinements by stacking on additional
filters (at the cost of additional evaluation time).
hth!
will