Dear friends,
this patch series adds support for nested seccomp listeners. It allows container runtimes and other sandboxing software to install seccomp listeners on top of existing ones, which is useful for nested LXC containers and other similar use-cases.
Expecting potential discussions around this patch series, I'm going to present a talk at LPC 2025 about the design and implementation details of this feature [1].
Git tree (based on for-next/seccomp):
v3: https://github.com/mihalicyn/linux/commits/seccomp.mult.listeners.v3
current: https://github.com/mihalicyn/linux/commits/seccomp.mult.listeners
Changelog for version 3:
- almost completely rewritten (no static array on the stack, no nesting limit)
- more testcases
Changelog for version 2:
- add some explanatory comments
- add RWB tags from Tycho Andersen (thanks, Tycho! ;) )
- CC-ed Aleksa as he might be interested in this stuff too
Links to previous versions:
v2: https://lore.kernel.org/all/20251202115200.110646-1-aleksandr.mikhalitsyn@ca...
tree: https://github.com/mihalicyn/linux/commits/seccomp.mult.listeners.v2
v1: https://lore.kernel.org/all/20251201122406.105045-1-aleksandr.mikhalitsyn@ca...
tree: https://github.com/mihalicyn/linux/commits/seccomp.mult.listeners.v1
[1] Link: https://lpc.events/event/19/contributions/2241/
Cc: linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: linux-kselftest@vger.kernel.org
Cc: bpf@vger.kernel.org
Cc: Kees Cook <kees@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Aleksa Sarai <cyphar@cyphar.com>
Cc: Tycho Andersen <tycho@tycho.pizza>
Cc: Andrei Vagin <avagin@gmail.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Stéphane Graber <stgraber@stgraber.org>
Alexander Mikhalitsyn (7):
  seccomp: remove unused argument from seccomp_do_user_notification
  seccomp: use bitfields for boolean flags on seccomp_filter struct
  seccomp: keep track of seccomp filters with closed listeners
  seccomp: mark first listener in the tree
  seccomp: handle multiple listeners case
  seccomp: allow nested listeners
  tools/testing/selftests/seccomp: test nested listeners
 .../userspace-api/seccomp_filter.rst          |   6 +
 include/linux/seccomp.h                       |   3 +-
 include/uapi/linux/seccomp.h                  |  13 +-
 kernel/seccomp.c                              | 129 +++++++-
 tools/include/uapi/linux/seccomp.h            |  13 +-
 tools/testing/selftests/seccomp/seccomp_bpf.c | 303 ++++++++++++++++++
 6 files changed, 438 insertions(+), 29 deletions(-)