Add an operation, SECCOMP_CLONE_FILTER, that can copy the seccomp filters from another process to the current process.
Changes from v1 to v2:
* Fixed locking issues. Thanks Al, Alexei, and Kees :)
* Allow filters to be cloned if CAP_SYS_ADMIN or no new privs is set
  * I initially had only CAP_SYS_ADMIN, but I can't think of a way no new privs is harmful here, so I added it. Thanks, Kees
* Switch to passing in pidfd directly rather than a pointer to a pidfd
  * This more closely aligns with other pidfd syscalls
* Fixed warning in the sample code reported by the test robot
* Various cleanups and improvements in the selftest
Note that I left in the restriction that the target process has no seccomp filters already loaded. I could see this limitation being removed in a later patchset, but there are requests for this feature at present.
Finally, I re-ran the performance numbers and updated the patch with the latest numbers. The locking changes significantly sped up the clone operation, and it's now ~1900x faster than the current method.
Tom Hromatka (1):
  seccomp: Add SECCOMP_CLONE_FILTER operation

 .../userspace-api/seccomp_filter.rst          |  10 ++
 include/uapi/linux/seccomp.h                  |   1 +
 kernel/seccomp.c                              |  48 ++++++
 samples/seccomp/.gitignore                    |   1 +
 samples/seccomp/Makefile                      |   2 +-
 samples/seccomp/clone-filter.c                | 150 ++++++++++++++++++
 tools/include/uapi/linux/seccomp.h            |   1 +
 tools/testing/selftests/seccomp/seccomp_bpf.c | 114 +++++++++++++
 8 files changed, 326 insertions(+), 1 deletion(-)
 create mode 100644 samples/seccomp/clone-filter.c