libseccomp

RFE: implement range checks

Open topimiettinen opened this issue 8 years ago • 1 comments

Please add support for checking (preferably multiple and masked) range(s) of values. For example in systemd (https://github.com/systemd/systemd/pull/6256) we'd like to construct a filter which only allows personality(2) with the following use cases:

- personality(0xffffffff) to query personality
- personality(PER_LINUX) (or personality(PER_LINUX32)) for effectively no change to current personality

while blocking all other cases.

This could be implemented with new (optionally masked and/or negated) compare operations with multiple ranges complemented with a negative check: SCMP_CMP_MASKED_INRANGE, SCMP_CMP_MASKED_NOTINRANGE, SCMP_CMP_INRANGE and SCMP_CMP_NOTINRANGE.

#44 may be related.

topimiettinen, Sep 10 '17 10:09
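The policy requested above, written by hand as the classic-BPF comparisons a seccomp filter evaluates, with each allowed value taking its own equality jump. This is an added example, not code from the issue, libseccomp or systemd; the names `personality_filter` and `filter_verdict`, the EPERM deny action, default-allow for other syscalls and the little-endian argument layout are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/personality.h>
#include <sys/syscall.h>

/* Assumption: little-endian, so the low 32 bits of args[0] sit at its offset. */
#define ARG0_LO offsetof(struct seccomp_data, args[0])
#define DENY (SECCOMP_RET_ERRNO | EPERM) /* assumed deny action */

/* Allowed personality() values from the issue; a production filter checks seccomp_data.arch first. */
static const struct sock_filter personality_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_personality, 0, 4), /* other syscalls: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG0_LO),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0xffffffff, 2, 0),      /* query only */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PER_LINUX, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PER_LINUX32, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, DENY),
};

/* Userspace evaluator for the three opcodes used above; nothing is installed in the kernel. */
uint32_t filter_verdict(long nr, uint64_t arg0)
{
    struct seccomp_data sd = { .nr = (int)nr, .args = { arg0 } };
    size_t n = sizeof(personality_filter) / sizeof(personality_filter[0]);
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *i = &personality_filter[pc];
        if (i->code == (BPF_LD | BPF_W | BPF_ABS) && i->k + 4 <= sizeof(sd))
            memcpy(&acc, (const char *)&sd + i->k, 4);  /* load a 32-bit field */
        else if (i->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == i->k) ? i->jt : i->jf;        /* relative jump */
        else
            return i->code == (BPF_RET | BPF_K) ? i->k : SECCOMP_RET_KILL;
    }
    return SECCOMP_RET_KILL;
}

int main(void)
{
    printf("PER_LINUX -> %#x, PER_SVR4 -> %#x\n",
           (unsigned)filter_verdict(SYS_personality, PER_LINUX),
           (unsigned)filter_verdict(SYS_personality, PER_SVR4));
    return 0;
}
```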

In an effort to get v2.6.0 out sooner than later, I'm going to suggest we push this out to v2.7.0; if you have any concerns or objections please drop a comment.

pcmoore, Jan 07 '24 00:01