syscall_user_dispatch: Add PR_SYS_DISPATCH_INCLUSIVE_ON
author Dmitry Vyukov <dvyukov@google.com>
Wed, 21 May 2025 15:04:29 +0000 (17:04 +0200)
committer Thomas Gleixner <tglx@linutronix.de>
Fri, 13 Jun 2025 16:36:39 +0000 (18:36 +0200)
commit a2fc422ed75748eef2985454e97847fb22f873c2
tree 811388d91b3d50b1b65b3b7230174de8a36448ce
parent b89732c8c8357487185f260a723a060b3476144e

There are two possible scenarios for syscall filtering:
 - having a trusted/allowed range of PCs, and intercepting everything else
 - or the opposite: a single untrusted/intercepted range and allowing
   everything else (this is relevant for any kind of sandboxing scenario,
   or monitoring behavior of a single library)

The current API only allows the former use case due to the allowed
range wrap-around check. Add PR_SYS_DISPATCH_INCLUSIVE_ON that
enables the second use case.

Add PR_SYS_DISPATCH_EXCLUSIVE_ON alias for PR_SYS_DISPATCH_ON
to make it clear how it's different from the new
PR_SYS_DISPATCH_INCLUSIVE_ON.

Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/all/97947cc8e205ff49675826d7b0327ef2e2c66eea.1747839857.git.dvyukov@google.com
Documentation/admin-guide/syscall-user-dispatch.rst
include/uapi/linux/prctl.h
kernel/entry/syscall_user_dispatch.c
tools/include/uapi/linux/prctl.h
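
The two scenarios from the commit message, as an added userspace model (not code from this commit or from the kernel tree): it shows why a wrap-around check on the allowed range rules out "intercept one range, allow everything else", and how an inclusive mode can express that case with the same single range compare. The names `sud_mode`, `sud_cfg`, `sud_configure` and `sud_intercepts` are hypothetical, the addresses are constructed, and only the PC range check is modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model-only names; these are not the uapi constants from prctl.h. */
enum sud_mode { SUD_EXCLUSIVE, SUD_INCLUSIVE };
struct sud_cfg { uint64_t offset, len; };  /* PCs allowed to issue syscalls */

/* Validate a request and store the allowed PC range; false means rejected. */
static bool sud_configure(enum sud_mode mode, uint64_t offset, uint64_t len,
                          struct sud_cfg *cfg)
{
    if (mode == SUD_EXCLUSIVE) {
        /* Wrap-around check: the allowed range may not cross 2^64. */
        if (offset && offset + len <= offset)
            return false;
    } else {
        /* The intercepted range must be non-empty and must not wrap. */
        if (len == 0 || offset + len <= offset)
            return false;
        /* Store its complement, which starts at the range's end and wraps
         * through 0 back up to 'offset'. */
        offset += len;
        len = -len;
    }
    cfg->offset = offset;
    cfg->len = len;
    return true;
}

/* One unsigned compare serves both modes: a PC inside the stored range runs
 * its syscall natively, any other PC is intercepted. */
static bool sud_intercepts(const struct sud_cfg *cfg, uint64_t pc)
{
    return pc - cfg->offset >= cfg->len;
}

int main(void)
{
    /* Constructed addresses: an untrusted 1 MiB library mapping. */
    const uint64_t lib = 0x7f0000000000ULL, size = 0x100000ULL;
    struct sud_cfg cfg;
    if (!sud_configure(SUD_INCLUSIVE, lib, size, &cfg))
        return 1;
    printf("in lib: %d, elsewhere: %d\n",
           sud_intercepts(&cfg, lib + 0x10), sud_intercepts(&cfg, 0x400000));
    /* The same complement cannot be requested in exclusive mode. */
    return sud_configure(SUD_EXCLUSIVE, lib + size, -size, &cfg) ? 1 : 0;
}
```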