A mechanism for intercepting kernel upcalls
Last week, Containers as kernel objects looked at an attempt to add a formal "container" concept to the kernel, partly as a way of ensuring that kernel upcalls (calls to a user-space program from inside the kernel) would run inside the correct namespaces. This week, David Howells is back with a different approach: a way for a daemon process to intercept and handle specific key-related upcalls.
In particular, the keyctl() system call is enhanced with a KEYCTL_SERVICE_CREATE command, which returns a special file descriptor. Subsequent calls can add "filters" describing the upcalls that should be intercepted; they are described by name and a set of flags indicating a set of relevant namespaces. If the calling program's namespaces match those of a process creating an upcall, that program will be allowed to handle the call. See the patch posting for a more detailed description of how it works.