RFE: Inverse of MASKED_EQ (MASKED_NEQ?) #310

Open
cyphar opened this issue Jan 14, 2021 · 4 comments

@cyphar

cyphar commented Jan 14, 2021

This is related to opencontainers/runc#2151. In order to work around #286 and related issues, we have to generate inverse rules for all syscalls specified in our allow list. Unfortunately this is not possible for SCMP_MASKED_EQ because there is no obvious inverse condition.

The way I plan to implement this outside libseccomp is through some pretty awful argument checking logic, but really it should be possible to implement this with a fairly simple BPF instruction to do NEQ after masking the argument rather than EQ.
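
An added example, not code from the issue, from libseccomp or from runc: the masked comparison and its inverse written directly as classic BPF, run through a small interpreter that stands in for the kernel so nothing is loaded with seccomp(2). It assumes a little-endian host (the low word of args[n] sits at offset 16 + 8n in struct seccomp_data), compares only the low 32 bits of the argument (libseccomp's real filters also handle the high word), mirrors the opcode and return-code values from the kernel headers rather than including them, and uses helper names of my own (build_masked_filter, run_filter, decide, is_partition).

```c
/*
 * Added example, not libseccomp or runc code: SCMP_MASKED_EQ and its
 * inverse as classic BPF. Classic BPF has no "jump if not equal", so the
 * inverse is the same AND + JEQ pair with the true/false targets swapped.
 * A tiny interpreter for the four opcodes used replaces seccomp(2).
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

/* Mirrored from <linux/filter.h> / <linux/seccomp.h> so no kernel
 * headers are required; the kernel consumes exactly these encodings. */
struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
struct seccomp_data {
    int32_t  nr;
    uint32_t arch;
    uint64_t instruction_pointer;
    uint64_t args[6];
};
#define BPF_LD_W_ABS  0x20u   /* BPF_LD  | BPF_W   | BPF_ABS */
#define BPF_ALU_AND_K 0x54u   /* BPF_ALU | BPF_AND | BPF_K   */
#define BPF_JMP_JEQ_K 0x15u   /* BPF_JMP | BPF_JEQ | BPF_K   */
#define BPF_RET_K     0x06u   /* BPF_RET | BPF_K             */
#define SECCOMP_RET_KILL_PROCESS 0x80000000u
#define SECCOMP_RET_ERRNO        0x00050000u
#define SECCOMP_RET_ALLOW        0x7fff0000u

/* Byte offset of the low 32 bits of args[n]; assumes little-endian. */
#define ARG_LO(n) ((uint32_t)(offsetof(struct seccomp_data, args) + 8u * (n)))

enum { MASKED_EQ = 0, MASKED_NEQ = 1 };

/*
 * Emit a five-instruction filter:
 *   A = low word of args[arg]; A &= mask; if (A == value) ... else ...
 * MASKED_EQ takes action_hit on the equal branch, MASKED_NEQ on the
 * not-equal branch; the only difference is the jt/jf pair on the JEQ.
 * jt/jf are offsets from the *next* instruction: 0 -> prog[3], 1 -> prog[4].
 */
size_t build_masked_filter(struct sock_filter prog[5], int op, unsigned arg,
                           uint32_t mask, uint32_t value,
                           uint32_t action_hit, uint32_t action_miss)
{
    uint8_t jt = (op == MASKED_EQ) ? 0 : 1;
    uint8_t jf = (op == MASKED_EQ) ? 1 : 0;
    prog[0] = (struct sock_filter){ BPF_LD_W_ABS,  0,  0,  ARG_LO(arg) };
    prog[1] = (struct sock_filter){ BPF_ALU_AND_K, 0,  0,  mask };
    prog[2] = (struct sock_filter){ BPF_JMP_JEQ_K, jt, jf, value };
    prog[3] = (struct sock_filter){ BPF_RET_K,     0,  0,  action_hit };
    prog[4] = (struct sock_filter){ BPF_RET_K,     0,  0,  action_miss };
    return 5;
}

/* Interpreter for the cBPF subset emitted above; anything else kills. */
uint32_t run_filter(const struct sock_filter *prog, size_t len,
                    const struct seccomp_data *sd)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD_W_ABS:
            if (in->k > sizeof *sd - 4) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&a, (const uint8_t *)sd + in->k, 4);
            break;
        case BPF_ALU_AND_K:
            a &= in->k;
            break;
        case BPF_JMP_JEQ_K:
            pc += (a == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end: invalid program */
}

/* What a masked rule on args[1] decides for a call whose args[1] == argval.
 * Hit -> allow, miss -> EPERM (constructed actions for the demo). */
uint32_t decide(int op, uint32_t mask, uint32_t value, uint64_t argval)
{
    struct sock_filter prog[5];
    size_t n = build_masked_filter(prog, op, 1, mask, value,
                                   SECCOMP_RET_ALLOW,
                                   SECCOMP_RET_ERRNO | EPERM);
    struct seccomp_data sd = { .nr = 2, .arch = 0 }; /* constructed input */
    sd.args[1] = argval;
    return run_filter(prog, n, &sd);
}

/* The property an inverse rule exists for: for every argument value,
 * exactly one of MASKED_EQ and MASKED_NEQ takes its "hit" branch. */
int is_partition(uint32_t mask, uint32_t value, uint64_t argval)
{
    int eq_hit  = decide(MASKED_EQ,  mask, value, argval) == SECCOMP_RET_ALLOW;
    int neq_hit = decide(MASKED_NEQ, mask, value, argval) == SECCOMP_RET_ALLOW;
    return eq_hit != neq_hit;
}

int main(void)
{
    /* mask 0xff, value 0x42: 0x1142 matches EQ, 0x1143 matches NEQ */
    printf("EQ  0x1142 -> %08x\n", decide(MASKED_EQ,  0xff, 0x42, 0x1142));
    printf("NEQ 0x1143 -> %08x\n", decide(MASKED_NEQ, 0xff, 0x42, 0x1143));
    return 0;
}
```

The thing to notice is that nothing new is needed at the instruction level: there is no JNE in classic BPF, so "NEQ after masking" is the same load, AND and JEQ with jt and jf exchanged, which is exactly why the issue calls it a fairly simple instruction. The caveat for a real inverse of SCMP_MASKED_EQ is the 64-bit case this example skips: an equality rule on a 64-bit argument compares both words, so its inverse must fire when either word differs after masking, not only when the low one does.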

@pcmoore
Member

pcmoore commented Jan 14, 2021

I think we have some basic ideas to address #286, and while those ideas seem like the right way to address the problem it doesn't mean this request doesn't have merit on its own.

@drakenclimber this seems like a reasonable request to me, and shouldn't be too painful, so I'm going to tag it for v2.6.0; if you've got any concerns or objections please shout.

@drakenclimber
Member

I agree. This is definitely a reasonable request on its own. Thanks for the submission, @cyphar. v2.6.0 sounds like a good initial volley.

Not sure what my schedule looks like in the next few weeks, but I think this sounds like a fun issue to tackle.

@pcmoore
Member

pcmoore commented Jan 14, 2021

> Not sure what my schedule looks like in the next few weeks, but I think this sounds like a fun issue to tackle.

Sounds good. I went ahead and assigned this to you, feel free to unassign if you don't feel like you can get to it.

Also, unrelated to this issue, we need to give libseccomp-golang some love ...

@drakenclimber
Member

> Also, unrelated to this issue, we need to give libseccomp-golang some love ...

Agreed. I'm thinking this is my priority list for the next month or so:

  1. travisci.org -> travisci.com
  2. libseccomp golang
  3. MASKED_NEQ
