| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 26 May 2011 11:28:41 -0400 From: Colin Walters <walters@...bum.org> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Kees Cook <kees.cook@...onical.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...e.hu>, Peter Zijlstra <peterz@...radead.org>, Will Drewry <wad@...omium.org>, Steven Rostedt <rostedt@...dmis.org>, linux-kernel@...r.kernel.org Subject: Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering On Thu, May 26, 2011 at 11:03 AM, Linus Torvalds <torvalds@...ux-foundation.org> wrote: > On Thu, May 26, 2011 at 7:37 AM, Colin Walters <walters@...bum.org> wrote: >> >> I'm curious which features you feel are esoteric and cool but unused? > > Just about anything linux-specific. Ranging from the totally new > concepts (epoll/clone/splice/signalfd) to just simple cleanups and > extensions of reasonably standard stuff (sync_file_range/sendpage). epoll's very widely used via frameworks I'd say; at least the Apache runtime uses it, libevent does, and apparently the Sun JDK does: http://www.google.com/codesearch/p?hl=en#ih5hvYJNSIA/src/solaris/classes/sun/nio/ch/EPollPort.java&q=epoll&sa=N&cd=32&ct=rc And here's an entry on that: http://blogs.oracle.com/alanb/entry/epoll (Why doesn't glib? It's hard since the priority design was kind of a mistake: https://bugzilla.gnome.org/show_bug.cgi?id=156048 ) > The "it can be used in standard libraries" ends up being a very > powerful thing. It doesn't have to be libc - if something like a glib > or a big graphical interface uses them, they can get very popular. Right, that's the distinction I was trying to make. > But > if you have to have actual config options (autoconf or similar) to > enable the feature on Linux, along with a compatibility case (because > older kernels don't even support it, so it's not even "linux", it's > "linux newer than xyz"), then very very few applications end up using > it. >From my experience as a framework developer, it hasn't been hard at all to keep track of new Linux features, we talk about them a lot =) The fallback code is often obvious, like for splice(), though for signalfd it's going to much more messy to keep around the legacy helper thread case. > Unlikely? Hell no. That's standard practice. And if you allow filter > setup that survives fork+exec, you just opened a HUGE security hole. Oh definitely, setuid and process inheritance has been a source of many problems over the years, and I agree it'd be very dangerous for the syscall filters to stay open across execve. Of course in practice glibc secure mode exists to mitigate these things too; it could abort if one was in place in that case. But I was more curious about your views on Linux-specific interfaces, and you answered that; thanks! -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists