Message-ID: <87k0ua26gm.fsf@oldenburg2.str.redhat.com>
Date: Tue, 24 Nov 2020 15:08:09 +0100
From: Florian Weimer <fweimer@...hat.com>
To: Christoph Hellwig <hch@...radead.org>
Cc: linux-api@...r.kernel.org, linux-doc@...r.kernel.org,
linux-kernel@...r.kernel.org, dev@...ncontainers.org,
corbet@....net, Carlos O'Donell <carlos@...hat.com>
Subject: Re: [PATCH] syscalls: Document OCI seccomp filter interactions &
workaround
* Christoph Hellwig:
> On Tue, Nov 24, 2020 at 01:08:20PM +0100, Florian Weimer wrote:
>> This documents a way to safely use new security-related system calls
>> while preserving compatibility with container runtimes that require
>> insecure emulation (because they filter the system call by default).
>> Admittedly, it is somewhat hackish, but it can be implemented by
>> userspace today, for existing system calls such as faccessat2,
>> without kernel or container runtime changes.
>
> I think this is completely insane. Tell the OCI folks to fix their
> completely broken specification instead.

Do you categorically reject the general advice, or specific instances as
well? Like this workaround for faccessat that follows the pattern I
outlined:

<https://sourceware.org/pipermail/libc-alpha/2020-November/119955.html>

I value your feedback and want to make sure I capture it accurately.

Thanks,
Florian
--
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill