From: Ingo Molnar <mingo@elte.hu>
To: Andrew Morton <akpm@osdl.org>
Cc: Adrian Bunk <bunk@stusta.de>,
	andrea@cpushare.com, linux-kernel@vger.kernel.org,
	Linus Torvalds <torvalds@osdl.org>
Subject: Re: [-mm patch] seccomp: don't say it was more or less mandatory
Date: Tue, 15 Mar 2005 12:27:12 +0100
Message-ID: <20050315112712.GA3497@elte.hu>
In-Reply-To: <20050315100903.GA32198@elte.hu>


* Ingo Molnar <mingo@elte.hu> wrote:

> see my earlier counter-arguments in the thread starting at:
> 
>   http://marc.theaimsgroup.com/?l=linux-kernel&m=110630922022462&w=2
> 
> end result of the thread: seccomp is completely unnecessary code-bloat
> and can be equivalently implemented via ptrace. I cannot believe this
> made it into -BK ...

let me moderate my initial reaction somewhat:

the point i see in seccomp is that while it cannot be trusted right now
(not because of any known factor but simply because it doesn't have
enough review, yet), it might at a certain point (in many years) become
more trustable than TRACE_SYSCALLS.

It doesn't use a 'server' process to control syscall execution,
everything is enforced by the kernel. It is also intentionally simple,
and hence maybe even provably secure from a Comp-Sci POV. (assuming
sys_read()/sys_write() and hardware-irq processing itself is secure,
which quite likely won't be provable in the foreseeable future).

Also, while the technological arguments i raised in support of ptrace
are true, ptrace has a perception issue: it is perceived as insecure -
even if PTRACE_TRACE itself is not affected. And when building trust in
a processing platform, perception is just as important as raw security.

this combination of arguments i think tips the balance in favor of
seccomp, but still, i hate the fact that the anti-ptrace sentiment was
used as a vehicle to get this feature into the kernel.

technical comment: seccomp goes outside the audit/selinux framework,
which i believe is a bug. Andrea?

	Ingo
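
The kernel-side enforcement discussed in the message above, as an added example that is not part of the original mail or of the seccomp patch. It assumes a current Linux kernel and glibc, where strict mode is entered with prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) and permits only read, write, _exit and sigreturn; the helper name run_sandboxed and the SECCOMP_UNAVAILABLE code are hypothetical.

```c
#define _GNU_SOURCE
#include <linux/seccomp.h>
#include <signal.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define SECCOMP_UNAVAILABLE (-2) /* hypothetical code: strict mode was refused */

/*
 * Fork a child, put it in strict seccomp, and report how it ended:
 * 0 = clean exit, >0 = number of the signal that killed it,
 * SECCOMP_UNAVAILABLE or -1 = setup problem.
 */
int run_sandboxed(int try_forbidden)
{
    static const char msg[] = "child: write() still works under seccomp\n";
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* No supervising tracer: from here on the kernel is the only enforcer. */
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0)
            _exit(99);
        ssize_t n = write(STDOUT_FILENO, msg, sizeof msg - 1); /* allowed */
        (void)n;
        if (try_forbidden)
            syscall(SYS_getpid); /* harmless, but off the allow-list: SIGKILL */
        /* Raw exit(2): glibc's _exit() issues exit_group, which strict mode forbids. */
        syscall(SYS_exit, 0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    if (WIFEXITED(status) && WEXITSTATUS(status) == 99)
        return SECCOMP_UNAVAILABLE;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    /* The well-behaved child exits cleanly; the other is killed by the kernel. */
    return run_sandboxed(0) == 0 && run_sandboxed(1) == SIGKILL ? 0 : 1;
}
```

A process that already runs under a seccomp filter (for example inside a container with a seccomp profile) cannot switch to strict mode; the helper reports that case as SECCOMP_UNAVAILABLE.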
