From mboxrd@z Thu Jan 1 00:00:00 1970
From: "H. Peter Anvin"
Subject: Re: [PATCH 2/3] [RFC] seccomp: give BPF x32 bit when restoring x32 filter
Date: Fri, 11 Jul 2014 09:30:36 -0700
Message-ID: <53C0112C.1000707@zytor.com>
References: <1458762.ra4TnS54ZN@sifl>
 <1405095407.2357.1.camel@flatline.rdu.redhat.com>
 <14055169.hesOIjNJgN@sifl>
 <1405095813.2357.3.camel@flatline.rdu.redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <1405095813.2357.3.camel@flatline.rdu.redhat.com>
Sender: linux-kernel-owner@vger.kernel.org
To: Eric Paris, Paul Moore
Cc: Richard Guy Briggs, linux-audit@redhat.com, linux-kernel@vger.kernel.org, Al Viro, Will Drewry
List-Id: linux-audit@redhat.com

On 07/11/2014 09:23 AM, Eric Paris wrote:
>>
>> You're not going to hear me ever say that I like how the x32 ABI was done, it
>> is a real mess from a seccomp filter point of view and we have to do some
>> nasty stuff in libseccomp to make it all work correctly (see my comments on
>> the libseccomp-devel list regarding my severe displeasure over x32), but
>> what's done is done.
>>
>> I think it's too late to change the x32 seccomp filter ABI.
>
> So we have a security interface that is damn near impossible to get
> right. Perfect.
>
> I think this explains exactly why I support this idea. Make X32 look
> like everyone else and put these custom horrific hacks in seccomp if we
> are unwilling to 'do it right'
>
> Honestly, how many people are using seccomp on X32 and would be horribly
> pissed if we just fixed it?
>

The bigger issue is probably if we will open a problem with the older
kernels.

	-hpa