From: Ingo Molnar <mingo@elte.hu>
To: Andrew Morton <akpm@osdl.org>
Cc: Adrian Bunk <bunk@stusta.de>,
andrea@cpushare.com, linux-kernel@vger.kernel.org,
Linus Torvalds <torvalds@osdl.org>
Subject: Re: [-mm patch] seccomp: don't say it was more or less mandatory
Date: Tue, 15 Mar 2005 12:27:12 +0100
Message-ID: <20050315112712.GA3497@elte.hu>
In-Reply-To: <20050315100903.GA32198@elte.hu>

* Ingo Molnar <mingo@elte.hu> wrote:
> see my earlier counter-arguments in the thread starting at:
>
> http://marc.theaimsgroup.com/?l=linux-kernel&m=110630922022462&w=2
>
> end result of the thread: seccomp is completely unnecessary code-bloat
> and can be equivalently implemented via ptrace. I cannot believe this
> made it into -BK ...

let me moderate my initial reaction somewhat:

the point i see in seccomp is that while it cannot be trusted right now
(not because of any known factor but simply because it doesn't have
enough review, yet), it might at a certain point (in many years) become
more trustable than TRACE_SYSCALLS.

It doesn't use a 'server' process to control syscall execution,
everything is enforced by the kernel. It is also intentionally simple,
and hence maybe even provably secure from a Comp-Sci POV. (assuming
sys_read()/sys_write() and hardware-irq processing itself is secure,
which quite likely won't be provable in the foreseeable future).

Also, while the technological arguments i raised in support of ptrace
are true, ptrace has a perception issue: it is perceived as insecure -
even if PTRACE_TRACE itself is not affected. And when building trust in
a processing platform, perception is just as important as raw security.

this combination of arguments i think tips the balance in favor of
seccomp, but still, i hate the fact that the anti-ptrace sentiment was
used as a vehicle to get this feature into the kernel.

technical comment: seccomp goes outside the audit/selinux framework,
which i believe is a bug. Andrea?

	Ingo
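
Added example, not part of the message above and not code from the kernel tree: a minimal C program showing the kernel-enforced model the message describes, with no tracer or 'server' process involved. It assumes the `prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT)` interface of current Linux kernels (the message names no interface), and `run_confined` is a hypothetical helper name.

```c
#define _GNU_SOURCE
#include <linux/seccomp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 0 if the confined child finished and its write() reached us,
 * the signal number if the kernel killed it, and -1 if strict mode is
 * unavailable or anything else failed. */
int run_confined(int try_forbidden)
{
    int fds[2], status;
    char got = 0;
    pid_t pid;

    if (pipe(fds) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        /* Descriptors are opened before confinement; afterwards only
         * read, write, exit and sigreturn are permitted. */
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0)
            syscall(SYS_exit_group, 99);
        if (try_forbidden)
            syscall(SYS_getpid);      /* harmless, but not on the list */
        if (write(fds[1], "k", 1) != 1)
            syscall(SYS_exit, 1);
        syscall(SYS_exit, 0);         /* libc _exit() would use exit_group */
    }
    close(fds[1]);
    if (read(fds[0], &got, 1) < 0)
        got = 0;
    close(fds[0]);
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);      /* the kernel's verdict, not a tracer's */
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0 && got == 'k') ? 0 : -1;
}

int main(void)
{
    printf("allowed syscalls only: %d\n", run_confined(0));
    printf("with getpid():         %d (SIGKILL is %d)\n", run_confined(1), SIGKILL);
    return 0;
}
```

The child leaves through the raw `exit` syscall because the C library's `_exit()` issues `exit_group`, which strict mode does not permit.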