Re: [OpenWrt-Devel] enabling seccomp by default in kernel
On Sat, 2015-02-14 at 15:31 -0800, David Lang wrote: I've also enabled the ocserv package to use seccomp if configured to, but in order for that protection to become meaningful for other programs to use as well, it would also need the default kernel option to enable seccomp filter. It needs the kernel support to use the seccomp filter, but why is this so critical that it must be enabled by default? Being critical isn't the only reason for enabling kernel options on openwrt. IPv6 isn't critical, many can live without it, but still it is there. The question is whether the added value of seccomp justifies the few kilobytes spent. My opinion on that, is that exploits on a router are more grave than on a PC, because a router is harder to upgrade, and an issue is harder to notice. For that a mechanism like seccomp which can contain potential damage, is very useful on openwrt. regards, Nikos ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] enabling seccomp by default in kernel
Hello, I've added libseccomp into packages. That library allows programs to easily restrict the system calls they are allowed to use. In turn that uses the kernel's seccomp filter. That's one of the most reliable ways to restrict/sandbox processes into specific tasks which cannot be overriden even in the event of code injection. I've also enabled the ocserv package to use seccomp if configured to, but in order for that protection to become meaningful for other programs to use as well, it would also need the default kernel option to enable seccomp filter. regards, Nikos ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] enabling seccomp by default in kernel
On Sat, 2015-02-14 at 14:54 +0100, Etienne Champetier wrote: Hi Nikos, Can you send size with/without seccomp option I compiled openwrt on lantiq (3.18.7) and the size with seccomp filter is: 1481440 Feb 14 19:12 openwrt-lantiq-xway-WBMR-uImage 3695419 Feb 14 19:12 openwrt-lantiq-xway-WBMR-uImage-initramfs while the uImage without is: 1479763 Feb 14 19:18 openwrt-lantiq-xway-WBMR-uImage 3693891 Feb 14 19:18 openwrt-lantiq-xway-WBMR-uImage-initramfs regards, Nikos ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] enabling seccomp by default in kernel
On Sat, 14 Feb 2015, Nikos Mavrogiannopoulos wrote: Hello, I've added libseccomp into packages. That library allows programs to easily restrict the system calls they are allowed to use. In turn that uses the kernel's seccomp filter. That's one of the most reliable ways to restrict/sandbox processes into specific tasks which cannot be overriden even in the event of code injection. I've also enabled the ocserv package to use seccomp if configured to, but in order for that protection to become meaningful for other programs to use as well, it would also need the default kernel option to enable seccomp filter. It needs the kernel support to use the seccomp filter, but why is this so critical that it must be enabled by default? David Lang ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] enabling seccomp by default in kernel
On 15/02/2015 00:31, David Lang wrote: On Sat, 14 Feb 2015, Nikos Mavrogiannopoulos wrote: Hello, I've added libseccomp into packages. That library allows programs to easily restrict the system calls they are allowed to use. In turn that uses the kernel's seccomp filter. That's one of the most reliable ways to restrict/sandbox processes into specific tasks which cannot be overriden even in the event of code injection. I've also enabled the ocserv package to use seccomp if configured to, but in order for that protection to become meaningful for other programs to use as well, it would also need the default kernel option to enable seccomp filter. It needs the kernel support to use the seccomp filter, but why is this so critical that it must be enabled by default? David Lang the snapshots will now have libseccomp but the kernels built wont have the feature enabled. this means the lib is useless without building your own kernel. i guess nikos is trying to solve this problem. John ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel