Re: [gentoo-dev] [rfc] enable USE=seccomp in default/linux/ profiles
On Thu, 19 Feb 2015 14:14:37 -0500 Mike Frysinger vap...@gentoo.org wrote:

> pro: improved security in daemons (often network)
> con: some packages might pull in libseccomp (~250KB)
>
> there shouldn't be measurable runtime overhead here as the filtering is done by a JIT in the kernel itself.
>
> if the kernel lacks support for seccomp, daemons generally should fallback at runtime. if they don't, people should file bugs to get them fixed.

+1

One thing to keep in mind: some upstreams don't really maintain their seccomp functionality, so when they add usage of new syscalls the daemon just ends up crashing. This is definitely a bug that should be fixed though.
[gentoo-dev] [rfc] enable USE=seccomp in default/linux/ profiles
pro: improved security in daemons (often network)
con: some packages might pull in libseccomp (~250KB)

there shouldn't be measurable runtime overhead here as the filtering is done by a JIT in the kernel itself.

if the kernel lacks support for seccomp, daemons generally should fallback at runtime. if they don't, people should file bugs to get them fixed.

-mike
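The runtime fallback described in the message above, as an added example that is not part of the thread or of any daemon's own code: it probes for seccomp filter support with a NULL-filter `prctl` call, keeps running unsandboxed if the kernel lacks it, and otherwise loads a constructed placeholder filter written as raw BPF rather than with libseccomp. The names `filter_supported`, `probe_seccomp_filter` and `enter_sandbox` are hypothetical.

```c
/* Added example: probe for seccomp-bpf at runtime and fall back if absent. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

enum sandbox_state { SANDBOX_ON, SANDBOX_UNSUPPORTED, SANDBOX_ERROR };

/* Interpret a deliberately invalid PR_SET_SECCOMP call (NULL filter program).
 * EFAULT: the kernel got as far as copying the pointer, so filter mode exists.
 * Anything else (typically EINVAL): treat filter mode as unavailable. */
int filter_supported(int rc, int err) {
    return rc == -1 && err == EFAULT;
}

int probe_seccomp_filter(void) {
    int rc = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
    return filter_supported(rc, errno);
}

enum sandbox_state enter_sandbox(void) {
    /* Constructed placeholder policy: ptrace fails with EPERM, everything
     * else is allowed. A real filter also validates seccomp_data.arch. */
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_ptrace, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(insns) / sizeof(insns[0]), .filter = insns };

    if (!probe_seccomp_filter()) {
        fprintf(stderr, "seccomp filter unavailable, running unsandboxed\n");
        return SANDBOX_UNSUPPORTED;   /* runtime fallback instead of a crash */
    }
    /* Unprivileged processes must set no_new_privs before loading a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0) != 0)
        return SANDBOX_ERROR;         /* supported but refused: report it */
    return SANDBOX_ON;
}

int main(void) { return enter_sandbox() == SANDBOX_ERROR; }
```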
Re: [gentoo-dev] [rfc] enable USE=seccomp in default/linux/ profiles
On 02/19/15 21:14, Mike Frysinger wrote:

> pro: improved security in daemons (often network)
> con: some packages might pull in libseccomp (~250KB)
>
> there shouldn't be measurable runtime overhead here as the filtering is done by a JIT in the kernel itself.
>
> if the kernel lacks support for seccomp, daemons generally should fallback at runtime. if they don't, people should file bugs to get them fixed.
> -mike

Yes please

--
Regards,
Markos Chandras