Re: [gentoo-dev] [rfc] enable USE=seccomp in default/linux/ profiles

2015-02-19 Thread Patrick McLean
On Thu, 19 Feb 2015 14:14:37 -0500
Mike Frysinger vap...@gentoo.org wrote:

> pro: improved security in daemons (often network)
> con: some packages might pull in libseccomp (~250KB)
>
> there shouldn't be measurable runtime overhead here as the filtering
> is done by a JIT in the kernel itself.  if the kernel lacks support
> for seccomp, daemons generally should fallback at runtime.  if they
> don't, people should file bugs to get them fixed.

+1

One thing to keep in mind: some upstreams don't really maintain their
seccomp functionality, so when they add usage of new syscalls the
daemon just ends up crashing. This is definitely a bug that should
be fixed though.



[gentoo-dev] [rfc] enable USE=seccomp in default/linux/ profiles

2015-02-19 Thread Mike Frysinger
pro: improved security in daemons (often network)
con: some packages might pull in libseccomp (~250KB)

there shouldn't be measurable runtime overhead here as the filtering is done by
a JIT in the kernel itself.  if the kernel lacks support for seccomp, daemons
generally should fallback at runtime.  if they don't, people should file bugs
to get them fixed.
-mike
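
As an added example (not part of the original thread, and not code from any Gentoo package): the runtime fallback described in the message above, using raw seccomp-BPF through prctl(2). The function names and the constructed policy, which only makes getppid() fail with EACCES, are assumptions made for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* 1: filter active; 0: kernel lacks seccomp filter support, keep running
 * unsandboxed; -1: unexpected failure, which a daemon should treat as fatal. */
static int sandbox_or_fallback(void)
{
    /* Constructed policy: getppid() fails with EACCES, all else is allowed.
     * A real filter is an allow-list and also checks seccomp_data.arch. */
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EACCES),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(insns) / sizeof(insns[0]),
                               .filter = insns };

    /* no_new_privs lets an unprivileged process install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 && errno != EINVAL)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0) == 0)
        return 1;
    return errno == EINVAL ? 0 : -1; /* EINVAL: filter mode not in this kernel */
}

/* Tries the sandbox in a child so the caller itself stays unfiltered.
 * Returns 1 (installed and enforced), 0 (fell back) or -1 (error). */
int probe_in_child(void)
{
    int st, r;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if ((r = sandbox_or_fallback()) != 1) _exit(r == 0 ? 0 : 3);
        /* With the filter active the denied syscall must report EACCES. */
        _exit(syscall(__NR_getppid) == -1 && errno == EACCES ? 1 : 2);
    }
    if (waitpid(pid, &st, 0) != pid || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st) <= 1 ? WEXITSTATUS(st) : -1;
}

int main(void) { return probe_in_child() < 0; }
```

The filter answers the denied syscall with SECCOMP_RET_ERRNO rather than a kill action, so a syscall missing from a stale policy shows up as an error return instead of a crashed daemon.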




Re: [gentoo-dev] [rfc] enable USE=seccomp in default/linux/ profiles

2015-02-19 Thread Markos Chandras

On 02/19/15 21:14, Mike Frysinger wrote:
> pro: improved security in daemons (often network)
> con: some packages might pull in libseccomp (~250KB)
>
> there shouldn't be measurable runtime overhead here as the
> filtering is done by a JIT in the kernel itself.  if the kernel
> lacks support for seccomp, daemons generally should fallback at
> runtime.  if they don't, people should file bugs to get them
> fixed.
> -mike
 
Yes please

-- 
Regards,
Markos Chandras