On Mon, 4 May 2015, Theo de Raadt wrote:

> > Personally, I think seccomp-bpf could be a superior alternative to
> > systrace and I'd love to see an implementation. Other developers (inc.
> > Theo) are skeptical though, but this is probably a case where the
> > argument won't be settled without a concrete implementation to look at.
>
> I am very skeptical about a bpf-style model, because:
>
> People are currently writing policies specific to what glibc does;
> or what they believe it is doing.

I don't think we could expect to use syscall policies written for Linux
as anything more than rough guidance (or perhaps cautionary example).

> Those policies will be wide open, or too strict. If we adopt this
> into our world, the next step after that is going to be wide use of
> #ifdef within bpf rulesets.

I don't think that's necessarily true. OpenSSH only uses ifdef in the
systrace rulesets for new/deprecated syscalls, and the bpf rulesets
would be identical. Most other privsep daemons would be in a similar
boat, I expect.

-d
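Added example, not OpenSSH's sandbox code and not from either poster: a seccomp-bpf allow-list in C laid out the way the reply describes, with #ifdef only around a syscall that older headers lack (getrandom) and one a newer ABI dropped (time), while everything every Linux ABI has is listed unconditionally. The syscall list itself, the DENY_ACTION and EMIT macros and the verdict_for()/install_filter() helpers are assumptions of this example; the small interpreter covers just the three BPF opcodes the builder emits so the policy can be checked offline before it is installed.

```c
/* Added example (not OpenSSH code): a seccomp-bpf syscall allow-list where
 * only new or deprecated syscalls are wrapped in #ifdef. The list is
 * illustrative, not a real daemon's policy. Needs Linux kernel headers. */
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
#else
# error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Kill the whole process on a disallowed syscall; old headers only have KILL (thread). */
#ifdef SECCOMP_RET_KILL_PROCESS
# define DENY_ACTION SECCOMP_RET_KILL_PROCESS
#else
# define DENY_ACTION SECCOMP_RET_KILL
#endif

static const int allowed_syscalls[] = {
    __NR_read, __NR_write, __NR_close, __NR_brk, __NR_munmap,
    __NR_rt_sigreturn, __NR_exit_group,
#ifdef __NR_getrandom   /* Linux 3.17+; absent from older headers */
    __NR_getrandom,
#endif
#ifdef __NR_time        /* legacy: aarch64 has no time(2) at all */
    __NR_time,
#endif
};
#define NALLOWED (sizeof(allowed_syscalls) / sizeof(allowed_syscalls[0]))
#define EMIT(insn) do { out[n++] = (struct sock_filter)insn; } while (0)

/* Arch check, load nr, one JEQ/RET pair per allowed syscall, default deny.
 * Returns the instruction count, or 0 if `out` is too small. */
static size_t build_filter(struct sock_filter *out, size_t cap)
{
    size_t n = 0;
    if (cap < 5 + 2 * NALLOWED)
        return 0;
    EMIT(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    EMIT(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_AUDIT_ARCH, 1, 0));
    EMIT(BPF_STMT(BPF_RET | BPF_K, DENY_ACTION));   /* other ABI: nr numbering differs */
    EMIT(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    for (size_t i = 0; i < NALLOWED; i++) {
        EMIT(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)allowed_syscalls[i], 0, 1));
        EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    }
    EMIT(BPF_STMT(BPF_RET | BPF_K, DENY_ACTION));
    return n;
}

/* Minimal interpreter for the three opcodes build_filter() emits, so a policy
 * can be checked offline before it is installed. */
static unsigned int run_filter(const struct sock_filter *f, size_t n,
                               const struct seccomp_data *d)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (f[pc].code) {
        case BPF_LD | BPF_W | BPF_ABS:     /* 32-bit load from seccomp_data */
            memcpy(&acc, (const unsigned char *)d + f[pc].k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:    /* jump offsets are relative to the next insn */
            pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf;
            break;
        case BPF_RET | BPF_K:
            return f[pc].k;
        default:
            return DENY_ACTION;            /* opcode this toy interpreter lacks */
        }
    }
    return DENY_ACTION;
}

/* Verdict for one (syscall number, arch) pair under the policy above. */
unsigned int verdict_for(int nr, unsigned int arch)
{
    struct sock_filter prog[64];
    size_t n = build_filter(prog, sizeof prog / sizeof prog[0]);
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return n ? run_filter(prog, n, &d) : DENY_ACTION;
}

/* Install the policy in the calling process; returns 0 on success. */
int install_filter(void)
{
    struct sock_filter prog[64];
    struct sock_fprog fprog = { .len = (unsigned short)build_filter(prog, 64), .filter = prog };
    if (fprog.len == 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) == -1 ? -1 : 0;
}
```

Call install_filter() once the process has finished its setup and before it handles untrusted input; from then on any syscall outside the list ends the process, which is why verdict_for() exists: run it over the syscalls the sandboxed child is known to make (on this libc, on this kernel's headers) before committing to the list, since a policy copied from another platform is exactly the "wide open, or too strict" case the thread warns about.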
