Re: [patch] let CONFIG_SECCOMP default to n
From: Albert Cahalan
Date: Thu Jul 13 2006 - 01:42:16 EST
Linus Torvalds writes:
I don't think SECCOMP is wrong per se, but I do believe that
if other approaches become more popular, and the only user of
SECCOMP is not GPL'd and uses some patented stuff, then we should
seriously look at the other interfaces (eg the extended ptrace).
Does anybody actually really _use_ SECCOMP outside of the
patented stuff?
I write debugger code. I can not possibly express how broken
the ptrace interface is. There are numerous corner conditions
that it gets terribly wrong. If you single step over any
"interesting" instructions, if the target plays funny games
with signals or the trap flag...
The utrace stuff offers some hope for eventually fixing this
mess. Please accept that or something similar.
As for SECCOMP... non-root users need high-performance ways
to sandbox things. I do not believe that one solution fits all.
Perhaps SE Linux could be extended to let users sub-divide
their accounts, and certainly ptrace could be made better.
SECCOMP is a good idea, but currently a tad too limiting.
There are a few dozen system calls that would be safe and useful,
particularly those related to signals, memory, and synchronization.
I see no reason to have a config option outside of
CONFIG_EMBEDDED. Ditch the TSC stuff though.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/