* [gentoo-dev] [rfc] enable USE=seccomp in default/linux/ profiles
@ 2015-02-19 19:14 Mike Frysinger
From: Mike Frysinger @ 2015-02-19 19:14 UTC
To: gentoo-dev
pro: improved security in daemons (often network)
con: some packages might pull in libseccomp (~250KB)
there shouldn't be measurable runtime overhead here as the filtering is done by
a JIT in the kernel itself. if the kernel lacks support for seccomp, daemons
generally should fall back at runtime. if they don't, people should file bugs to
get them fixed.
-mike
* Re: [gentoo-dev] [rfc] enable USE=seccomp in default/linux/ profiles
From: Patrick McLean @ 2015-02-19 19:18 UTC
To: Mike Frysinger; +Cc: gentoo-dev
On Thu, 19 Feb 2015 14:14:37 -0500
Mike Frysinger <vapier@gentoo.org> wrote:
> pro: improved security in daemons (often network)
> con: some packages might pull in libseccomp (~250KB)
>
> there shouldn't be measurable runtime overhead here as the filtering
> is done by a JIT in the kernel itself. if the kernel lacks support
> for seccomp, daemons generally should fall back at runtime. if they
> don't, people should file bugs to get them fixed.
+1
One thing to keep in mind: some upstreams don't really maintain their
seccomp functionality, so when they add usage of new syscalls, the
daemon just ends up crashing. This is definitely a bug that should
be fixed though.
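Both points above (a daemon falling back at runtime when the kernel has no seccomp filter support, and an allowlist that kills the daemon as soon as upstream starts using a syscall it forgot) as an added C example that is not from this thread or from any Gentoo package. It uses the raw prctl(2) interface rather than libseccomp; `install_filter`, `check_filter_in_child` and the allowlist itself are hypothetical and constructed for x86_64/aarch64, and unlisted syscalls return ENOSYS instead of killing the process so a gap in the list surfaces as a logged error rather than a crash.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "set the AUDIT_ARCH_* value for this architecture"
#endif
#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
/* Constructed allowlist for a daemon's steady state: unlisted syscalls get
 * ENOSYS (SECCOMP_RET_ERRNO), not SECCOMP_RET_KILL, so a new upstream syscall is logged, not a crash. */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* foreign ABI: never misread nr */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW(SYS_read), ALLOW(SYS_write), ALLOW(SYS_exit_group), ALLOW(SYS_exit),
    ALLOW(SYS_rt_sigreturn),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS),
};
enum { SECCOMP_FALLBACK = 0, SECCOMP_ENFORCED = 1, SECCOMP_ERROR = 2 };
/* EINVAL from PR_SET_SECCOMP = kernel without filter support: keep running unfiltered. */
int install_filter(void)
{
    struct sock_fprog prog = { sizeof(filter) / sizeof(filter[0]), filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return SECCOMP_ERROR;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0) == 0) return SECCOMP_ENFORCED;
    return errno == EINVAL ? SECCOMP_FALLBACK : SECCOMP_ERROR;
}
/* Self-check in a forked child: ENFORCED only if getpid (unlisted) really fails with ENOSYS. */
int check_filter_in_child(void)
{
    int status, rc = fork();
    if (rc == 0) {
        rc = install_filter();
        if (rc == SECCOMP_ENFORCED && !(syscall(SYS_getpid) < 0 && errno == ENOSYS))
            rc = SECCOMP_ERROR; /* filter installed but not enforcing */
        _exit(rc);
    }
    if (rc < 0 || waitpid(rc, &status, 0) < 0 || !WIFEXITED(status)) return SECCOMP_ERROR;
    return WEXITSTATUS(status);
}
```

The child exits with the filter's status so the parent can decide at startup whether it is running enforced or in fallback mode and log that fact.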
* Re: [gentoo-dev] [rfc] enable USE=seccomp in default/linux/ profiles
From: Markos Chandras @ 2015-02-19 23:03 UTC
To: gentoo-dev
On 02/19/15 21:14, Mike Frysinger wrote:
> pro: improved security in daemons (often network)
> con: some packages might pull in libseccomp (~250KB)
>
> there shouldn't be measurable runtime overhead here as the
> filtering is done by a JIT in the kernel itself. if the kernel
> lacks support for seccomp, daemons generally should fall back at
> runtime. if they don't, people should file bugs to get them
> fixed.
> -mike
>
Yes please
--
Regards,
Markos Chandras
* [gentoo-dev] [PATCH] profiles: linux: enable USE=seccomp by default
From: Mike Frysinger @ 2015-08-13 7:29 UTC
To: gentoo-dev
---
profiles/default/linux/make.defaults | 3 +++
1 file changed, 3 insertions(+)
diff --git a/profiles/default/linux/make.defaults b/profiles/default/linux/make.defaults
index 7ad3bdb..be2f6a1 100644
--- a/profiles/default/linux/make.defaults
+++ b/profiles/default/linux/make.defaults
@@ -17,6 +17,9 @@ USE="berkdb crypt ipv6 ncurses nls pam readline ssl tcpd zlib"
# make sure toolchain has sane defaults <tooclhain@gentoo.org>
USE="${USE} fortran openmp"
+# Security ftw.
+USE="${USE} seccomp"
+
# 2010/10/21 - Ole Markus With <olemarkus@gentoo.org>
# These USE flags were originally inserted here because of PHP
# and were later removed by me. Reinserting the USE flags again because they are
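Review bot: the new `+# Security ftw.` comment does not follow the conventions visible in this file, where entries carry a date and an owner (`# 2010/10/21 - Ole Markus With <olemarkus@gentoo.org>`) or state why the flag is set (`# make sure toolchain has sane defaults`). Suggest recording the rationale from the RFC so the next person touching make.defaults knows the trade-off: seccomp hardens (often network-facing) daemons, may pull libseccomp (~250KB) into some packages, and daemons are expected to fall back at runtime on kernels without seccomp, with a missing fallback treated as a bug to report. Something like `# 2015/08/13 - Mike Frysinger <vapier@gentoo.org>` followed by `# Enable seccomp filtering in daemons; they fall back at runtime if the kernel lacks it.` would match the surrounding style. Drive-by: the unchanged context line above carries `tooclhain@gentoo.org`, a typo for toolchain, worth a separate fix.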
--
2.4.4