public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] [RFC] Make "seccomp" USE flag global
From: Andrew Savchenko @ 2015-02-20 23:44 UTC
  To: gentoo-dev

Hello,

at this moment 8 packages use "seccomp" flag:

app-admin/clsync
app-emulation/qemu
app-emulation/lxc
net-dns/bind
net-misc/tlsdate
net-misc/tor
net-misc/lldpd
sys-apps/systemd

for the very same reason: enable seccomp filtering to improve
security. Some of them use seccomp directly via system calls, while
others rely on sys-libs/libseccomp, but this should make no
difference for users.

I propose to add global "seccomp" USE flag as follows:

seccomp - Enable seccomp for system call filtering

and remove local descriptions for affected packages.

Comments?

Best regards,
Andrew Savchenko


* Re: [gentoo-dev] [RFC] Make "seccomp" USE flag global
From: Andrew Savchenko @ 2015-02-28  1:46 UTC
  To: gentoo-dev

On Sat, 21 Feb 2015 02:44:54 +0300 Andrew Savchenko wrote:
> Hello,
> 
> at this moment 8 packages use "seccomp" flag:
> 
> app-admin/clsync
> app-emulation/qemu
> app-emulation/lxc
> net-dns/bind
> net-misc/tlsdate
> net-misc/tor
> net-misc/lldpd
> sys-apps/systemd
> 
> for the very same reason: enable seccomp filtering to improve
> security. Some of them use seccomp directly via system calls, while
> others rely on sys-libs/libseccomp, but this should make no
> difference for users.
> 
> I propose to add global "seccomp" USE flag as follows:
> 
> seccomp - Enable seccomp for system call filtering
> 
> and remove local descriptions for affected packages.
> 
> Comments?

Ping.

If there are no objections, I'll commit the following changes in a
week:
1) Add global seccomp flag with description above.
2) Remove local seccomp descriptions from metadata of the packages
listed above.

Best regards,
Andrew Savchenko


* Re: [gentoo-dev] [RFC] Make "seccomp" USE flag global
From: Matt Turner @ 2015-02-28  1:48 UTC
  To: gentoo-dev

On Fri, Feb 27, 2015 at 5:46 PM, Andrew Savchenko <bircoph@gentoo.org> wrote:
> On Sat, 21 Feb 2015 02:44:54 +0300 Andrew Savchenko wrote:
>> Hello,
>>
>> at this moment 8 packages use "seccomp" flag:
>>
>> app-admin/clsync
>> app-emulation/qemu
>> app-emulation/lxc
>> net-dns/bind
>> net-misc/tlsdate
>> net-misc/tor
>> net-misc/lldpd
>> sys-apps/systemd
>>
>> for the very same reason: enable seccomp filtering to improve
>> security. Some of them use seccomp directly via system calls, while
>> others rely on sys-libs/libseccomp, but this should make no
>> difference for users.
>>
>> I propose to add global "seccomp" USE flag as follows:
>>
>> seccomp - Enable seccomp for system call filtering
>>
>> and remove local descriptions for affected packages.
>>
>> Comments?
>
> Ping.
>
> If there are no objections, I'll commit the following changes in a
> week:

Seems pretty uncontroversial. FWIW I think you've waited a sufficient
amount of time.

> 1) Add global seccomp flag with description above.
> 2) Remove local seccomp descriptions from metadata of the packages
> listed above.
>
> Best regards,
> Andrew Savchenko


* Re: [gentoo-dev] [RFC] Make "seccomp" USE flag global
From: Andrew Savchenko @ 2015-02-28 22:14 UTC
  To: gentoo-dev

On Fri, 27 Feb 2015 17:48:22 -0800 Matt Turner wrote:
[...]
> >> I propose to add global "seccomp" USE flag as follows:
> >>
> >> seccomp - Enable seccomp for system call filtering
> >>
> >> and remove local descriptions for affected packages.
> >>
> >> Comments?
> >
> > Ping.
> >
> > If there are no objections, I'll commit the following changes in a
> > week:
> 
> Seems pretty uncontroversial. FWIW I think you've waited a sufficient
> amount of time.

Ok, and so it is done.

Best regards,
Andrew Savchenko
