1 |
On Thu, 19 Feb 2015 14:14:37 -0500 |
2 |
Mike Frysinger <vapier@g.o> wrote: |
3 |
|
4 |
> pro: improved security in daemons (often network) |
5 |
> con: some packages might pull in libseccomp (~250KB) |
6 |
> |
7 |
> there shouldn't be measurable runtime overhead here as the filtering |
8 |
> is done by a JIT in the kernel itself. if the kernel lacks support |
9 |
> for seccomp, daemons generally should fallback at runtime. if they |
10 |
> don't, people should file bugs to get them fixed. |
11 |
|
12 |
+1 |
13 |
|
14 |
One thing to keep in mind: some upstreams don't really maintain their |
15 |
seccomp functionality so when, they add usage of new syscalls the |
16 |
daemon it just ends up crashing. This is definitely a bug that should |
17 |
be fixed though. |