| 1 |
On Thu, 19 Feb 2015 14:14:37 -0500 |
| 2 |
Mike Frysinger <vapier@g.o> wrote: |
| 3 |
|
| 4 |
> pro: improved security in daemons (often network) |
| 5 |
> con: some packages might pull in libseccomp (~250KB) |
| 6 |
> |
| 7 |
> there shouldn't be measurable runtime overhead here as the filtering |
| 8 |
> is done by a JIT in the kernel itself. if the kernel lacks support |
| 9 |
> for seccomp, daemons generally should fallback at runtime. if they |
| 10 |
> don't, people should file bugs to get them fixed. |
| 11 |
|
| 12 |
+1 |
| 13 |
|
| 14 |
One thing to keep in mind: some upstreams don't really maintain their |
| 15 |
seccomp functionality so when, they add usage of new syscalls the |
| 16 |
daemon it just ends up crashing. This is definitely a bug that should |
| 17 |
be fixed though. |
Archives