Should we dump seccomp?
Hal Murray
hmurray at megapathdsl.net
Sun May 14 02:42:33 UTC 2017
esr at thyrsus.com said:
>> Should we work on a no-DNS version? It's no good for the
>> typical client/pool case, but it might be interesting for a server.
> I'm against this idea. I think it would add test complexity without a
> commensrate gain.
If the idea is to reduce the attack surface, I'd expect interest in making it
significantly smaller.
Again, this is down in the weeds.
The DNS stuff adds a lot of syscalls such as pthreads. Looks like the code
is already there.
#ifdef ENABLE_DNS_LOOKUP
SCMP_SYS(clone), /* threads */
SCMP_SYS(futex), /* sem_xxx, used by threads */
SCMP_SYS(kill), /* generate signal */
SCMP_SYS(madvise),
SCMP_SYS(mprotect),
SCMP_SYS(set_robust_list),
SCMP_SYS(sendmmsg), /* DNS lookup */
SCMP_SYS(socketpair),
SCMP_SYS(statfs),
SCMP_SYS(uname),
#endif
I guess I'll setup a test case.
--
These are my opinions. I hate spam.
More information about the devel
mailing list