droproot, seccomp
Eric S. Raymond
esr at thyrsus.com
Tue Feb 25 23:59:48 UTC 2020
Hal Murray <hmurray at megapathdsl.net>:
> I don't think it's worth the effort to maintain 2 lists. We can revisit that
> if you think it's appropriate.
No, I agree with you.
> There are 46 syscalls in each list and 55 in the merged list.
Brings up a question. Is the list of all syscalls used by everybody
large relative to any one distro+platform-specific list?
Because if not, I could get behind having *one* list and just
whitelisting syscalls until we stop needing to.
46 to 55. If just 9 syscalls are the difference, the very slightly
reduced assurance starts to look like a reasonable trade to make the
whole problem go away.
Which, mind you, I wouldn't say if I didn't think we had done a
quite effective job of hardening the rest of the code. But I *do*
think that - which makes this worth consideration.
--
Eric S. Raymond <http://www.catb.org/~esr/>