[Oneiric][pull request] SECCOMP syscall filtering

Andy Whitcroft apw at canonical.com
Fri Aug 12 22:00:20 UTC 2011


On Fri, Aug 12, 2011 at 04:09:31PM -0500, Will Drewry wrote:
> On Thu, Aug 11, 2011 at 2:08 PM, Kees Cook <kees.cook at canonical.com> wrote:

> > Upstream gave Will a multi-month run-around, so while this functionality
> > may go upstream eventually, it probably won't be soon. I'm hoping to
> > break a chicken-and-egg problem by having this interface available in
> > Ubuntu (matching ChromeOS) so that all the folks that wanted to use it
> > will have a stable Ubuntu release soon to play with it in.
> >
> > Since the feature doesn't change default process behavior, and is really
> > just a container "enhancement", I feel like the risk of carrying it is
> > low and the disruption level of suddenly tearing it out is low, it's only
> > a win to have it.
[...]
> If there is interest in carrying it, I will certainly ensure that any
> Chromium patches provide support detection such that ubuntu users also
> get a better kernel-supported sandbox for their renderers than is
> possible today.

If we are going to get better security in chromium on Ubuntu that is
probably something that is worth the pain of carrying these patches.
There was no performance hit for the regular case.

-apw
