Bug#675615: linux-2.6: Please backport seccomp-filter to wheezy
On Saturday 02 June 2012, Ben Hutchings wrote:
> On Sat, 2012-06-02 at 16:23 +0200, Stefan Fritsch wrote:
> > Package: linux-2.6
> > Severity: wishlist
> >
> > The seccomp filter code hit Linus' tree a while back and
> > will be in 3.5. It's a very useful security feature that would
> > be very nice to have in wheezy.
> >
> > Is it possible to backport it or do you consider it to be too
> > intrusive?
>
> I'm aware of this but haven't yet looked at how easy it would be to
> backport. We would at least need no_new_privs as well.
FWIW, I have done a backport of (hopefully) all the relevant commits. I
have picked the debian/3.2.17 tag from
git://anonscm.debian.org/kernel/linux-2.6.git as target because I was
too lazy to get the current debian source from svn. Hopefully the
differences are not too big. The result is at
http://people.debian.org/~sf/seccomp-filter-backport/ . It compiles
and the included seccomp-filter sample programs work.
Of course, all the patches need review. And it's quite possible that I
have overlooked some important pieces, too.
Noteworthy conflicts:
3.5 seems to have some seccomp audit infrastructure that is not in
3.2. I have left this out and left the basic logging in, instead. The
latter was removed from 3.5 in
3dc1c1b2d2ed7507ce8a379814ad75745ff97ebe.
fb0fadf9b213f55ca9368f3edafe51101d5d2deb defines PTRACE_EVENT_SECCOMP
to 7, which is used by PTRACE_EVENT_STOP in 3.2. I have used 8
instead.
Does this look reasonable to include in wheezy even this close to the
freeze?
Cheers,
Stefan
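As an added illustration of what the backported feature enables (this is not code from the bug report or from Stefan's backport): a minimal x86_64 program that sets no_new_privs first, as Ben says is required, then installs a seccomp filter allowing only a short syscall list. It assumes Linux uapi headers that already define SECCOMP_MODE_FILTER and SECCOMP_RET_ALLOW; the filter_verdict helper is an assumed, simplified re-implementation of the few BPF instructions the filter uses, so a policy can be checked before installing it.

```c
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define STMT(code, k)   (struct sock_filter)BPF_STMT(code, k)
#define JEQ(k, jt, jf)  (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, k, jt, jf)

/* Fill f (capacity cap) with a filter that allows only the n syscall numbers in
 * allow on the x86_64 ABI and kills the task otherwise; returns the length or -1. */
int build_allowlist_filter(struct sock_filter *f, int cap, const int *allow, int n)
{
    int i = 0, j;
    if (n + 6 > cap) return -1;
    f[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    f[i++] = JEQ(AUDIT_ARCH_X86_64, 1, 0);   /* other ABIs use other syscall numbers */
    f[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    f[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (j = 0; j < n; j++)                  /* on a match, jump forward to the ALLOW */
        f[i++] = JEQ((unsigned)allow[j], n - j, 0);
    f[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    f[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Evaluate the LD/JEQ/RET subset used above (assumed helper, not the kernel's interpreter). */
unsigned int filter_verdict(const struct sock_filter *f, int len, unsigned int arch, unsigned int nr)
{
    unsigned int acc = 0;
    for (int pc = 0; pc < len; pc++) {
        switch (BPF_CLASS(f[pc].code)) {
        case BPF_LD:  acc = f[pc].k == offsetof(struct seccomp_data, arch) ? arch : nr; break;
        case BPF_JMP: pc += acc == f[pc].k ? f[pc].jt : f[pc].jf; break;
        case BPF_RET: return f[pc].k;
        }
    }
    return SECCOMP_RET_KILL;
}

int main(void)
{
    struct sock_filter f[16];
    const int allow[] = { SYS_read, SYS_write, SYS_exit, SYS_exit_group };
    struct sock_fprog prog = { .len = (unsigned short)build_allowlist_filter(f, 16, allow, 4), .filter = f };
    /* Unprivileged tasks may install a filter only after no_new_privs, so it cannot confuse a later setuid execve. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) return 1;
    return write(1, "seccomp filter active\n", 22) < 0;  /* anything else: SIGKILL */
}
```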