Bug#675615: linux-2.6: Please backport seccomp-filter to wheezy

To: Stefan Fritsch <sf@sfritsch.de>
Cc: 675615@bugs.debian.org
Subject: Bug#675615: linux-2.6: Please backport seccomp-filter to wheezy
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 7 Jun 2012 22:38:20 +0100
Message-id: <[🔎] 20120607213820.GE2753@decadent.org.uk>
Reply-to: Ben Hutchings <ben@decadent.org.uk>, 675615@bugs.debian.org
In-reply-to: <[🔎] 201206072257.42207.sf@sfritsch.de>
References: <[🔎] 20120602142343.5940.79513.reportbug@k.lan> <[🔎] 1338656665.3979.38.camel@deadeye> <[🔎] 201206072257.42207.sf@sfritsch.de>

On Thu, Jun 07, 2012 at 10:57:41PM +0200, Stefan Fritsch wrote:
> On Saturday 02 June 2012, Ben Hutchings wrote:
> > On Sat, 2012-06-02 at 16:23 +0200, Stefan Fritsch wrote:
> > > Package: linux-2.6
> > > Severity: wishlist
> > > 
> > > The seccomp filter code has this Linus' tree a while back and
> > > will be in 3.5. It's a very usefult security feature that would
> > > be very nice to have in wheezy.
> > > 
> > > Is it possible to backport it or do you consider it to be too
> > > intrusive?
> > 
> > I'm aware of this but haven't yet looked at how easy it would be to
> > backport.  We would at least need no_new_privs as well.
> 
> FWIW, I done a backport of (hopefully) all the relevant commits. I 
> have picked the debian/3.2.17 tag from 
> git://anonscm.debian.org/kernel/linux-2.6.git as target because I was 
> too lazy to get the current debian source from svn. Hopefully the 
> differences are not too big. The result is at 
> http://people.debian.org/~sf/seccomp-filter-backport/ .  It compiles 
> and the included seccomp-filter sample programs work.
 
That git tag actually represents 3.2.17 with bits removed for DFSG
compliance, but without any bugfix or feature patches added.  But I
doubt we have anything that conflicts with these changes, though.

> Of course, all the patches need review. And it's quite possible that I 
> have overlooked some important pieces, too.
> 
> Noteworthy conflicts:
> 
> 3.5 seems to have some seccomp audit infrastructure that is not in 
> 3.2. I have left this out and left the basic logging in, instead. The 
> latter was removed from 3.5 in 
> 3dc1c1b2d2ed7507ce8a379814ad75745ff97ebe.
> 
> fb0fadf9b213f55ca9368f3edafe51101d5d2deb defines PTRACE_EVENT_SECCOMP 
> to 7, which is used by PTRACE_EVENT_STOP in 3.2. I have used 8 
> instead.
> 
> 
> Does this look reasonable to include in wheezy even this close to the 
> freeze?
 
I'll have a proper look at it later.  Thanks for this.

Ben.

-- 
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
                                                              - Albert Camus

Reply to:

References:
- Bug#675615: linux-2.6: Please backport seccomp-filter to wheezy
  - From: Stefan Fritsch <sf@sfritsch.de>
- Bug#675615: linux-2.6: Please backport seccomp-filter to wheezy
  - From: Ben Hutchings <ben@decadent.org.uk>
- Bug#675615: linux-2.6: Please backport seccomp-filter to wheezy
  - From: Stefan Fritsch <sf@sfritsch.de>

Prev by Date: Bug#660288: Please enable CONFIG_KALLSYMS_ALL
Next by Date: Bug#675621: system freeze after safely unmounting usb drive
Previous by thread: Bug#675615: linux-2.6: Please backport seccomp-filter to wheezy
Next by thread: Bug#622850: marked as done (linux-2.6: Please enable Hyper-V drivers)
Index(es):
- Date
- Thread