date 2020-03-13
erek
Supreme [H]ardness
- Joined
- Dec 19, 2005
- Messages
- 4,544
Everything's flawed anymore
"Kleen went on to add with the patch, "Longer term we probably need to discuss if the seccomp heuristic is still warranted and should be perhaps changed. It seemed like a good idea when these vulnerabilities were new, and no web browsers supported site isolation. But with site isolation widely deployed -- Chrome has it on by default, and as I understand it, Firefox is going to enable it by default soon. And other seccomp users (like sshd or systemd) probably don't really need it. Given that it's not clear the default heuristic is still a good idea."
Besides web browsers using SECCOMP for sandboxing some processes, it is also used by the likes of Docker, VSFTPD, Flatpak, LXD, and many other Linux processes. To reiterate though, there is no out-of-the-box change in mitigation behavior besides allowing SECCOMP processes to opt out if they choose to do so.
Kleen's patch was volleyed yesterday but so far hasn't received any feedback. We'll keep monitoring to see if this change gets accepted for the forthcoming Linux 5.7 cycle."
https://www.phoronix.com/scan.php?page=news_item&px=SECCOMP-Opt-Out-SSBD
