Re: RFC: Network privilege separation.

[Andi Kleen]

On Mon, Jan 12, 2009 at 10:30:25PM +0200, Rémi Denis-Courmont wrote:
> Le lundi 12 janvier 2009 22:39:31 Andi Kleen, vous avez écrit :
> > > What's the point of writing a parser (that could also have bugs) when the
> >
> > Sorry you lost me. What do you mean with parser here?
> >
> > > kernel can do it?
> >
> > And what does it have to do with the kernel?
> 
> The parser at the other end of the pipe. The more intricate the over-the-pipe 
> protocol is, the more likely it is to be buggy and the security scheme to 
> break.

That would be very little code that would also not 
change very often so that it could be probably effectively
audited.

> > Yes it would be somewhat slower, but if it avoids a couple of security
> > updates that would be probably worth it.
> 
> If codecs did not care about performance, they'd be written in some high-level 
> language that could easily be sandboxed by its own VM.

I don't think using a full JIT is anywhere comparable in 
performance impact to adding two cache hot copies to 
otherwise fully optimized code.

> 
> As the guy who's been dealing with VLC security issues for the past two years, 
> I have to say, I am in no way interested in SECCOMP as it _currently_ is.

Fair point, although I'm afraid you didn't do a very good
job explaining your reasons, so it sounds like a 
quite arbitary decision.

-Andi

-- 
ak@xxxxxxxxxxxxxxx -- Speaking for myself only.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/