From: Michael Kerrisk <mtk.manpages@gmail.com> To: Andy Lutomirski <luto@amacapital.net> Cc: Kees Cook <keescook@chromium.org>, Linux API <linux-api@vger.kernel.org>, Andrew Morton <akpm@linux-foundation.org>, Oleg Nesterov <oleg@redhat.com>, James Morris <james.l.morris@oracle.com>, Stephen Rothwell <sfr@canb.auug.org.au>, "David S. Miller" <davem@davemloft.net>, LKML <linux-kernel@vger.kernel.org>, Will Drewry <wad@chromium.org>, Julien Tinnes <jln@google.com>, Alexei Starovoitov <ast@plumgrid.com>, Michael Kerrisk-manpages <mtk.manpages@gmail.com> Subject: Re: [PATCH v5 0/6] seccomp: add PR_SECCOMP_EXT and SECCOMP_EXT_ACT_TSYNC Date: Tue, 3 Jun 2014 12:12:27 +0200 [thread overview] Message-ID: <CAHO5Pa3F2MjfTtfNxa8LbnkeeU8=YJ+9tDqxZpw7Gz59E-4AUg@mail.gmail.com> (raw) In-Reply-To: <CALCETrWLNFJbwaYKkjBi7XPLBQ2=gEGmW=G==+_9jcrLPW+JdA@mail.gmail.com> [Kees, thank you for CCing linux-api] On Tue, Jun 3, 2014 at 1:08 AM, Andy Lutomirski <luto@amacapital.net> wrote: > On Mon, Jun 2, 2014 at 4:05 PM, Kees Cook <keescook@chromium.org> wrote: >> I'd like to hear from other folks on this (akpm?). My instinct is to >> continue using prctl since that is already where mediation for seccomp >> happens. I don't see why prctl vs a new syscall makes a difference >> here, frankly. > > Aesthetics? There's a tendency for people to get annoyed at big > multiplexed APIs, and your patches will be doubly multiplexed. prctl() is already a Franken-interface that provides a mass of different, mostly completely unrelated, functionality. So, I wonder if it would be better not to make the situation worse. Furthermore, the very fact that the existing prctl seccomp API is being extended and multiplexed suggests that other extensions might be desirable further down the line, which also hints that a separate syscall would be a good idea. (Or do we have to wait until the prctl seccomp API is extended one more time, before we realize that a new system call would have been a good idea...) > TBH, I care more about the atomicity thing than about the actual form > of the API. User-space does not necessarily thank you for that perspective, Andy ;-). The atomicity thing is presumably fixable, regardless of the API. On the other hand, APIs are things that kernel developers design once and forget about, and user-space has to live with forever. Cheers, Michael
WARNING: multiple messages have this Message-ID (diff)
From: Michael Kerrisk <mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> To: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> Cc: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>, Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>, Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>, Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>, James Morris <james.l.morris-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>, Stephen Rothwell <sfr-3FnU+UHB4dNDw9hX6IcOSA@public.gmane.org>, "David S. Miller" <davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>, LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>, Will Drewry <wad-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>, Julien Tinnes <jln-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>, Alexei Starovoitov <ast-uqk4Ao+rVK5Wk0Htik3J/w@public.gmane.org>, Michael Kerrisk-manpages <mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> Subject: Re: [PATCH v5 0/6] seccomp: add PR_SECCOMP_EXT and SECCOMP_EXT_ACT_TSYNC Date: Tue, 3 Jun 2014 12:12:27 +0200 [thread overview] Message-ID: <CAHO5Pa3F2MjfTtfNxa8LbnkeeU8=YJ+9tDqxZpw7Gz59E-4AUg@mail.gmail.com> (raw) In-Reply-To: <CALCETrWLNFJbwaYKkjBi7XPLBQ2=gEGmW=G==+_9jcrLPW+JdA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> [Kees, thank you for CCing linux-api] On Tue, Jun 3, 2014 at 1:08 AM, Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> wrote: > On Mon, Jun 2, 2014 at 4:05 PM, Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote: >> I'd like to hear from other folks on this (akpm?). My instinct is to >> continue using prctl since that is already where mediation for seccomp >> happens. I don't see why prctl vs a new syscall makes a difference >> here, frankly. > > Aesthetics? There's a tendency for people to get annoyed at big > multiplexed APIs, and your patches will be doubly multiplexed. prctl() is already a Franken-interface that provides a mass of different, mostly completely unrelated, functionality. So, I wonder if it would be better not to make the situation worse. Furthermore, the very fact that the existing prctl seccomp API is being extended and multiplexed suggests that other extensions might be desirable further down the line, which also hints that a separate syscall would be a good idea. (Or do we have to wait until the prctl seccomp API is extended one more time, before we realize that a new system call would have been a good idea...) > TBH, I care more about the atomicity thing than about the actual form > of the API. User-space does not necessarily thank you for that perspective, Andy ;-). The atomicity thing is presumably fixable, regardless of the API. On the other hand, APIs are things that kernel developers design once and forget about, and user-space has to live with forever. Cheers, Michael
next prev parent reply other threads:[~2014-06-03 10:12 UTC|newest] Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top 2014-05-22 23:05 [PATCH v5 0/6] seccomp: add PR_SECCOMP_EXT and SECCOMP_EXT_ACT_TSYNC Kees Cook 2014-05-22 23:05 ` [PATCH v5 1/6] seccomp: create internal mode-setting function Kees Cook 2014-05-22 23:05 ` [PATCH v5 2/6] seccomp: split filter prep from check and apply Kees Cook 2014-05-22 23:05 ` [PATCH v5 3/6] seccomp: introduce writer locking Kees Cook 2014-05-23 0:28 ` Alexei Starovoitov 2014-05-23 8:49 ` Peter Zijlstra 2014-05-23 21:05 ` Kees Cook 2014-05-22 23:05 ` [PATCH v5 4/6] seccomp: move no_new_privs into seccomp Kees Cook 2014-05-22 23:08 ` Andy Lutomirski 2014-05-22 23:05 ` [PATCH v5 5/6] seccomp: add PR_SECCOMP_EXT and SECCOMP_EXT_ACT_FILTER Kees Cook 2014-05-22 23:05 ` [PATCH v5 6/6] seccomp: add SECCOMP_EXT_ACT_TSYNC and SECCOMP_FILTER_TSYNC Kees Cook 2014-05-22 23:11 ` Andy Lutomirski 2014-05-23 17:05 ` Kees Cook 2014-05-26 19:27 ` Andy Lutomirski 2014-05-27 18:24 ` Kees Cook 2014-05-27 18:40 ` Andy Lutomirski 2014-05-27 18:45 ` Kees Cook 2014-05-27 19:10 ` Andy Lutomirski 2014-05-27 19:23 ` Kees Cook 2014-05-27 19:27 ` Andy Lutomirski 2014-05-27 19:55 ` Kees Cook 2014-06-02 20:53 ` Andy Lutomirski 2014-06-03 0:14 ` Kees Cook 2014-06-03 0:29 ` Andy Lutomirski 2014-06-03 1:09 ` Kees Cook 2014-06-03 1:15 ` Andy Lutomirski 2014-06-03 19:53 ` Kees Cook 2014-06-02 19:47 ` [PATCH v5 0/6] seccomp: add PR_SECCOMP_EXT and SECCOMP_EXT_ACT_TSYNC Kees Cook 2014-06-02 19:59 ` Andy Lutomirski 2014-06-02 20:06 ` Kees Cook 2014-06-02 21:17 ` Andy Lutomirski 2014-06-02 23:05 ` Kees Cook 2014-06-02 23:08 ` Andy Lutomirski 2014-06-02 23:08 ` Andy Lutomirski 2014-06-03 10:12 ` Michael Kerrisk [this message] 2014-06-03 10:12 ` Michael Kerrisk 2014-06-03 23:47 ` Julien Tinnes
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to='CAHO5Pa3F2MjfTtfNxa8LbnkeeU8=YJ+9tDqxZpw7Gz59E-4AUg@mail.gmail.com' \ --to=mtk.manpages@gmail.com \ --cc=akpm@linux-foundation.org \ --cc=ast@plumgrid.com \ --cc=davem@davemloft.net \ --cc=james.l.morris@oracle.com \ --cc=jln@google.com \ --cc=keescook@chromium.org \ --cc=linux-api@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=luto@amacapital.net \ --cc=oleg@redhat.com \ --cc=sfr@canb.auug.org.au \ --cc=wad@chromium.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.