[PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
James Morris
jmorris at namei.org
Fri May 13 10:18:52 EST 2011
On Thu, 12 May 2011, Ingo Molnar wrote:
> Funnily enough, back then you wrote this:
>
> " I'm concerned that we're seeing yet another security scheme being designed on
> the fly, without a well-formed threat model, and without taking into account
> lessons learned from the seemingly endless parade of similar, failed schemes. "
>
> so when and how did your opinion of this scheme turn from it being an "endless
> parade of failed schemes" to it being a "well-defined and readily
> understandable feature"? :-)
When it was defined in a way which limited its purpose to reducing the
attack surface of the syscall interface.
- James
--
James Morris
<jmorris at namei.org>
More information about the Linuxppc-dev
mailing list