On Saturday 02 June 2012, Ben Hutchings wrote:
> On Sat, 2012-06-02 at 16:23 +0200, Stefan Fritsch wrote:
> > Package: linux-2.6
> > Severity: wishlist
> >
> > The seccomp filter code has hit Linus' tree a while back and
> > will be in 3.5. It's a very useful security feature that would
> > be very nice to have in wheezy.
> >
> > Is it possible to backport it or do you consider it to be too
> > intrusive?
>
> I'm aware of this but haven't yet looked at how easy it would be to
> backport. We would at least need no_new_privs as well.
FWIW, I did a backport of (hopefully) all the relevant commits. I have picked the debian/3.2.17 tag from git://anonscm.debian.org/kernel/linux-2.6.git as target because I was too lazy to get the current debian source from svn. Hopefully the differences are not too big.

The result is at http://people.debian.org/~sf/seccomp-filter-backport/ . It compiles and the included seccomp-filter sample programs work. Of course, all the patches need review. And it's quite possible that I have overlooked some important pieces, too.

Noteworthy conflicts:

3.5 seems to have some seccomp audit infrastructure that is not in 3.2. I have left this out and left the basic logging in, instead. The latter was removed from 3.5 in 3dc1c1b2d2ed7507ce8a379814ad75745ff97ebe.

fb0fadf9b213f55ca9368f3edafe51101d5d2deb defines PTRACE_EVENT_SECCOMP to 7, which is used by PTRACE_EVENT_STOP in 3.2. I have used 8 instead.

Does this look reasonable to include in wheezy even this close to the freeze?

Cheers,
Stefan

Archive: http://lists.debian.org/201206072257.42207...@sfritsch.de