On Sun, Dec 25, 2016 at 11:15:12 +0000, Ben Hutchings wrote: > I would like to make a couple of improvements to security features in > stable: > > 1. Add the option to disable unprivileged use of perf_event_open(). > This rwequires a small out-of-tree patch that we've carried in > unstable for some time. In unstable this is also enabled by > default, but I don't propose to do that in stable. > > 2. Enable seccomp (system call filtering) for ARM architectures > (armel, armhf, arm64). This is an architecture-dependent feature > that is enabled on all other release architectures. For arm64 this > requires a backport; for the others it's just a config change. > This expands the size of armel images by about 1K. > > Are these suitable for a stable update? > No objection from me. I assume you'll make sure the arm64 seccomp backport is tested early enough (assuming that work hasn't already been done) so we can still disable it if needed for this point release?
Cheers, Julien
