Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-28 Thread chris hyser
On 02/28/2018 02:56 PM, Daniel Borkmann wrote: On 02/28/2018 12:55 AM, chris hyser wrote: If you're implying that because seccomp would have its own verifier and could therefore restrict itself to a subset of eBPF, therefore any future additions/features to eBPF would not necess

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-27 Thread chris hyser
On 02/27/2018 04:58 PM, Daniel Borkmann wrote: On 02/27/2018 05:59 PM, chris hyser wrote: On 02/27/2018 11:00 AM, Kees Cook wrote: On Tue, Feb 27, 2018 at 6:53 AM, chris hyser wrote: On 02/26/2018 11:38 PM, Kees Cook wrote: On Mon, Feb 26, 2018 at 8:19 PM, Andy Lutomirski wrot

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-27 Thread chris hyser
On 02/27/2018 04:58 PM, Daniel Borkmann wrote: On 02/27/2018 05:59 PM, chris hyser wrote: On 02/27/2018 11:00 AM, Kees Cook wrote: On Tue, Feb 27, 2018 at 6:53 AM, chris hyser wrote: On 02/26/2018 11:38 PM, Kees Cook wrote: On Mon, Feb 26, 2018 at 8:19 PM, Andy Lutomirski wrote: 3

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-27 Thread chris hyser
On 02/27/2018 02:19 PM, Kees Cook wrote: On Tue, Feb 27, 2018 at 8:59 AM, chris hyser wrote: I will try to find that discussion. As someone pointed out here though, eBPF A good starting point might be this: https://lwn.net/Articles/441232/ Thanks. A fair amount of reading referenced there

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-27 Thread chris hyser
On 02/27/2018 11:00 AM, Kees Cook wrote: On Tue, Feb 27, 2018 at 6:53 AM, chris hyser wrote: On 02/26/2018 11:38 PM, Kees Cook wrote: On Mon, Feb 26, 2018 at 8:19 PM, Andy Lutomirski wrote: 3. Straight-up bugs. Those are exactly as problematic as verifier bugs in any other unprivileged

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-27 Thread chris hyser
On 02/26/2018 11:38 PM, Kees Cook wrote: On Mon, Feb 26, 2018 at 8:19 PM, Andy Lutomirski wrote: 3. Straight-up bugs. Those are exactly as problematic as verifier bugs in any other unprivileged eBPF program type, right? I don't see why seccomp is special here. My concern is more about unint

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

2017-11-09 Thread chris hyser
On 11/09/2017 01:05 PM, Serge E. Hallyn wrote: Would the existing capability bounding set not suffice for that? The 'permanent' bounding set turns out to not be a good fit for the problem being discussed in this thread, but please feel free to start a new thread if you want to discuss your use c

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

2017-11-09 Thread chris hyser
On 11/06/2017 10:23 PM, Serge E. Hallyn wrote: I think I definitely prefer what I mentioned in the email to Boris. Basically a "permanent capability bounding set". The normal bounding set gets reset to a full set on every new user_ns creation. In this proposal, it would instead be set to the ca