Andy Lutomirski <luto@xxxxxxxxxxxxxx> writes: > On Jul 27, 2014 5:06 PM, "Theodore Ts'o" <tytso@xxxxxxx> wrote: >> >> On Fri, Jul 25, 2014 at 11:30:48AM -0700, Andy Lutomirski wrote: >> > >> > There is recent interest in having a way to turn generally-available >> > kernel features off. Maybe we should add a good one so we can stop >> > bikeshedding and avoid proliferating dumb interfaces. >> >> I believe the seccomp infrastructure (which is already upstream) >> should be able to do most of what you want, at least with respect to >> features which are exposed via system calls (which was most of your >> list). > > Seccomp can't really restrict lookups of non-self pids. In fact, this > feature idea started out as a response to a patch adding a kind of > nasty seccomp feature to make it sort of possible. > > I agree that that seccomp can turn off GRND_RANDOM, but how is it > supposed to do it in such a way that the filtered software will fall > back to something sensible? -ENOSYS? -EPERM? Something else? > > I think that -ENOSYS is clearly wrong, but standardizing this would be > nice. Admittedly, adding something fancy like this for GRND_RANDOM > may not be appropriate. Andy you seem to be arguing here for two system calls. get_urandom() and get_random(). Where get_urandom only blocks if there is not enough starting entropy, and get_random(GRND_RANDOM) blocks if there is currently not enough entropy. That would allow -ENOSYS to be the right return value and it would simply things for everyone. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html