Hello, On Thu, Mar 21, 2019 at 01:43:35PM +0000, Luis Chamberlain wrote: > On Wed, Mar 20, 2019 at 03:01:12PM -0400, Andrea Arcangeli wrote: > > but > > that would be better be achieved through SECCOMP and not globally.'. > > That begs the question why not use seccomp for this? What if everyone > decided to add a knob for all syscalls to do the same? For the commit > log, why is it OK then to justify a knob for this syscall? That's a good point and it's obviously more secure because you can block a lot more than just bpf and userfaultfd: however not all syscalls have CONFIG_USERFAULTFD=n or CONFIG_BPF_SYSCALL=n that you can set to =n at build time, then they'll return -ENOSYS (implemented as sys_ni_syscall in the =n case). The point of the bpf (already included upstream) and userfaultfd (proposed) sysctl is to avoid users having to rebuild the kernel if they want to harden their setup without being forced to run all containers under seccomp, just like they could by setting those two config options "=n" at build time. So you can see it like allowing a runtime selection of CONFIG_USERFAULTFD and CONFIG_BPF_SYSCALL without the kernel build time config forcing the decision on behalf of the end user. Thanks, Andrea
