Adrian,
Am 21.03.2020 um 11:59 schrieb John Paul Adrian Glaubitz:
On 3/20/20 11:49 PM, Finn Thain wrote:
I suspect (without evidence) that many m68k systems are actually virtual
machines. And the need for container hosting on m68k seems negligible.
It isn't about security. It's about being able to build more packages
as some packages have started to make libseccomp support mandatory.
Is there a good technical reason for this decision? I suppose most of
these packages are not about VM or container hosting?
What about checking at runtime for availability of the library, and
disabling VM related functionality if it wasn't possible to load?
In the event that kernel support can't be avoided: I suppose there a git
commit for Helge's hppa changes that would help gauge the effort
required for implementing such support?
Cheers,
Michael
Therefore, there doesn't seem to be a lot of actual benefit from seccomp.
I disagree for the aforementioned reasons.
There are 17 architectures (out of 25) lacking seccomp support. This
suggests that the portability issue around this missing feature can't
easily be pinned on m68k.
The question is how many of these 17 architectures are actually supported
by Debian.
If you look at the build results for libseccomp in Debian, you can see that
alpha, ia64, m68k, sh and sparc64 are missing the feature, everyone else
supports it [1].
Adrian
[1] https://buildd.debian.org/status/package.php?p=libseccomp&suite=sid
