On Wed, 24 Jan 2018 09:37:05 +0100 > To my understanding, Linux traditionally tried to aim for the security goal > of avoiding information leaks *between* users[+], probably even between > processes of the same user. It wasn't a guarantee, and there always were Not between processes of the same user in general (see ptrace or use gdb). > (and will be) information leaks -- and that is where additional safeguards > such as seccomp come into play, which reduce the attack surface against seccomp is irrelevant on many processors (see the Armageddon paper). You can (given willing partners) transfer data into and out of a seccomp process at quite a respectable rate depending upon your hardware features. > I am a bit worried whether this is a sign for a shift in the security goals. > I fully understand that there might be processes (e.g. some[?] kernel > threads) and users (root) which you need to trust anyway, as they can dumpable is actually very useful but only in a specific way. The question if process A is dumpable by process B then there is no meaningful protection between them and you don't need to do any work. Likewise if A and B can dump each other and are both running on the same ht pair you don't have to worry about them attacking one another. In all those cases they can do it with ptrace already. [There's a corner case here of using BPF filters to block ptrace] Alan -- To unsubscribe from this list: send the line "unsubscribe linux-s390" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html