Re: How do we store/install apps?
- From: Alexander Larsson <alexl redhat com>
- To: Greg KH <gregkh linuxfoundation org>
- Cc: gnome-os-list <gnome-os-list gnome org>
- Subject: Re: How do we store/install apps?
- Date: Fri, 10 Oct 2014 15:12:23 +0200
On fre, 2014-10-10 at 05:49 -0700, Greg KH wrote:
On Fri, Oct 10, 2014 at 02:38:44PM +0200, Alexander Larsson wrote:
There will always be bugs, I said that because the kernel security team
treats this type of bug very seriously and will work to fix it wherever
found. You _should_ be able to rely on mounting an arbitrary filesystem
image with no issues.
Well, here is the thing. We're trying to (in the end) make a secure
sandbox here. The kernel is what supplies this sandbox, and the border
of the sandbox is the kernel syscall abi. There can obviously be bugs in
that abi that lets you get out of the sandbox, but I have decent trust
in it. However, by allowing app authors to push any bag of bits at the
kernel filesystem implementation makes the attack surface *much* larger,
and much less battle-tested. Sure, such bugs should be fixed, but until
they are I prefer that they are merely crashers when your usb stick has
been broken, rather than attack vectors for remote code.
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]