On Sat, 2016-12-31 at 17:59 +0100, Julien Cristau wrote: > On Sun, Dec 25, 2016 at 11:15:12 +0000, Ben Hutchings wrote: > > > I would like to make a couple of improvements to security features in > > stable: > > > > 1. Add the option to disable unprivileged use of perf_event_open(). > > This rwequires a small out-of-tree patch that we've carried in > > unstable for some time. In unstable this is also enabled by > > default, but I don't propose to do that in stable. > > > > 2. Enable seccomp (system call filtering) for ARM architectures > > (armel, armhf, arm64). This is an architecture-dependent feature > > that is enabled on all other release architectures. For arm64 this > > requires a backport; for the others it's just a config change. > > This expands the size of armel images by about 1K. > > > > Are these suitable for a stable update? > > > > No objection from me. I assume you'll make sure the arm64 seccomp > backport is tested early enough (assuming that work hasn't already been > done) so we can still disable it if needed for this point release? I've put off the arm64 secommp changes to the next point release as there isn't time to test now. Ben. -- Ben Hutchings All the simple programs have been written, and all the good names taken.
Attachment:
signature.asc
Description: This is a digitally signed message part