Hacker News: language's comments

iirc I think that the BPF JIT is disabled by default? Your kernel might be compiled with `CONFIG_BPF_JIT`, but I think the sysctl knob (`bpf_jit_enable`) is set to 0 by default. Also there's a sysctl for unprivileged BPF called `unprivileged_bpf_disabled`. On my system it seems to default to 0.

https://elixir.free-electrons.com/linux/v4.15-rc6/source/ker...


Text and patch start here: https://lkml.org/lkml/2018/1/3/780

Also, see Linus' response here: https://lkml.org/lkml/2018/1/3/797


Ahh Linus, never change.



Seems healthy leaving it to the user.


There's some kind of bind here between "putting burden on end-users" and "putting burden on application developers." Either you (a) ship $LSM with some defaults that are necessarily general (so as to avoid breaking applications) and let the user fit filters to their circumstances, or; (b) push for developers to write/maintain filters baked into their applications (i.e. using some kernel features like `seccomp` and what-have-you).


seccomp and LSMs do different (and complementary) things.


How so? I understand they're different, but I thought there was some overlap. Don't LSMs work by hooking syscalls anyway?


Seccomp can only disable syscalls. LSMs are more nuanced. The most important difference is that it is easy to check if seccomp is available and the policy is not kept in or on a file.


I was under the impression that seccomp was a bit more flexible (via ptrace() and BPF fanciness) - although I guess you'd need other co-operating processes in userspace? I've only played around with it a tiny bit.

Also, both kinds of policy are resident in files. I don't understand your point there.


It is flexible to an extent, but you still can't e.g. dereference a pointer to a struct passed as an argument. And that's where much of the interesting detail is for many calls.


Thanks for the clarification, although I recall messing with eBPF and kprobes before - pretty sure you can dereference pointers?

editx2: Oh, guess seccomp doesn't use eBPF yet? Suppose that raises a bunch of questions about permissions necessary for specifying programs that might dereference kernel pointers and such by emitting `bpf()` calls.


Huh, didn't know that Debian was missing ASLR. Any idea about the reasoning there?


What makes you think debian is missing ASLR?


> Update: they just managed to get this done with stretch, released 4 months ago! That's only like 7 years late for a crucial actual security feature)

Dunno, taking @revelation's word for it? Mentioned they were missing it. It sounds funny to me though. I'm not a Debian user.

edit: The Debian page on security features confuses me (https://wiki.debian.org/Security/Features).


I can't tell. If you remember they became a platinum member of the Linux Foundation last year too.


Ah, this is neat! Would be nice to have a script for this that you could just point at a local copy of the source tree too!


Love Graphviz, been using it for some time now. It's kind of painful rendering large graphs. Does anyone know the particular reason why `dot` and friends only seem to take advantage of one CPU core when drawing graphs? Multi-threading unimplemented? - or impossible to implement for some reason?


Sounds about right, 'dot' is about as old as the hills, so it probably wasn't an issue back in the day.


I've only dealt with this on Intel chipset HDMI - if I'm remembering correctly there's some part of the snd_hda_intel kernel modules you can blacklist in order to disable this.


It applies to Macs. I think AMT is just one particular application/feature of ME. ME is a piece of hardware on Intel chipsets.

