New release?

Alyssa Ross

Jul 10, 2025, 6:43:56 AM
to Jorge Lucangeli Obes, mini...@chromium.org
Hi — with the secure bits fix, it'd be nice to get a new linux- release
so that distros don't have to backport the fix when they update
linux-headers.

BTW: won't the same problem recur next time secure bits are added?
Wouldn't it be better for minijail to only request secure bits it knows
about?

Mike Frysinger

Jul 10, 2025, 1:02:08 PM
to Alyssa Ross, Jorge Lucangeli Obes, mini...@chromium.org
sure, tagged the latest commit since the repo's been pretty quiet for a bit
https://chromium.googlesource.com/chromiumos/platform/minijail/+/refs/tags/linux-v2025.07.02

should show up on GH in the next 24hrs automatically if you want to fetch an archive
-mike

Jorge Lucangeli Obes

Jul 10, 2025, 5:31:45 PM
to Alyssa Ross, Mike Frysinger, mini...@chromium.org
On Thu, Jul 10, 2025 at 10:02 AM Mike Frysinger <vap...@chromium.org> wrote:
> sure, tagged the latest commit since the repo's been pretty quiet for a bit
> https://chromium.googlesource.com/chromiumos/platform/minijail/+/refs/tags/linux-v2025.07.02
>
> should show up on GH in the next 24hrs automatically if you want to fetch an archive
> -mike

On Thu, Jul 10, 2025 at 4:43 AM Alyssa Ross <h...@alyssa.is> wrote:
> Hi — with the secure bits fix, it'd be nice to get a new linux- release
> so that distros don't have to backport the fix when they update
> linux-headers.
>
> BTW: won't the same problem recur next time secure bits are added?
> Wouldn't it be better for minijail to only request secure bits it knows
> about?

Good question. Two thoughts:

1-securebits don't get added very often. Linux had the initial three securebits for the longest time and then SECBIT_NO_CAP_AMBIENT_RAISE was added.
2-Our view was always that Minijail should try to follow the principle of least surprise. From that perspective, only locking a subset of the securebits would be surprising.

Alyssa Ross

Jul 13, 2025, 2:04:54 PM
to Jorge Lucangeli Obes, Mike Frysinger, mini...@chromium.org
Jorge Lucangeli Obes <jor...@chromium.org> writes:

> 2-Our view was always that Minijail should try to follow the principle of
> least surprise. From that perspective, only locking a subset of the
> securebits would be surprising.

For me, functionality changing with a kernel headers update (which is
supposed to be backwards compatible), even when it doesn't result in a
crash, is substantially more surprising!
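
An added example, not part of the thread and not minijail's code: a sketch of the alternative raised above, in which the lock mask is built from an explicit list of the four securebits named in the thread's discussion instead of from the header's `SECURE_ALL_BITS`. The helper names are hypothetical; `unreviewed_securebits()` is non-zero whenever the installed linux-headers define securebits beyond those four.

```c
/* Added example: hypothetical helpers, not minijail source. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/securebits.h>

/* Securebits this program was written against, each paired with its lock. */
static unsigned long known_securebits(void)
{
	return SECBIT_NOROOT | SECBIT_NOROOT_LOCKED |
	       SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED |
	       SECBIT_KEEP_CAPS | SECBIT_KEEP_CAPS_LOCKED |
	       SECBIT_NO_CAP_AMBIENT_RAISE | SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED;
}

/* Everything the installed headers define; this changes with linux-headers. */
static unsigned long header_securebits(void)
{
	return SECURE_ALL_BITS | SECURE_ALL_LOCKS;
}

/* Bits the headers define that the explicit list above does not cover. */
static unsigned long unreviewed_securebits(void)
{
	return header_securebits() & ~known_securebits();
}

/* Set and lock only the known bits, keeping bits that are already set.
 * Needs CAP_SETPCAP; returns 0 or a negative errno value. */
static int lock_known_securebits(void)
{
	int cur = prctl(PR_GET_SECUREBITS);
	if (cur < 0)
		return -errno;
	if (prctl(PR_SET_SECUREBITS, (unsigned long)cur | known_securebits()) < 0)
		return -errno;
	return 0;
}

int main(void)
{
	printf("known mask:      %#lx\n", known_securebits());
	printf("header mask:     %#lx\n", header_securebits());
	printf("unreviewed bits: %#lx\n", unreviewed_securebits());
	int rc = lock_known_securebits();
	printf("lock_known_securebits: %s\n", rc ? strerror(-rc) : "ok");
	return 0;
}
```

With this shape a headers update changes only what `unreviewed_securebits()` reports, which a build or startup check can surface, while the mask passed to `prctl()` stays the same.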