
Again, there is nothing special about a "system call", it's one of MANY entry points into the kernel. Counting them in isolation means nothing. And, again, Linux has historically been very careful to resist arbitrary subsystem-specific bloat in syscall variety. Almost all of its new kernel-exposed functionality uses other mechanisms (e.g. sysfs, new filesystems like cgroup, etc...) which are more auditable and amenable to userspace-managed authorization via stuff like filesystem permissions, chroot and containers.

And of course, as with everything else, virtually all this new functionality is modular. Don't want the system call (or whatever)? Don't put it in your kernel.

Basically: you're wrong here. Cite the specific functionality you think is being shipped in an insecure way.






>it's one of MANY entry points

Just because the kernel does things wrong all over the place, it doesn't mean having too many syscalls specifically is not itself wrong.

>Cite the specific functionality you think is being shipped in an insecure way.

The whole Linux kernel. Complexity in privileged code is cancer.

For an example of how to do a kernel properly, refer to seL4[0].

[0]: https://sel4.systems/About/seL4-whitepaper.pdf



