Comment by guenthert

12 hours ago

While this is an interesting project, I found the following grating:

"Permissions without root

You don’t need root. Grant capabilities to SBCL:

sudo setcap cap_bpf,cap_perfmon+ep /usr/bin/sbcl

Now sbcl --load my-bpf-program.lisp works as your regular user. Tracepoint format files need chmod a+r to allow non-root compilation with deftracepoint."

That's obviously not ideal. Better might be to create a purpose-built image. Unlike perl, sbcl doesn't even pretend to care about security. Taint mode extension for sbcl, anybody?

> Unlike perl, sbcl doesn't even pretend to care about security.

Mind expanding? What particular stuff does Perl have in terms of security here?

  • A lot, to the point where there's an entire security page in perldoc: <https://perldoc.perl.org/perlsec>

    I wonder if a taint mode for SBCL would mean ignoring SBCL_HOME... that'd be a bit annoying for running more up-to-date SBCL versions on distros shipping with older versions.