30th July 2012
ocicat (Administrator)
 

Quote:
Originally Posted by daemonfowl
To what extent could Linux binary emulation, when enabled, weaken OpenBSD security?

There are two different parts to your question.
  • The first involves the Linux emulation layer itself. This is written by OpenBSD developers and goes through the same commit process as any other piece of code checked into CVS.

    Because the Linux filesystem layout is different from OpenBSD's, the emulation layer will not be able to fully mimic the Linux environment. Study hier(7) on both platforms to see the differences.

    The real question is how much the emulation is tested. I cannot answer this question. I do not know its limitations.

    In recent years, keeping the Linux emulation layer up to date hasn't been as important as it may have been 5+ years ago, now that more applications are available natively in the packages/ports system, so support of newer Linux kernel calls in the emulation layer hasn't stayed in sync with more recent releases of the Linux kernel. However, I have seen a number of CVS check-ins into OpenBSD's src tree before 5.2 was tagged showing an effort to keep the emulation layer current.

    Don't expect emulation layers to be perfect. They aren't. Bugs can & will exist for several different reasons. Some Linux binaries will run on OpenBSD fine. Others won't. To find out whether any particular Linux binary will run under emulation, try it yourself. Studying compat_linux(8) is a start.

    In the end, if you want perfect Linux emulation, run your Linux application on Linux.
  • Secondly, how well the application has been vetted is a question which has to be answered on an individual basis. You will need to ascertain this yourself.

    In comparison, third-party applications available officially in the OpenBSD ports tree are not as vetted as the base system itself, so you can equally question the trustworthiness of native applications as well.
In general, when it comes to third-party applications, determine whether a native port is available in the ports tree. If one is, use it, as the maintainer should have resolved all library & filesystem differences. If not, try the emulation layer if a Linux binary can be found. OpenBSD's emulation layer may or may not be sufficient for the application's needs.