
Re: recommends for apparmor in newest linux-image-4.13




On 2017-11-29 09:25, Jonathan Dowland wrote:
> On Tue, Nov 28, 2017 at 08:22:50PM -0800, Russ Allbery wrote:
> > My personal pet "I don't have time" project I'd love to see is extending
> > systemd units for as many services in Debian as possible to include
> > namespace restrictions and seccomp filter rules, which I think has good
> > parallel potential alongside an LSM for raising the default security
> > posture of Debian.  LSMs deal with per-file restrictions much more easily
> > than systemd's seccomp and namespace support, but the seccomp and
> > namespace support does a lot of other nice things that LSMs aren't as good
> > at.
>
> Yes this would be excellent; a necessary prerequisite would be getting
> more daemons (and cron-scheduled processes) shipping systemd units too.


Since it was mentioned, I would like these daemons to implement seccomp filtering themselves, meaning within the application itself, using libseccomp. They can fine-grain which thread can make which syscalls.

For example, some networking or parsing thread might not need execve() at all. Meanwhile, it might be needed for the main or another thread to call some external application, but that can later be mediated with MAC, be it AppArmor, SELinux or whatever.
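
The per-thread filtering described in this message, as an added example that is not part of the original post or of any Debian package: a worker thread gives up execve() for itself while the main thread keeps it. It uses raw seccomp-BPF through prctl(2) instead of libseccomp so that it builds without extra libraries; the names `parser_thread`, `try_exec` and `run_demo` are hypothetical, and Linux with `/bin/sh` present is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* Filter for the calling thread only (no TSYNC): execve/execveat fail with EPERM.
 * A production filter must also check seccomp_data.arch, as libseccomp does. */
static int deny_exec_in_this_thread(void) {
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { (unsigned short)(sizeof insns / sizeof insns[0]), insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* fork + execve("/bin/sh"): 0 if the exec ran, the child's errno if refused, -1 otherwise. */
static int try_exec(void) {
    int st = 0;
    pid_t pid = fork();
    if (pid == 0) {
        char *const argv[] = { "sh", "-c", "exit 0", NULL };
        execve("/bin/sh", argv, argv + 3);   /* argv + 3: empty environment */
        _exit(errno);                        /* reached only if execve failed */
    }
    if (pid < 0 || waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

static void *parser_thread(void *out) {      /* hypothetical restricted worker */
    *(int *)out = deny_exec_in_this_thread() == 0 ? try_exec() : -1;
    return NULL;
}
/* Runs the filtered worker, then the same exec attempt from the main thread. */
int run_demo(int *worker_exec, int *main_exec) {
    pthread_t t;
    if (pthread_create(&t, NULL, parser_thread, worker_exec) != 0) return -1;
    pthread_join(t, NULL);
    *main_exec = try_exec();
    return 0;
}
int main(void) { int w, m; return run_demo(&w, &m) || w != EPERM || m; }
```

The filter is inherited across fork(), which is why the worker's child is refused as well; the main thread's exec is the part left for AppArmor or SELinux to mediate.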