Re: seccomp jailing for applications (was: recommends for apparmor in newest linux-image-4.13)

On Fri, Dec 01, 2017 at 01:29:44AM +0000, Colin Watson wrote:
> but should be much easier to maintain, and would probably also make it
> easier to switch to a syscall-set-confining library if such a thing
> exists in the future.

Would a version of OpenBSD's pledge() system call have looked appealing to
you, if it were implemented as a library interface around seccomp? There are
already roughly two dozen categories, though not all may translate well to
seccomp's abilities.



