
Re: seccomp jailing for applications (was: recommends for apparmor in newest linux-image-4.13)

On Thu, Nov 30, 2017 at 07:18:43PM -0800, Seth Arnold wrote:
> On Fri, Dec 01, 2017 at 01:29:44AM +0000, Colin Watson wrote:
> > but should be much easier to maintain, and would probably also make it
> > easier to switch to a syscall-set-confining library if such a thing
> > exists in the future.
> 
> Would a version of OpenBSD's pledge() system call have looked appealing to
> you, if it were implemented as a library interface around seccomp? There's
> already roughly two dozen categories, though not all may translate well to
> seccomp's abilities.
> 
> https://man.openbsd.org/pledge.2

Something like that, yes; maybe something like "stdio rpath flock proc
exec" in man-db's case, although I'm sure that would need some tweaking.

It's nice to be able to say "these sets, plus this handful of additional
syscalls", which pledge can't do.

Also, I'm very glad that seccomp persists across execve(2); I much
prefer this to the pledge model.

-- 
Colin Watson                                       [cjwatson@xxxxxxxxxx]
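The "pledge-style library interface around seccomp" discussed above, written out as an added example; it is not part of this thread and is not man-db's, OpenBSD's or the kernel's code. It takes a space-separated promise string plus a handful of extra syscall numbers (the combination the reply asks for), builds a raw seccomp-BPF program, and installs it with PR_SET_NO_NEW_PRIVS so that the filter survives execve(2). The promise names, the syscalls grouped under each one, the EPERM-rather-than-kill default and the size limits are assumptions chosen for illustration, not OpenBSD's definitions.

```c
/* Added example: a pledge(2)-style front end over raw seccomp-BPF on Linux.
 * Not man-db's code and not an OpenBSD API; the promise names and the
 * syscalls grouped under them are this example's own assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define ARCH_NR AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Assumed promise sets; only syscalls that exist on both x86_64 and aarch64. */
static const int stdio_nrs[] = { __NR_read, __NR_write, __NR_close, __NR_fstat,
    __NR_ioctl, __NR_brk, __NR_mmap, __NR_munmap, __NR_exit, __NR_exit_group,
    __NR_rt_sigreturn };
static const int rpath_nrs[] = { __NR_openat, __NR_newfstatat, __NR_readlinkat,
    __NR_getdents64, __NR_lseek };
static const int proc_nrs[]  = { __NR_clone, __NR_wait4, __NR_kill, __NR_getpid };
static const int exec_nrs[]  = { __NR_execve };

static const struct { const char *name; const int *nrs; size_t n; } promises[] = {
    { "stdio", stdio_nrs, COUNT(stdio_nrs) },
    { "rpath", rpath_nrs, COUNT(rpath_nrs) },
    { "proc",  proc_nrs,  COUNT(proc_nrs)  },
    { "exec",  exec_nrs,  COUNT(exec_nrs)  },
};

#define MAX_NRS 200             /* keeps every jump offset within a __u8 */
#define FILTER_CAP (MAX_NRS + 8)

/* Build a filter from promises plus extra syscall numbers. Returns the
 * instruction count, or 0 on an unknown promise or overflow. Layout:
 * arch check (kill on mismatch), load nr, one JEQ per allowed nr that
 * jumps to the trailing RET ALLOW, then RET ERRNO(EPERM) as the default. */
static size_t build_filter(const char *promise_str, const int *extra, size_t nextra,
                           struct sock_filter *out, size_t cap)
{
    int allowed[MAX_NRS];
    size_t n = 0;
    char buf[256];
    if (strlen(promise_str) >= sizeof buf) return 0;
    strcpy(buf, promise_str);
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        size_t p;
        for (p = 0; p < COUNT(promises); p++)
            if (strcmp(tok, promises[p].name) == 0) break;
        if (p == COUNT(promises)) return 0;                 /* unknown promise */
        if (n + promises[p].n > MAX_NRS) return 0;
        memcpy(allowed + n, promises[p].nrs, promises[p].n * sizeof(int));
        n += promises[p].n;
    }
    if (n + nextra > MAX_NRS) return 0;
    if (nextra) memcpy(allowed + n, extra, nextra * sizeof(int));
    n += nextra;
    if (cap < n + 6) return 0;

    size_t i = 0;
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t j = 0; j < n; j++)          /* jt = n - j lands on RET ALLOW */
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (__u32)allowed[j], (__u8)(n - j), 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Pure check on a built program: is nr on the allow list? (scans the JEQs) */
static int filter_allows(const struct sock_filter *prog, size_t len, int nr)
{
    for (size_t i = 4; i + 2 < len; i++)
        if (prog[i].code == (BPF_JMP | BPF_JEQ | BPF_K) && prog[i].k == (__u32)nr)
            return 1;
    return 0;
}

/* Install the filter. NO_NEW_PRIVS lets an unprivileged process attach it,
 * and a seccomp filter stays attached across execve(2). */
static int apply_filter(struct sock_filter *prog, size_t len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    struct sock_filter prog[FILTER_CAP];
    const int extra[] = { __NR_flock };       /* "these sets, plus this handful" */
    size_t len = build_filter("stdio rpath proc exec", extra, COUNT(extra), prog, FILTER_CAP);
    if (len == 0 || apply_filter(prog, len) != 0) {
        perror("seccomp");
        return 1;
    }
    /* socket(2) is outside every promise, so the filter answers EPERM. */
    int s = socket(AF_INET, SOCK_STREAM, 0);
    printf("socket() -> %d (%s)\n", s, s < 0 ? strerror(errno) : "allowed?!");
    return 0;
}
```

Two practical caveats worth knowing before reusing this shape: the filter is inherited by anything this process then execs, so a dynamically linked target needs its loader's syscalls (mprotect and friends) added to a promise or the image dies at startup, which is the sort of tweaking the reply anticipates; and the denied-syscall default here is EPERM rather than kill, which makes auditing a new promise set far less painful but is weaker than OpenBSD's abort-on-violation.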