Re: seccomp jailing for applications (was: recommends for apparmor in newest linux-image-4.13)
On 1 December 2017 at 11:45, Colin Watson <cjwatson@xxxxxxxxxx> wrote:
> On Thu, Nov 30, 2017 at 07:18:43PM -0800, Seth Arnold wrote:
>> On Fri, Dec 01, 2017 at 01:29:44AM +0000, Colin Watson wrote:
>> > but should be much easier to maintain, and would probably also make it
>> > easier to switch to a syscall-set-confining library if such a thing
>> > exists in the future.
>>
>> Would a version of OpenBSD's pledge() system call have looked appealing to
>> you, if it were implemented as a library interface around seccomp? There's
>> already roughly two dozen categories, though not all may translate well to
>> seccomp's abilities.
>>
>> https://man.openbsd.org/pledge.2
>
> Something like that, yes; maybe something like "stdio rpath flock proc
> exec" in man-db's case, although I'm sure that would need some tweaking.
>
> It's nice to be able to say "these sets, plus this handful of additional
> syscalls", which pledge can't do.
>
> Also, I'm very glad that seccomp persists across execve(2); I much
> prefer this to the pledge model.

How about https://notabug.org/rain1/linux-seccomp-pledge/?

-- 
Cheers,
  Andrew