
Re: seccomp jailing for applications



Seth Arnold <seth.arnold@canonical.com> writes:
> On Fri, Dec 01, 2017 at 01:29:44AM +0000, Colin Watson wrote:

>> but should be much easier to maintain, and would probably also make it
>> easier to switch to a syscall-set-confining library if such a thing
>> exists in the future.

> Would a version of OpenBSD's pledge() system call have looked appealing to
> you, if it were implemented as a library interface around seccomp? There's
> already roughly two dozen categories, though not all may translate well to
> seccomp's abilities.

> https://man.openbsd.org/pledge.2

It's certainly better than listing system calls individually, so it would
be useful!

I think whether this or systemd's groupings are more useful depends
somewhat on the use case.  At a quick glance, I think I would more often
prefer systemd's approach to OpenBSD's (the groupings seem more useful),
but there are a few places where I could see it going the other way, and
there are places where OpenBSD is usefully more granular.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
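A sketch of the idea Seth raises above, a pledge()-style library interface on top of seccomp, as an added example that is not part of this thread and not code from OpenBSD, systemd or Debian. It assumes an x86-64 host (the AUDIT_ARCH value is hard-coded), and the two promise sets "stdio" and "rpath" are illustrative assumptions, not OpenBSD's or systemd's actual groupings.

```c
// Added example, not from the thread: a pledge(2)-style wrapper over seccomp-BPF.
// Promise contents below are illustrative assumptions, not OpenBSD's or systemd's sets.
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define PLEDGE_ARCH AUDIT_ARCH_X86_64   /* assumption: x86-64 host; adjust per ABI */

struct promise { const char *name; const int *nrs; size_t n; };
static const int stdio_nrs[] = { __NR_read, __NR_write, __NR_close, __NR_fstat, __NR_brk, __NR_exit_group };
static const int rpath_nrs[] = { __NR_openat, __NR_getcwd };
static const struct promise promises_tbl[] = { { "stdio", stdio_nrs, 6 }, { "rpath", rpath_nrs, 2 } };

/* Compile a space-separated promise list into a BPF allow-list; returns the instruction count, or -1. */
static int build_pledge_filter(const char *promises, struct sock_filter *prog, size_t max)
{
    int nrs[64]; size_t n = 0, k = 0; char buf[128];
    strncpy(buf, promises, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        const struct promise *p = NULL;
        for (size_t i = 0; i < sizeof promises_tbl / sizeof *promises_tbl; i++)
            if (strcmp(promises_tbl[i].name, tok) == 0) p = &promises_tbl[i];
        if (!p) return -1;                        /* unknown promise: refuse, as pledge(2) does */
        for (size_t i = 0; i < p->n && n < 64; i++) nrs[n++] = p->nrs[i];
    }
    if (n + 6 > max) return -1;
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_LD|BPF_W|BPF_ABS, offsetof(struct seccomp_data, arch)); /* pin ABI first */
    prog[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, PLEDGE_ARCH, 1, 0);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_LD|BPF_W|BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++)                /* each match jumps forward to the final ALLOW */
        prog[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, (unsigned)nrs[i], (unsigned char)(n - i), 0);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL);   /* default: deny */
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW);
    return (int)k;
}

/* Install the filter; NO_NEW_PRIVS is required for unprivileged seccomp. Returns 0 on success. */
static int pledge_like(const char *promises)
{
    struct sock_filter prog[80]; int n = build_pledge_filter(promises, prog, 80);
    if (n < 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
```

After `pledge_like("stdio")` the process keeps read/write but any later openat() is killed, which is the sort of coarse, named grouping the thread is comparing against per-syscall lists.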