Re: seccomp jailing for applications
Seth Arnold <seth.arnold@canonical.com> writes:
> On Fri, Dec 01, 2017 at 01:29:44AM +0000, Colin Watson wrote:
>> but should be much easier to maintain, and would probably also make it
>> easier to switch to a syscall-set-confining library if such a thing
>> exists in the future.
> Would a version of OpenBSD's pledge() system call have looked appealing to
> you, if it were implemented as a library interface around seccomp? There's
> already roughly two dozen categories, though not all may translate well to
> seccomp's abilities.
> https://man.openbsd.org/pledge.2
It's certainly better than listing system calls individually, so it would
be useful!
I think whether this or systemd's groupings are more useful depends
somewhat on the use case. At a quick glance, I think I would more often
prefer systemd's approach to OpenBSD's (the groupings seem more useful),
but there are a few places where I could see it going the other way, and
there are places where OpenBSD is usefully more granular.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
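As an added illustration of the idea Seth raises above (a pledge()-style interface implemented as a library around seccomp), here is a constructed example that is not OpenBSD's pledge(), not libseccomp, and not code from anyone in this thread: a promise string such as "stdio rpath" is compiled into a seccomp BPF allow-list. The promise names are pledge(2)'s, but the syscall sets behind them, the 64-instruction buffer and the x86_64 fallback for the architecture check are assumptions for illustration.

```c
/* Constructed example: pledge-style promises compiled into a seccomp BPF allow-list (not OpenBSD's pledge(), libseccomp, or systemd's lists). */
#include <stddef.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#ifdef __aarch64__
#define PLEDGE_ARCH AUDIT_ARCH_AARCH64
#else
#define PLEDGE_ARCH AUDIT_ARCH_X86_64 /* assumption: x86_64 on every other build */
#endif
#define STMT(code, k) (struct sock_filter)BPF_STMT(code, k)
#define JUMP(code, k, jt, jf) (struct sock_filter)BPF_JUMP(code, k, jt, jf)
#define LEN(a) (sizeof (a) / sizeof *(a))
/* Promise names follow pledge(2); the syscall sets behind them are assumed for illustration and are far smaller than the real ones. */
static const int stdio_nrs[] = { SYS_read, SYS_write, SYS_close, SYS_brk, SYS_exit_group }, rpath_nrs[] = { SYS_openat };
static const struct { const char *name; const int *nrs; size_t n; } promises[] = {
    { "stdio", stdio_nrs, LEN(stdio_nrs) }, { "rpath", rpath_nrs, LEN(rpath_nrs) },
};
/* Compile "stdio rpath" into BPF: arch check first (syscall numbers differ per ABI), then one JEQ+ALLOW pair
 * per permitted syscall, then default kill. Returns the instruction count, or 0 on an unknown promise or a too-small buffer. */
size_t pledge_compile(const char *wanted, struct sock_filter *prog, size_t cap) {
    char buf[128]; size_t n = 0;
    if (cap < 5 || strlen(wanted) >= sizeof buf) return 0;
    prog[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, PLEDGE_ARCH, 1, 0);
    prog[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    strcpy(buf, wanted);
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        size_t p = 0;
        while (p < LEN(promises) && strcmp(tok, promises[p].name) != 0) p++;
        if (p == LEN(promises)) return 0; /* unknown promise: refuse, never widen */
        for (size_t i = 0; i < promises[p].n; i++) {
            if (n + 3 > cap) return 0;
            prog[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)promises[p].nrs[i], 0, 1);
            prog[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
        }
    }
    prog[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL); /* anything else: kill */
    return n;
}
/* Install: NO_NEW_PRIVS first so an unprivileged process may load the filter; the result is irreversible. Returns 0 on success. */
int pledge_apply(struct sock_filter *prog, unsigned short len) {
    struct sock_fprog f = { .len = len, .filter = prog };
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &f);
}
```

A real library would need per-promise argument filtering too (pledge's "rpath" versus "wpath" is about open flags, which this JEQ-on-number scheme cannot express), which is where systemd's name-based groupings and OpenBSD's semantic categories start to differ in practice.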