Re: seccomp jailing for applications (was: recommends for apparmor in newest linux-image-4.13)

To: Debian Developers <debian-devel@lists.debian.org>
Subject: Re: seccomp jailing for applications (was: recommends for apparmor in newest linux-image-4.13)
From: Andrew Shadura <andrew@shadura.me>
Date: Fri, 1 Dec 2017 12:05:20 +0100
Message-id: <[🔎] CACujMDM5uAoTa5xWvvmMMFEC4xhOZWrJGrornp-dR1c2-385jQ@mail.gmail.com>
In-reply-to: <[🔎] 20171201104554.wxvdenqxmndtyihm@riva.ucam.org>
References: <20171128185445.GA5602@lst.de> <20171128230308.GB769@bongo.bofh.it> <18deb24e-d4b3-11e7-9b6a-00163eeb5320@msgid.mathom.us> <87609tg1d1.fsf@hope.eyrie.org> <20171129072514.GA31212@chew> <f959b121-7b92-5f18-f91e-d8c9a2581a9a@gmail.com> <87efogcztt.fsf_-_@hope.eyrie.org> <[🔎] 20171201003506.4nd7q2sjvamylu3n@riva.ucam.org> <[🔎] 20171201012944.pdml3xtkqivj4zaf@riva.ucam.org> <[🔎] 20171201031843.GE17499@hunt> <[🔎] 20171201104554.wxvdenqxmndtyihm@riva.ucam.org>

On 1 December 2017 at 11:45, Colin Watson <cjwatson@debian.org> wrote:
> On Thu, Nov 30, 2017 at 07:18:43PM -0800, Seth Arnold wrote:
>> On Fri, Dec 01, 2017 at 01:29:44AM +0000, Colin Watson wrote:
>> > but should be much easier to maintain, and would probably also make it
>> > easier to switch to a syscall-set-confining library if such a thing
>> > exists in the future.
>>
>> Would a version of OpenBSD's pledge() system call have looked appealing to
>> you, if it were implemented as a library interface around seccomp? There's
>> already roughly two dozen categories, though not all may translate well to
>> seccomp's abilities.
>>
>> https://man.openbsd.org/pledge.2
>
> Something like that, yes; maybe something like "stdio rpath flock proc
> exec" in man-db's case, although I'm sure that would need some tweaking.
>
> It's nice to be able to say "these sets, plus this handful of additional
> syscalls", which pledge can't do.
>
> Also, I'm very glad that seccomp persists across execve(2); I much
> prefer this to the pledge model.

How about https://notabug.org/rain1/linux-seccomp-pledge/?

-- 
Cheers,
  Andrew

Reply to:

Follow-Ups:
- Re: seccomp jailing for applications (was: recommends for apparmor in newest linux-image-4.13)
  - From: Colin Watson <cjwatson@debian.org>

References:
- Re: seccomp jailing for applications (was: recommends for apparmor in newest linux-image-4.13)
  - From: Colin Watson <cjwatson@debian.org>
- Re: seccomp jailing for applications (was: recommends for apparmor in newest linux-image-4.13)
  - From: Colin Watson <cjwatson@debian.org>
- Re: seccomp jailing for applications (was: recommends for apparmor in newest linux-image-4.13)
  - From: Seth Arnold <seth.arnold@canonical.com>
- Re: seccomp jailing for applications (was: recommends for apparmor in newest linux-image-4.13)
  - From: Colin Watson <cjwatson@debian.org>

Prev by Date: Re: Automatic downloading of non-free software by stuff in main
Next by Date: Re: Debian Stretch new user report (vs Linux Mint)
Previous by thread: Re: seccomp jailing for applications (was: recommends for apparmor in newest linux-image-4.13)
Next by thread: Re: seccomp jailing for applications (was: recommends for apparmor in newest linux-image-4.13)
Index(es):
- Date
- Thread