droproot, seccomp
James Browning
jamesb.fe80 at gmail.com
Tue Feb 25 21:00:00 UTC 2020
On Tue, Feb 25, 2020, 7:37 AM Richard Laager via devel <devel at ntpsec.org> wrote:
> On 2/24/20 11:02 PM, Hal Murray via devel wrote:
> > I'm looking at strace output. There are a few calls used only once or twice.
> >
> > It seems obvious that we should drop root as early as possible. But it's not
> > obvious that we should enable seccomp early.
> >
> > If we turn on seccomp early, then we have to allow all the syscalls used
> > during initialization so a bad guy could use them too.
> >
> > So what are we worried about? What is seccomp trying to protect against?
> > Bugs in our initialization code before we start exchanging packets, or bugs in
> > the mainline code after initialization when the bad guys get to send us
> > packets?
>
> I'd say the latter.
>
Is there anything preventing the possibility of an early looser
seccomp setup and then tightening it later, possibly with a knob
to generate terse or verbose warnings instead of dying?
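The two-stage arrangement asked about above, as an added illustration that is not ntpsec code and not from anyone in this thread: a loose allowlist is loaded before init and root drop, then a tighter one once the packet loop is about to start, with a knob that chooses between killing the process, a terse kernel audit record, or a verbose in-process report. The syscall lists, the `SECCOMP_MODE` environment variable and the `/etc/hostname` probe are constructed placeholders, not ntpd's real allowlist; it assumes Linux 4.14 or later (for `SECCOMP_RET_LOG` and `SECCOMP_RET_KILL_PROCESS`) on x86-64 or aarch64.

```c
/* Two-stage seccomp-BPF with a kill/log/trap knob: added example for this
 * thread, not ntpsec code. Linux 4.14+ only; the syscall lists and the
 * SECCOMP_MODE variable are constructed placeholders, not ntpd's real ones. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__aarch64__)
#define HOST_ARCH AUDIT_ARCH_AARCH64
#else
#define HOST_ARCH AUDIT_ARCH_X86_64   /* x86-64 assumed; add other AUDIT_ARCH_* values as needed */
#endif
#define LOAD(field) (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, field))
#define JEQ(k, jt, jf) (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, k, jt, jf)
#define RET(action) (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, action)

/* Emit 5 + 2n instructions: kill on a foreign ABI, allow each listed syscall,
 * otherwise return deny_action. Returns 0 if 'out' is too small. */
size_t build_allowlist(struct sock_filter *out, size_t cap, const int *nrs, size_t n,
                       uint32_t deny_action)
{
    if (cap < 5 + 2 * n) return 0;
    size_t i = 0;
    out[i++] = LOAD(arch);                      /* refuse the compat/foreign ABI outright */
    out[i++] = JEQ(HOST_ARCH, 1, 0);
    out[i++] = RET(SECCOMP_RET_KILL_PROCESS);
    out[i++] = LOAD(nr);
    for (size_t k = 0; k < n; k++) {            /* one compare + allow per listed syscall */
        out[i++] = JEQ((uint32_t)nrs[k], 0, 1);
        out[i++] = RET(SECCOMP_RET_ALLOW);
    }
    out[i++] = RET(deny_action);                /* everything else: the knob decides */
    return i;
}

/* Knob: kill = die; log = terse, one kernel audit record and the call still
 * runs; trap = verbose, the SIGSYS handler below reports the syscall number
 * and the call fails with ENOSYS. Anything unrecognised falls back to kill. */
uint32_t deny_action_from_knob(const char *mode)
{
    if (mode && strcmp(mode, "log") == 0)  return SECCOMP_RET_LOG;
    if (mode && strcmp(mode, "trap") == 0) return SECCOMP_RET_TRAP;
    return SECCOMP_RET_KILL_PROCESS;
}

static void on_sigsys(int sig, siginfo_t *si, void *ctx)
{
    char msg[64]; (void)sig; (void)ctx;  /* snprintf is not formally signal-safe; fine for a diagnostic */
    int len = snprintf(msg, sizeof msg, "seccomp: denied syscall %d\n", si->si_syscall);
    if (len > 0) write(STDERR_FILENO, msg, (size_t)len);
}

/* no_new_privs first, so an unprivileged process may load the filter. */
int install_filter(struct sock_filter *f, size_t n)
{
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

struct sock_filter scratch[64];   /* buffer shared by main() and any offline checks */

int main(void)
{
    /* Stage 1, before dropping root: everything init and the main loop need (constructed list). */
    const int early[] = { SYS_read, SYS_write, SYS_openat, SYS_close, SYS_prctl, SYS_rt_sigaction,
                          SYS_rt_sigreturn, SYS_recvfrom, SYS_sendto, SYS_clock_gettime, SYS_exit_group };
    size_t n = build_allowlist(scratch, 64, early, sizeof early / sizeof *early, SECCOMP_RET_KILL_PROCESS);
    if (install_filter(scratch, n) != 0) { perror("stage 1"); return 1; }
    /* ... read config, open sockets, drop root ... */

    /* Stage 2: filters stack, so this tighter list now governs the packet loop. */
    struct sigaction sa = { .sa_sigaction = on_sigsys, .sa_flags = SA_SIGINFO };
    sigaction(SIGSYS, &sa, NULL);
    const int late[] = { SYS_read, SYS_write, SYS_recvfrom, SYS_sendto, SYS_clock_gettime,
                         SYS_rt_sigreturn, SYS_exit_group };
    n = build_allowlist(scratch, 64, late, sizeof late / sizeof *late,
                        deny_action_from_knob(getenv("SECCOMP_MODE")));
    if (install_filter(scratch, n) != 0) { perror("stage 2"); return 1; }

    /* openat() was fine during init; now it is killed, logged or trapped. */
    if (openat(AT_FDCWD, "/etc/hostname", O_RDONLY) < 0) perror("openat after stage 2");
    return 0;
}
```

A second `PR_SET_SECCOMP` call adds a filter rather than replacing one, and the most restrictive verdict across all installed filters wins, so the early list only has to be a superset of the late one and can be as loose as init needs. Run with `SECCOMP_MODE=log` the kernel writes one audit record per denied call and lets it proceed; with `SECCOMP_MODE=trap` the process itself prints the syscall number and the call returns `ENOSYS`; unset, it dies. The log and trap settings are a way to find stray syscalls before shipping an allowlist, not something to leave on in production, since a denied call then still runs or is merely reported.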