droproot, seccomp
James Browning
jamesb.fe80 at gmail.com
Tue Feb 25 22:26:49 UTC 2020
On Tue, Feb 25, 2020, at 1:37 PM Eric S. Raymond <esr at thyrsus.com> wrote:
>
> James Browning via devel <devel at ntpsec.org>:
> > Is there anything preventing the possibility of an early looser
> > seccomp setup and then tightening it later possibly with a knob
> > to generate terse or verbose warnings instead of dying.
>
> That is a very interesting idea that I think deserves further
> examination.
>
> Do you have an implementation strategy in mind?
Not really, I thought any adding of knobs would wind up on
your list and get dropped. As for the seccomp filter, it
would probably involve taking the seccomp code out of ntpd/
ntp_sandbox:sandbox and into a function that could be called
once (or twice) with an argument for how early it is being
called. If it is being called earlier start the loop at 0
and otherwise at 3+. I should probably code a toy version
and see if the idea works.
Maybe the hypothetical knob could be called seccompwarn.
More information about the devel
mailing list