droproot, seccomp

ASSI Stromeko at nexgo.de
Wed Feb 26 06:18:33 UTC 2020


Hal Murray via devel writes:
> I'm working on a way to semi-automate generating the list.  The basic idea is 
> to run ntpd under strace on the type of system you are interested in to 
> collect a lot of data, then run a script to extract the list of syscalls from 
> the strace log file.

If you don't also ensure that you have near 100% coverage of the
possible code paths during data collection (which you likely won't just
running the code, given that all the exception handling code is
unlikely to get run), that becomes a fool's errand.  As Richard
mentioned, as any libraries ntpsec uses change, the list of syscalls
they use would change, too.  So each list would actually be valid only
for a very specific set of configuration options and library versions.

At least under Linux, you'd better trace kernel calls with ftrace, not
strace.  The newer kernels should have dtrace-like capabilities to
tailor your probes.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
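
Added example, not part of the original message and not ntpsec code: a sketch of the extract-and-compare step discussed above, showing that a run which hits an error path uses syscalls a list built from a normal run lacks. Both logs are constructed samples rather than real ntpd traces, and the function names are hypothetical.

```python
import re

# Start of a syscall line, with optional "[pid N]" or bare PID prefix
# (strace -f) and optional timestamp (strace -t/-tt/-r).
_CALL = re.compile(
    r'^\s*(?:\[pid\s+\d+\]\s+|\d+\s+)?(?:[\d:.]+\s+)?([a-z_][a-z0-9_]*)\(')
# Second half of a call that strace -f split: "<... recvfrom resumed> ..."
_RESUMED = re.compile(r'<\.\.\.\s+([a-z_][a-z0-9_]*)\s+resumed>')

def syscalls_in(log_text):
    """Return the set of syscall names seen in one strace log."""
    seen = set()
    for line in log_text.splitlines():
        # Signal ("--- SIG... ---") and exit ("+++ ... +++") lines match neither.
        m = _CALL.match(line) or _RESUMED.search(line)
        if m:
            seen.add(m.group(1))
    return seen

def allowlist_gap(training_logs, later_log):
    """Syscalls in later_log that none of the training logs exercised."""
    allowed = set().union(*(syscalls_in(t) for t in training_logs))
    return syscalls_in(later_log) - allowed

# Constructed sample: a run in which nothing goes wrong.
NORMAL_RUN = '''
[pid 100] openat(AT_FDCWD, "/tmp/example.conf", O_RDONLY) = 3
[pid 100] read(3, "...", 4096) = 42
[pid 100] close(3) = 0
[pid 101] recvfrom(4,  <unfinished ...>
[pid 100] clock_gettime(CLOCK_REALTIME, {tv_sec=1, tv_nsec=0}) = 0
[pid 101] <... recvfrom resumed>"", 1024, 0, NULL, NULL) = 48
[pid 100] adjtimex({modes=0}) = 0
[pid 100] exit_group(0) = ?
+++ exited with 0 +++
'''

# Constructed sample: the config file is missing, so an error-reporting
# path runs that the normal run never reached.
ERROR_RUN = '''
100 12:00:01 openat(AT_FDCWD, "/tmp/example.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
100 12:00:01 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5
100 12:00:01 connect(5, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
100 12:00:01 sendto(5, "...", 3, MSG_NOSIGNAL, NULL, 0) = 3
100 12:00:01 --- SIGTERM {si_signo=SIGTERM} ---
100 12:00:01 exit_group(1) = ?
'''

if __name__ == "__main__":
    print(sorted(allowlist_gap([NORMAL_RUN], ERROR_RUN)))
```

A non-empty gap means a seccomp filter built only from the training runs would deny those calls the first time that path executed.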

