seccomp tangle

[ASSI]

Richard Laager via devel writes:
> I do not. It seems really fragile to me. A change in an underlying
> library can break a working binary, possibly only in some scenarios.
> That's scary.

It's also somewhat the point of using it: any un-audited change rather
breaks the application than the system.  :-)

> It'd be safer (but still not completely safe) to enable if I had good
> (or any) "as installed" tests using Debian's autopkgtest, but I do not.
>
> I'm open to enabling it, but it's also unclear how much benefit it
> provides. What is it protecting the user from? How much value does it
> add if I'm already using AppArmor?

AppArmor is providing something like a chroot/jail environment without
having to actually set one up.  Different target, seccomp forbids the
use of certain kernel facilities, AppArmor/jail/chroot forbids the use
of certain capabilities and locations of the filesystem.  Any of these
things protect the system (or certain parts of it), the user gets
protected only indirectly if at all.

If you really want to go full length, set up a system with SELinux in
enforcing mode and a suitably restrictive policy.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada