Seccomp tangle
Eric S. Raymond
esr at thyrsus.com
Wed May 27 00:38:55 UTC 2020
Hal Murray via devel <devel at ntpsec.org>:
>
> I've been experimenting with some code to allow custom seccomp lists.
>
> The idea is to replace the --enable-seccomp configure option with
> --enable-seccomp=foo
> and ntp_sandbox would include syscomp/foo.c which would be a list of syscalls
> used by this system.
>
> I assume we would maintain a list for each OS/distro/version/hardware
> combination that we are interested in. I have a few scripts that turn strace
> output into a list. ...
>
> Is this interesting? If not, I'll drop it.
>
> If yes, I'll need some help to work out the details.
Aaarrgghhh. It's a huge pain in the ass and I wish it weren't interesting.
But given our mission statement, it has to be.
--
Eric S. Raymond <http://www.catb.org/~esr/>
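
The strace-to-list scripts mentioned in the quoted message are not shown in the thread. As an added illustration (not code from the thread or from NTPsec), the sketch below reduces `strace -f` output to a sorted syscall list and renders it as `SCMP_SYS()` entries; the sample trace is constructed, and the layout of the generated per-platform file is an assumption.

```python
import re

# Constructed sample of `strace -f` output (not captured from a real ntpd run).
SAMPLE = """\
1234 clock_gettime(CLOCK_REALTIME, {tv_sec=1590539935, tv_nsec=0}) = 0
1234 recvmsg(17, <unfinished ...>
1235 00:38:55.123456 futex(0x7f00, FUTEX_WAIT_PRIVATE, 0, NULL) = 0
1234 <... recvmsg resumed>{msg_namelen=16}, 0) = 48
1234 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
[pid  1236] adjtimex({modes=0}) = 0
openat(AT_FDCWD, "/etc/ntp.conf", O_RDONLY) = 3
1234 +++ exited with 0 +++
"""

# Optional pid ("1234 " or "[pid 1234] "), optional timestamp, then the call.
PREFIX = r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?:\d+(?::\d+:\d+)?(?:\.\d+)?\s+)?"
CALL = re.compile(PREFIX + r"([a-z_][a-z0-9_]*)\(")
# A call interrupted by another thread; matters if tracing began mid-call.
RESUMED = re.compile(PREFIX + r"<\.\.\. ([a-z_][a-z0-9_]*) resumed>")


def syscalls_from_strace(text):
    """Return the sorted set of syscall names seen in strace output."""
    names = set()
    for line in text.splitlines():
        # Signal ("---") and exit ("+++") lines match neither pattern.
        m = CALL.match(line) or RESUMED.match(line)
        if m:
            names.add(m.group(1))
    return sorted(names)


def as_c_fragment(names):
    """Render names as SCMP_SYS() entries (file layout is an assumption)."""
    return "".join(f"\tSCMP_SYS({n}),\n" for n in names)


def diff_lists(old, new):
    """Syscalls added and removed between two lists, for review before merging."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


if __name__ == "__main__":
    print(as_c_fragment(syscalls_from_strace(SAMPLE)), end="")
```

A list built this way covers only the code paths the traced run exercised, so rarely taken paths (error handling, reconfiguration, shutdown) need their own traces before the list is used as an allowlist.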