@kees_cook Can make a nice automated learning mode with support for learning parameter checks for ioctl, futex, etc. via TRACE too.
@kees_cook Stick one or more sandbox initialization points in the program, auto-learn the profiles for an architecture and then enforce.
@CopperheadSec @securepaul Yeah, I'd love it if libseccomp had tools to do this. An automated version of https://outflux.net/teach-seccomp/ :)
@kees_cook @securepaul There's a simple MIT-licensed auto-learning implementation in https://github.com/thestinger/playpen. Doesn't trace children yet.
@CopperheadSec @kees_cook Thanks, auto-learn functionality is on my wishlist. Interested in working on merge into libseccomp?
@securepaul @kees_cook Yes, definitely. Need to teach it to trace children of the traced child though. Had trouble making it robust.
@CopperheadSec @kees_cook Great! The API might be tricky, but we'll figure it out. Also need to make sure it works the same on all arches.
@securepaul @CopperheadSec https://github.com/dimkr/libwaive Oh look, already written. :P
End of conversation
New conversation
@kees_cook We have talked about doing something like this in libseccomp but I've delayed due to concerns over the "right" groupings.
@securepaul Yeah, and getting some meaningful separations for things like DNS and temp files sure would be nice. :)
@kees_cook Agreed, but as you said, arg inspection is needed. Regardless, providing a higher-level grouping should be a "win".
End of conversation
New conversation
@kees_cook Yeah, I started working on an implementation back when it was called tame(). You can get really close with existing kernels.
@kees_cook I haven't looked at eBPF, but pledge() wants to do things like compare paths that (I thought) seccomp can't do easily.
@geofft Yeah, I discuss arg inspection in the blog post. OpenBSD has some other interesting advantages too (SOCK_DNS).
@kees_cook Oops, read too fast! Cool!
End of conversation
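The argument inspection that both threads above come back to (the DNS and temp-file groupings in the libseccomp exchange, and the pledge() path-comparison point in this one), as an added example that is not from the thread, from libseccomp or from the blog post it mentions: a seccomp-BPF filter that lets socket(2) through only for AF_INET/AF_INET6 stream sockets, plus a small user-space interpreter so its decisions can be checked without installing it. Everything numeric is an assumption about Linux x86_64: the struct definitions mirror linux/filter.h and linux/seccomp.h, and __NR_socket, AUDIT_ARCH_X86_64 and the AF_/SOCK_ values are the x86_64 ones, with arguments read as little-endian low words. The filter checks the architecture first, which is the "works the same on all arches" problem from the first thread in concrete form: a filter built from one arch's syscall table must refuse to run on another. It also shows the limit geofft raises: the filter only sees register values, so a path argument is an opaque pointer it cannot compare.

```c
/*
 * Added example (not from the thread or from libseccomp): a seccomp-BPF
 * filter that inspects the *arguments* of socket(2), plus a tiny cBPF
 * evaluator so the decisions can be checked in user space.
 * Assumptions: struct layouts mirror linux/filter.h and linux/seccomp.h;
 * all numeric constants are the Linux x86_64 values; args are read as
 * little-endian low 32-bit words.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sc_filter { uint16_t code; uint8_t jt, jf; uint32_t k; };               /* struct sock_filter  */
struct sc_data   { int32_t nr; uint32_t arch; uint64_t ip; uint64_t args[6]; }; /* struct seccomp_data */

/* BPF opcode pieces and seccomp return codes, values as in the kernel uapi headers */
#define LD_W_ABS   0x20   /* BPF_LD | BPF_W | BPF_ABS */
#define JEQ_K      0x15   /* BPF_JMP | BPF_JEQ | BPF_K */
#define AND_K      0x54   /* BPF_ALU | BPF_AND | BPF_K */
#define RET_K      0x06   /* BPF_RET | BPF_K */
#define STMT(c, k)        { (c), 0, 0, (k) }
#define JUMP(c, k, t, f)  { (c), (t), (f), (k) }
#define RET_ALLOW  0x7fff0000u
#define RET_KILL   0x00000000u
#define RET_ERRNO(e) (0x00050000u | ((e) & 0xffffu))

#define OFF_NR     0
#define OFF_ARCH   4
#define OFF_ARG(i) (16 + 8 * (i))   /* low 32 bits of args[i], little-endian */

#define ARCH_X86_64     0xc000003eu /* AUDIT_ARCH_X86_64 */
#define NR_SOCKET       41          /* __NR_socket on x86_64 */
#define AF_INET_        2
#define AF_INET6_       10
#define SOCK_STREAM_    1
#define SOCK_TYPE_MASK_ 0xf         /* strips SOCK_CLOEXEC / SOCK_NONBLOCK */

static const struct sc_filter socket_filter[] = {
    STMT(LD_W_ABS, OFF_ARCH),          /*  0: A = arch                          */
    JUMP(JEQ_K, ARCH_X86_64, 1, 0),    /*  1: right arch? else kill             */
    STMT(RET_K, RET_KILL),             /*  2                                    */
    STMT(LD_W_ABS, OFF_NR),            /*  3: A = syscall number                */
    JUMP(JEQ_K, NR_SOCKET, 1, 0),      /*  4: socket()? else allow              */
    STMT(RET_K, RET_ALLOW),            /*  5: demo only; a real profile lists   */
    STMT(LD_W_ABS, OFF_ARG(0)),        /*  6: A = domain                        */
    JUMP(JEQ_K, AF_INET_, 2, 0),       /*  7                                    */
    JUMP(JEQ_K, AF_INET6_, 1, 0),      /*  8                                    */
    STMT(RET_K, RET_ERRNO(EACCES)),    /*  9: other families fail with EACCES   */
    STMT(LD_W_ABS, OFF_ARG(1)),        /* 10: A = type                          */
    STMT(AND_K, SOCK_TYPE_MASK_),      /* 11: drop flag bits before comparing   */
    JUMP(JEQ_K, SOCK_STREAM_, 0, 1),   /* 12                                    */
    STMT(RET_K, RET_ALLOW),            /* 13                                    */
    STMT(RET_K, RET_ERRNO(EACCES)),    /* 14: datagram/raw sockets refused      */
};
#define FILTER_LEN (sizeof socket_filter / sizeof socket_filter[0])

/* Minimal cBPF evaluator for the four instruction kinds used above. */
uint32_t sc_eval(const struct sc_filter *prog, size_t len, const struct sc_data *d)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sc_filter *in = &prog[pc];
        switch (in->code) {
        case LD_W_ABS:
            if (in->k + 4 > sizeof *d) return RET_KILL;   /* out-of-bounds load */
            memcpy(&a, (const char *)d + in->k, 4);
            break;
        case AND_K: a &= in->k; break;
        case JEQ_K: pc += (a == in->k) ? in->jt : in->jf; break;  /* offsets from next insn */
        case RET_K: return in->k;
        default:    return RET_KILL;
        }
    }
    return RET_KILL;   /* fell off the end; the kernel refuses to load such a program */
}

/* Decision for a hypothetical socket(domain, type, 0) on x86_64. */
uint32_t decide_socket(uint32_t domain, uint32_t type)
{
    struct sc_data d = { .nr = NR_SOCKET, .arch = ARCH_X86_64 };
    d.args[0] = domain;
    d.args[1] = type;
    return sc_eval(socket_filter, FILTER_LEN, &d);
}

#ifdef __linux__
#include <sys/prctl.h>
#include <sys/socket.h>
struct sc_fprog { unsigned short len; const struct sc_filter *filter; };   /* struct sock_fprog */

/* x86_64 Linux only: install the filter, then show the two outcomes. */
int main(void)
{
    struct sc_fprog prog = { FILTER_LEN, socket_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        prctl(PR_SET_SECCOMP, 2 /* SECCOMP_MODE_FILTER */, &prog)) {
        perror("prctl");
        return 1;
    }
    int inet = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
    int unix_fd = socket(AF_UNIX, SOCK_STREAM, 0);   /* -1, errno == EACCES */
    printf("inet fd=%d, unix fd=%d (%s)\n", inet, unix_fd, strerror(errno));
    return 0;
}
#endif
```

The AND before the type comparison is the kind of detail an auto-learner built on SECCOMP_RET_TRACE would have to get right: the traced program may call socket() with SOCK_CLOEXEC or SOCK_NONBLOCK ORed in, and a filter that records raw values would reject the next run that differs only in those flags. Note also what the filter cannot do: for open(2) or connect(2) it sees only the pointer in the register, not the path or the sockaddr behind it, which is the gap SOCK_DNS-style kernel support closes on OpenBSD.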
New conversation

@kees_cook I would love to see a pledge()-like implementation on Linux, based on the good work done by #OpenBSD.

@kees_cook His one-line dismissal of SELinux was pretty inane, even if we pretend SEAndroid doesn't exist.

@kees_cook @damienmiller Thanks; I don't suppose there is a video of Theo's presentation too?