New blog post outlining the implementation of Seccomp and Seccomp-BPF https://illogicalexpressions.com/linux/2016/08/31/seccomp-and-seccomp-bpf.html …
might make sense to point readers to libseccomp, which can generate seccomp filters and takes care of things like the arch check
-
good points, thanks for the feedback. Will update the LD_PRELOAD section with your warning, any suggestions on how to do it better?
-
normally, restrictive seccomp policies are used by services to sandbox themselves, not like this - binaries are usually trusted.
-
probably best to say it's not meant to be used in this way then. Cheers for the input
-
afaik usual usages are "(trusted) binary sandboxes itself" and "a whole container is sandboxed" (execve must be permitted anyway)