New blog post outlining the implementation of Seccomp and Seccomp-BPF https://illogicalexpressions.com/linux/2016/08/31/seccomp-and-seccomp-bpf.html …
normally, restrictive seccomp policies are used by services to sandbox themselves, not like this - binaries are usually trusted.
if you really want to do it, afaik you can ptrace the child with PTRACE_O_{TRACEEXEC,EXITKILL} and inject syscalls (mmap, seccomp).
less reliable alternative would be to whitelist execveat(<fd>,*,*,*,AT_EMPTY_PATH) and block close/dup2/dup3 on <fd>, I guess.