New blog post outlining the implementation of Seccomp and Seccomp-BPF https://illogicalexpressions.com/linux/2016/08/31/seccomp-and-seccomp-bpf.html …
another alternative: create new mount namespace with just an empty inaccessible tmpfs, whitelist execveat, use O_CLOEXEC.
note that with the non-tmpfs options, the binary could still make the kernel access arbitrary paths, e.g. via the interpreter path
thanks, I'll look into those. I'd considered execve, but dismissed it due to the obvious loophole, didn't think of execveat.