New blog post outlining the implementation of Seccomp and Seccomp-BPF https://illogicalexpressions.com/linux/2016/08/31/seccomp-and-seccomp-bpf.html
Replying to @ajxchapman @noxrnet
might make sense to point readers to libseccomp, which can generate seccomp filters and takes care of things like the arch check
Replying to @tehjh
Good points, thanks for the feedback. Will update the LD_PRELOAD section with your warning; any suggestions on how to do it better?
Replying to @ajxchapman @noxrnet
normally, restrictive seccomp policies are used by services to sandbox themselves, not like this - binaries are usually trusted.
if you really want to do it, afaik you can ptrace the child with PTRACE_O_{TRACEEXEC,EXITKILL} and inject syscalls (mmap, seccomp).
less reliable alternative would be to whitelist execveat(<fd>,*,*,*,AT_EMPTY_PATH) and block close/dup2/dup3 on <fd>, I guess.
another alternative: create new mount namespace with just an empty inaccessible tmpfs, whitelist execveat, use O_CLOEXEC.
note that with the non-tmpfs options, the binary could still make the kernel access arbitrary paths, e.g. via the interpreter path
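Added example, not from the thread or the linked post: a raw seccomp-BPF filter for the "whitelist execveat(<fd>,*,*,*,AT_EMPTY_PATH) and block close/dup2/dup3 on <fd>" option discussed above, written for x86_64 with the arch check done first (the thing libseccomp would otherwise do for you). The function names build_filter/run_filter/verdict/install_filter, the FILTER_LEN constant and the hard-coded x86_64 syscall numbers are my own choices. run_filter is a small interpreter for only the three BPF opcodes the filter uses, so the policy can be exercised against constructed seccomp_data records (constructed inputs, not captured from a real process) without installing it; install_filter is what a launcher would call before execveat.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* x86_64 syscall numbers, fixed explicitly so they match the arch the filter checks. */
enum { NR_close = 3, NR_dup2 = 33, NR_dup3 = 292, NR_execveat = 322 };

#ifndef AT_EMPTY_PATH                 /* glibc exposes it only under _GNU_SOURCE */
#define AT_EMPTY_PATH 0x1000
#endif
#ifndef SECCOMP_RET_KILL_PROCESS      /* Linux >= 4.14; older kernels only kill the thread */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#define SD_OFF(f) ((uint32_t)offsetof(struct seccomp_data, f))
#define ARG_LO(n) (SD_OFF(args[(n)]))      /* low 32 bits of a u64 argument (little-endian) */
#define ARG_HI(n) (SD_OFF(args[(n)]) + 4)  /* high 32 bits: never compare only the low half */
#define FILTER_LEN 28

/* Write the policy pinning exec to file descriptor fd into out[FILTER_LEN] and return its
 * length. Jump offsets are relative to the following instruction; indices are in comments. */
size_t build_filter(struct sock_filter *out, int fd)
{
    struct sock_filter prog[FILTER_LEN] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(arch)),             /* 0: arch first, since */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0), /*    nr is per-arch */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(nr)),               /* 3: dispatch on nr */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_execveat, 4, 0),       /*    -> 9  */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_close, 12, 0),         /*    -> 18 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_dup2, 15, 0),          /*    -> 22 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_dup3, 14, 0),          /*    -> 22 */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),                 /* 8: everything else */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(0)),                /* 9: execveat dirfd == fd */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)fd, 0, 15),     /*    mismatch -> 26 */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_HI(0)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 13),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(4)),                /*    flags == AT_EMPTY_PATH */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AT_EMPTY_PATH, 0, 11),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_HI(4)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 9),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),                 /* 17 */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(0)),                /* 18: close(fd) is fatal */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)fd, 0, 7),      /*    other fd -> 27 */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_HI(0)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 4, 5),                 /*    26 : 27 */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(1)),                /* 22: dup2/dup3 newfd != fd */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)fd, 0, 3),      /*    other fd -> 27 */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_HI(1)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 1),                 /*    26 : 27 */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),          /* 26 */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),                 /* 27 */
    };
    memcpy(out, prog, sizeof prog);
    return FILTER_LEN;
}

/* Interpreter for the three opcodes used above, so the policy can be exercised against
 * constructed seccomp_data records without installing it. Returns the seccomp verdict. */
uint32_t run_filter(const struct sock_filter *prog, size_t len, const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const unsigned char *)sd + in->k, sizeof acc);
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == in->k) ? in->jt : in->jf;
        else if (in->code == (BPF_RET | BPF_K))
            return in->k;
        else
            break;                          /* opcode not modelled */
    }
    return SECCOMP_RET_KILL_PROCESS;        /* the kernel rejects filters that run off the end */
}

/* Verdict for one syscall: a0/a1 are the fd arguments (dirfd, oldfd/newfd), a4 the flags. */
uint32_t verdict(int fd, uint32_t arch, int nr, uint64_t a0, uint64_t a1, uint64_t a4)
{
    struct sock_filter prog[FILTER_LEN];
    struct seccomp_data sd = { .nr = nr, .arch = arch, .args = { a0, a1, 0, 0, a4, 0 } };
    return run_filter(prog, build_filter(prog, fd), &sd);
}

/* Install the policy for the calling process; afterwards only execveat(fd, "", argv, envp,
 * AT_EMPTY_PATH) can exec. no_new_privs is required for an unprivileged caller. */
int install_filter(int fd)
{
    struct sock_filter prog[FILTER_LEN];
    struct sock_fprog fprog = { .len = FILTER_LEN, .filter = prog };
    build_filter(prog, fd);
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
```

A launcher would open the binary with O_RDONLY | O_CLOEXEC, call install_filter(fd), then execveat(fd, "", argv, envp, AT_EMPTY_PATH). Two caveats are worth keeping in mind, and both back up the thread's preference for the empty-tmpfs mount namespace: seccomp-BPF cannot dereference pointers, so the filter cannot check that the pathname argument is actually empty, and execveat with a non-empty path resolves it relative to fd (or ignores fd for an absolute path), so the filter alone does not stop the untrusted binary from executing something else; and newer kernels have close_range (Linux 5.9), another way to close fd that this 2016-era list does not cover.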