Please CC me in the responses, as I'm not subscribed to the list. Regards.
On Sun, Jan 21, 2018 at 8:57 PM, David Sastre <[email protected]> wrote:
> Hello,
>
> I have been recently playing around with seccomp and the coreutils source
> code and was wondering about the feasibility of implementing seccomp
> filters in the tools.
> The main benefit for the project would be offering the possibility of
> reducing exploitability by reducing the system calls a program might make,
> using a whitelist.
> Searching the mail archives of the project for discussions around this
> topic has not been fruitful, hence my asking.
>
> I have tested locally with some of the easiest examples possible (true and
> echo) and a, quite possibly, very naive implementation; but it seems to
> work as expected.
> If I were to put some effort in this, and provided this functionality is
> made explicitly GNU/Linux dependent and optional, would there be interest
> from the group? I would most probably require assistance with the autotools
> changes required, not to mention code review.
> My main inspiration for this request is the OpenBSD pledge()[1] syscall,
> which is applied to the base system (containing most of the equivalent
> tools in GNU/Linux land). You can check an example[2] on the 'echo' tool
> source code.
>
> Regards and thanks in advance for any feedback, I would love to hear from
> the devs even in the case this request is considered not useful.
>
> [1] https://man.openbsd.org/pledge.2
> [2] https://github.com/openbsd/src/blob/master/bin/echo/echo.c
>
