Seth Arnold <seth.arn...@canonical.com> writes:
> On Fri, Dec 01, 2017 at 01:29:44AM +0000, Colin Watson wrote:

>> but should be much easier to maintain, and would probably also make it
>> easier to switch to a syscall-set-confining library if such a thing
>> exists in the future.

> Would a version of OpenBSD's pledge() system call have looked appealing to
> you, if it were implemented as a library interface around seccomp? There's
> already roughly two dozen categories, though not all may translate well to
> seccomp's abilities.

> https://man.openbsd.org/pledge.2

It's certainly better than listing system calls individually, so it would
be useful!

I think whether this or systemd's groupings are more useful depends
somewhat on the use case. At a quick glance, I think I would more often
prefer systemd's approach to OpenBSD's (the groupings seem more useful),
but there are a few places where I could see it going the other way, and
there are places where OpenBSD is usefully more granular.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>