On Jan 19, 2016 7:41 AM, "Colin Walters" <walt...@verbum.org> wrote: > > > > On Tue, Jan 19, 2016, at 04:16 AM, Nikos Mavrogiannopoulos wrote: > > > The issue is that blacklists are terrible from a security standpoint. > > That means that every new obscure system call added to the kernel will > > be available by default in your program. > > https://github.com/seccomp/libseccomp/issues/11
One of these days I need to tidy up Sandstorm's seccomp policy and factor it into its own library. It's made a good showing for itself over the last year or so, and it's highly compatible. --Andy
-- devel mailing list devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
