On Sat, 14 Feb 2015, Nikos Mavrogiannopoulos wrote:
Hello,
I've added libseccomp into packages. That library allows
programs to easily restrict the system calls they are allowed to use.
In turn that uses the kernel's seccomp filter. That's one of the most
reliable ways to restrict/sandbox processes into specific tasks which
cannot be overriden even in the event of code injection.
I've also enabled the ocserv package to use seccomp if configured to,
but in order for that protection to become meaningful for other
programs to use as well, it would also need the default kernel option to
enable seccomp filter.
It needs the kernel support to use the seccomp filter, but why is this so
critical that it must be enabled by default?
David Lang
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
