[PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
James Morris
jmorris at namei.org
Tue May 17 12:24:34 EST 2011
On Mon, 16 May 2011, Ingo Molnar wrote:
> > Not really.
> >
> > Firstly, what is the security goal of these restrictions? [...]
>
> To do what i described above? Namely:
>
> " Sandboxed code should only be allowed to open files in /home/sandbox/, /lib/
> and /usr/lib/ "
These are access rules, they don't really describe a high-level security
goal. How do you know it's ok to open everything in these directories?
- James
--
James Morris
<jmorris at namei.org>