[PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
James Morris
jmorris at namei.org
Tue May 17 23:29:36 EST 2011
On Tue, 17 May 2011, Ingo Molnar wrote:
> I'm not sure i get your point.
Your example was not complete as described. After an apparently simple
specification, you've since added several qualifiers and assumptions, and
I still doubt that it's complete.
A higher level goal would look like
"Allow a sandbox app access only to approved resources, to contain the
effects of flaws in the app", or similar.
Note that this includes a threat model (remote attacker taking control of
the app) and a general and fully stated strategy for dealing with it.
From there, you can start to analyze how to implement the goal, at which
point you'd start thinking about configuration, assumptions, filesystem
access, namespaces, indirect access (e.g. via sockets, rpc, ipc, shared
memory, invocation).
Anyway, this is getting off track from the main discussion, but you
asked...
- James
--
James Morris
<jmorris at namei.org>