Seccomp Filters Coming to Linux

Discussion in 'all things UNIX' started by Hungry Man, Mar 28, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man
    Hungry Man Registered Member

    http://outflux.net/teach-seccomp/

    Very cool. Using this with AppArmor/SELinux/Chroot will provide an incredibly fine-grained sandbox. Hopefully we start getting profiles for common applications. It looks like applications are compiled with it as well.
  2. x942
    x942 Registered Member

    Right when I started craving more security this happens :thumb: Thanks for the post!
  3. Hungry Man
    Hungry Man Registered Member

    http://scarybeastsecurity.blogspot.com/2012/04/vsftpd-300-and-seccomp-filter.html

    This program is now supporting it as well. The developer (smart guy, he's blogged a bit about security in the past) states that it would effectively prevent multiple kernel exploits (he lists a few examples) that have been used previously.

    The seccomp filters really complement LSM. Most sandboxes are bypassed either through a kernel exploit or a design flaw, and filters really drive up the cost of kernel exploitation.

    In my opinion seccomp is the biggest security improvement since MAC policies through LSM.
  4. vasa1
    vasa1 Registered Member

    I think Chris Evans is quite senior in Google. ;)