Seccomp Filters Coming to Linux

Discussion in 'all things UNIX' started by Hungry Man, Mar 28, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    http://outflux.net/teach-seccomp/

    Very cool. Using this with AppArmor/SELinux/Chroot will provide an incredibly fine-grained sandbox. Hopefully we start getting profiles for common applications. It looks like applications are compiled with it as well.
     
  2. x942

    x942 Guest

    Right when I started craving more security this happens :thumb: Thanks for the post!
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    http://scarybeastsecurity.blogspot.com/2012/04/vsftpd-300-and-seccomp-filter.html

    This program is now supporting it as well. The developer (smart guy, he's blogged a bit about security in the past) states that it would effectively prevent multiple kernel exploits (he lists a few examples) that have been used previously.

    The seccomp filters really complement LSM. Most sandboxes are bypassed either through a kernel exploit or design flaw and filters really drive up the cost of kernel exploitation.

    In my opinion seccomp is the biggest security improvement since MAC policies through LSM.
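
An added example, not part of the posts above or of the linked pages: a minimal seccomp-BPF allowlist in C, showing how a filter shrinks the set of system calls (and so the kernel code) a compromised process can reach. The three-syscall policy, the x86-64 assumption and the helper `policy_verdict` are constructed for illustration.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

/* One allowlist entry: if the loaded syscall number matches, return ALLOW. */
#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                  BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Constructed policy, x86-64 assumed: any other ABI or syscall is fatal. */
static struct sock_filter policy[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW(SYS_read), ALLOW(SYS_write), ALLOW(SYS_exit_group),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
};
#define POLICY_LEN (sizeof(policy) / sizeof(policy[0]))

/* Hypothetical helper: userspace dry run of the policy (only the opcodes used above). */
uint32_t policy_verdict(uint32_t arch, int nr)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < POLICY_LEN; pc++) {
        const struct sock_filter *i = &policy[pc];
        if (i->code == (BPF_RET | BPF_K)) return i->k;
        if (i->code == (BPF_LD | BPF_W | BPF_ABS))  /* load arch or syscall nr */
            acc = i->k == offsetof(struct seccomp_data, arch) ? arch : (uint32_t)nr;
        else                                        /* JEQ: skip jt or jf instructions */
            pc += (acc == i->k) ? i->jt : i->jf;
    }
    return SECCOMP_RET_KILL;
}

/* Installs the policy in the kernel, then makes an unlisted syscall and is killed. */
int main(void)
{
    struct sock_fprog prog = { .len = (unsigned short)POLICY_LEN, .filter = policy };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return 1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return 1;
    syscall(SYS_write, 1, "write is allowed\n", 17);
    return (int)syscall(SYS_getpid);  /* not allowlisted: terminated with SIGSYS */
}
```

The architecture check comes first because syscall numbers differ between ABIs, so a filter that only compares numbers can be sidestepped through another ABI's entry point.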
     
  4. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    I think Chris Evans is quite senior in Google. ;)
     