[OpenWrt-Devel] enabling seccomp by default in kernel

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Feb 14 07:49:03 EST 2015

 I've added libseccomp into packages. That library allows
programs to easily restrict the system calls they are allowed to use.
In turn that uses the kernel's seccomp filter. That's one of the most
reliable ways to restrict/sandbox processes into specific tasks which
cannot be overriden even in the event of code injection.

I've also enabled the ocserv package to use seccomp if configured to,
but in order for that protection to become meaningful for other
programs to use as well, it would also need the default kernel option to
enable seccomp filter.

openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list