[OpenWrt-Devel] enabling seccomp by default in kernel
david at lang.hm
Sat Feb 14 18:31:58 EST 2015
On Sat, 14 Feb 2015, Nikos Mavrogiannopoulos wrote:
> I've added libseccomp into packages. That library allows
> programs to easily restrict the system calls they are allowed to use.
> In turn that uses the kernel's seccomp filter. That's one of the most
> reliable ways to restrict/sandbox processes into specific tasks which
> cannot be overridden even in the event of code injection.
> I've also enabled the ocserv package to use seccomp if configured to,
> but in order for that protection to become meaningful for other
> programs to use as well, it would also need the default kernel option to
> enable seccomp filter.
It needs the kernel support to use the seccomp filter, but why is this so
critical that it must be enabled by default?
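The kernel dependency discussed in this thread can be checked at run time. The following is an added example, not code from the post, libseccomp or ocserv: a program probes whether the running kernel was built with seccomp and with the seccomp filter before relying on it. The names `classify_seccomp` and `probe_seccomp` are hypothetical; the probe passes a null filter pointer, so no filter is ever installed.

```c
/* Added example: run-time probe for kernel seccomp support (Linux only). */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>

/* Fallbacks for old userspace headers (values from linux/prctl.h, linux/seccomp.h). */
#ifndef PR_GET_SECCOMP
#define PR_GET_SECCOMP 21
#endif
#ifndef PR_SET_SECCOMP
#define PR_SET_SECCOMP 22
#endif
#ifndef SECCOMP_MODE_FILTER
#define SECCOMP_MODE_FILTER 2
#endif

enum seccomp_support { SECCOMP_NONE, SECCOMP_STRICT_ONLY, SECCOMP_FILTER_OK };

/* Pure classification of the two prctl() results, kept separate so it can be tested. */
enum seccomp_support classify_seccomp(int get_ret, int set_ret, int set_errno)
{
    if (get_ret < 0)
        return SECCOMP_NONE;          /* kernel built without CONFIG_SECCOMP */
    if (set_ret == -1 && set_errno == EFAULT)
        return SECCOMP_FILTER_OK;     /* filter mode exists; only the null pointer was rejected */
    return SECCOMP_STRICT_ONLY;       /* EINVAL: no CONFIG_SECCOMP_FILTER */
}

/* Ask the running kernel. The null filter pointer can never be accepted. */
enum seccomp_support probe_seccomp(void)
{
    int get_ret = prctl(PR_GET_SECCOMP, 0UL, 0UL, 0UL, 0UL);
    errno = 0;
    int set_ret = prctl(PR_SET_SECCOMP, (unsigned long)SECCOMP_MODE_FILTER, 0UL, 0UL, 0UL);
    return classify_seccomp(get_ret, set_ret, errno);
}

int main(void)
{
    static const char *const names[] = {
        "no seccomp support: the sandbox cannot be enabled",
        "seccomp strict mode only: syscall filters are unavailable",
        "seccomp filter supported"
    };
    puts(names[probe_seccomp()]);
    return 0;
}
```

On a kernel without the filter option, a program configured to sandbox itself has to either refuse to start or run unconfined, and this probe lets it report which of the two happened.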