[OpenWrt-Devel] enabling seccomp by default in kernel

John Crispin blogic at openwrt.org
Sat Feb 14 18:39:08 EST 2015



On 15/02/2015 00:31, David Lang wrote:
> On Sat, 14 Feb 2015, Nikos Mavrogiannopoulos wrote:
> 
>> Hello, I've added libseccomp into packages. That library allows 
>> programs to easily restrict the system calls they are allowed to
>> use. In turn that uses the kernel's seccomp filter. That's one of
>> the most reliable ways to restrict/sandbox processes into
>> specific tasks which cannot be overridden even in the event of
>> code injection.
>> 
>> I've also enabled the ocserv package to use seccomp if configured
>> to, but in order for that protection to become meaningful for
>> other programs to use as well, it would also need the default
>> kernel option to enable seccomp filter.
> 
> It needs the kernel support to use the seccomp filter, but why is
> this so critical that it must be enabled by default?
> 
> David Lang


The snapshots will now have libseccomp but the kernels built won't have
the feature enabled. This means the lib is useless without building
your own kernel. I guess Nikos is trying to solve this problem.

	John

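As an added illustration of the kernel feature the thread is asking to have enabled (example code written here, not from OpenWrt, libseccomp or ocserv): a raw seccomp-BPF filter installed through prctl(), which is the mechanism libseccomp wraps. It assumes a Linux kernel built with CONFIG_SECCOMP_FILTER and an x86-64, AArch64 or 32-bit ARM target; the allow-list of `write` and `exit_group` is chosen for the demo and the probe function reports whether the running kernel has filter mode at all.

```c
/* Added example: minimal seccomp-BPF allow-list via prctl(), not project code. */
#include <stdio.h>
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__arm__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
#else
#error "add the AUDIT_ARCH_* value for this target (assumption: one of the above)"
#endif
/* If the syscall number equals nr, allow it; otherwise fall through to the next test. */
#define ALLOW_SYSCALL(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
static struct sock_filter filter[] = {
    /* Kill if the syscall comes from another ABI (e.g. 32-bit compat), before trusting the number. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW_SYSCALL(__NR_write),
    ALLOW_SYSCALL(__NR_exit_group),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* anything else: kill, injected code included */
};
size_t filter_len(void) { return sizeof(filter) / sizeof(filter[0]); }
/* Probe: with a NULL filter the kernel answers EFAULT when filter mode exists,
 * EINVAL when CONFIG_SECCOMP_FILTER is compiled out (the OpenWrt default discussed above). */
int seccomp_filter_supported(void) {
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL) == -1 && errno == EFAULT;
}
int install_filter(void) {
    struct sock_fprog prog = { .len = (unsigned short)filter_len(), .filter = filter };
    /* Required for an unprivileged process; also stops setuid execs from regaining privileges. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
int main(void) {
    if (!seccomp_filter_supported()) { fputs("kernel lacks seccomp filter mode\n", stderr); return 1; }
    if (install_filter() != 0) { perror("PR_SET_SECCOMP"); return 1; }
    write(1, "sandboxed\n", 10); /* on the allow-list */
    getpid();                    /* not on the list: the kernel kills the process with SIGSYS */
    return 0;
}
```

On a kernel without the option the program exits with the probe message, which is exactly the situation the snapshot kernels are in; with it, the final getpid() call is refused.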
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel


