Vincas Dargis <vin...@gmail.com> writes:

> Since mentioned, I would like these daemons to implement seccomp
> filtering themselves, meaning within the application itself, using
> libseccomp. They can fine-grain which syscalls each thread can make.
Yes, this is potentially even better. But there are cases where we can apply filters that upstream may not be able to assume for various reasons, and a lot of upstreams won't be willing to take Linux-specific code inside the daemon itself. But this would be fantastic for things like ImageMagick, which are otherwise a notorious source of RCEs.

Does libseccomp now have maintained system call classes similar to systemd's? If we could build a tool that could apply namespace and filter rules using system call classes like that, it would make it easy to support similar hardening in sysvinit as well. Last time I looked at the various stand-alone jailing utilities like firejail, they seemed to be missing the nice system call groupings that let you not have to know exactly what system calls result from standard IO operations, but hopefully someone has since tackled this.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
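As an added example, not code from either poster, here is the per-thread, in-process filtering and the "system call class" idea from the exchange above, written against the raw seccomp BPF interface so that it needs no libseccomp. The `net_class` grouping and the function names are constructed for illustration, and the block assumes Linux on x86_64 or aarch64.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Hypothetical "network" class: one group name instead of six raw numbers,
 * in the spirit of the systemd groupings mentioned above. */
static const int net_class[] = { __NR_socket, __NR_socketpair, __NR_bind,
                                 __NR_listen, __NR_connect, __NR_accept4 };
#define MAX_CLASS 32

/* Deny every syscall in nrs[] with errno err; allow everything else.
 * prctl() binds the filter to the calling thread (and threads it creates
 * later), which is the per-thread granularity the thread talks about. */
int deny_syscall_class(const int *nrs, size_t n, int err) {
    struct sock_filter insns[MAX_CLASS + 6];
    size_t i, k = 0;
    if (n > MAX_CLASS) return -1;
    /* Fail closed if the caller runs under a foreign ABI (numbers differ). */
    insns[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    insns[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0);
    insns[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    insns[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    /* One JEQ per class member; a hit skips the remaining tests and the ALLOW. */
    for (i = 0; i < n; i++)
        insns[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nrs[i], (unsigned char)(n - i), 0);
    insns[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    insns[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (err & SECCOMP_RET_DATA));
    struct sock_fprog prog = { .len = (unsigned short)k, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;   /* required for unprivileged filters */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Returns 0 if a socket could be created, otherwise the errno that came back. */
int probe_socket(void) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd >= 0) { close(fd); return 0; }
    return errno;
}

int main(void) {
    if (deny_syscall_class(net_class, sizeof net_class / sizeof net_class[0], EACCES)) { perror("seccomp"); return 1; }
    printf("socket() after filter: errno %d (EACCES is %d)\n", probe_socket(), EACCES);
    return 0;
}
```

With libseccomp the same policy is `seccomp_init(SCMP_ACT_ALLOW)` followed by one `seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(socket), 0)` per member and `seccomp_load(ctx)`, which also resolves the architecture-specific numbers for you.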