[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Sandboxing at runtime
|
From: |
Gary E. Miller |
|
Subject: |
Re: Sandboxing at runtime |
|
Date: |
Tue, 21 Jul 2020 23:38:46 -0700 |
Yo Sanjeev!
On Wed, 22 Jul 2020 12:20:44 +0800
Sanjeev Gupta <ghane0@gmail.com> wrote:
> (I am cc:ing both lists, as I think the groups overlap, and both have
> the seame concerns)
>
> https://blog.cloudflare.com/sandboxing-in-linux-with-zero-lines-of-code/
>
> A choice of either a dynamic library (with LD_PRELOAD) or running it
> under a "sandboxify" application.
Just the start of the pain.
> If nothing else, this may simplify finding out the syscalls that are
> in use.
Sort of. As experience with NTPsec has shown, the syscals in use
vary wildly by library versions. They change with no notice. Plus
finding the rarely used ones is time consuming.
> If there is interest, I could iterate (eg) gpsmon or ntpq,to
> estimate the smallest number of syscalls required.
ntpq is python, so now you have to identify all the possible syscalls
in a large number of python versions, over a large number of system
libraries and operating systems.
> I am not sure how portable this will be, as we support multiple OS
> kernels.
A very large undertaking that will never end. Be sure you have a lot
of spare time over the next few years for this task.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem@rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can't measure it, you can't improve it." - Lord Kelvin
pgpsOW5IRPo2h.pgp
Description: OpenPGP digital signature