A seccomp overview (lwn.net)
9 points by vezzy-fnord on Sept 14, 2015 | hide | past | favorite | 3 comments



seccomp is a really exciting feature that I haven't seen talked about too often.

It actually played a fairly large role in CTFs this year, being used by LegitBS in the DEFCON Finals. Since we didn't have access to a lot of the syscalls we'd need to achieve persistence, we (and a lot of other teams), had to focus on actually solving the problems, instead of on sidestepping them with cheap tactics.


> There are now a number of tools that are using seccomp filters, including the Chrome/Chromium browser, OpenSSH, vsftpd, and Firefox OS.

Does Chrome seccomp itself at all, or just 3rd party helpers/plugins?

What about other popular services like http (apache/nginx), SQL (postgres/mysql), DNS -- do they plan to add seccomp support?


For postgresql it seems hard to do so in a generic fashion. There's a great emphasis on being able to extend postgres and that extension code will do stuff we don't allow. Only superusers are allowed to configure/load such extensions for obvious reasons.

There are so called 'trusted' languages which means they execute code in a sandboxed manner. But they're mostly executed in the same process context as the normal backend, so it'll be hard to effectively use seccomp afaics.



