On Tue, Jan 19, 2016, at 11:08 AM, Andrew Lutomirski wrote:
> On Jan 19, 2016 7:41 AM, "Colin Walters" walters@verbum.org wrote:
>> On Tue, Jan 19, 2016, at 04:16 AM, Nikos Mavrogiannopoulos wrote:
>>> The issue is that blacklists are terrible from a security standpoint.
>>> That means that every new obscure system call added to the kernel will
>>> be available by default in your program.
>
> One of these days I need to tidy up Sandstorm's seccomp policy and factor it into its own library. It's made a good showing for itself over the last year or so, and it's highly compatible.

Yes, https://git.gnome.org/browse/linux-user-chroot/commit/?id=8cee4ab7345f126d1d...