> Hi Simon,
> As part of my Google summer internship project I have implemented a sandbox
> for dnsmasq, based on Linux seccomp-bpf and mount namespace, with tests and
> documentation.
> Such a sandbox provides defense in depth to dnsmasq, by restricting what files
> it can access and which syscalls it can make, in case remote code execution
> vulnerabilities are discovered in dnsmasq.
> Would you be interested in reviewing my patches and maybe integrating them into
> dnsmasq?
> Please find attached my patch against master head, but let me know if there
> is another way for us to review and discuss the change.

The project is interesting. May I suggest looking into privilege
separation such as what OpenBSD has been doing before applying the
sandbox?


Also, maybe look at unbound, which has a privilege separation design as well.

Have a look at OpenBSD's imsg framework which is light and easy to port:



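The seccomp-bpf half of the sandbox described in the quoted message, as an added example that is not part of dnsmasq or of the submitted patch. It builds a syscall allowlist filter (wrong architecture or unlisted syscall kills the process), evaluates it in a dry run before anything is installed, and only then applies it with PR_SET_NO_NEW_PRIVS, which is required to load a filter without CAP_SYS_ADMIN. The syscall list, the function names (build_allowlist, dry_run, install_allowlist) and the instruction cap are assumptions made here for illustration; dnsmasq's real list lives in the patch and is not reproduced. The mount-namespace part of the sandbox is not covered.

```c
/* Added example, not dnsmasq code: a seccomp-bpf syscall allowlist with a
 * dry-run evaluator, for Linux on x86_64 or aarch64. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS          /* pre-4.14 headers */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define MAX_INSNS 64                      /* assumed cap for this example */

/* Emit: load arch; kill unless it matches; load nr; one JEQ per allowed
 * syscall jumping to ALLOW; default KILL_PROCESS. Returns the instruction
 * count, or 0 if the list does not fit (jump offsets are 8-bit). */
size_t build_allowlist(const int *allowed, size_t n,
                       struct sock_filter *prog, size_t cap)
{
    size_t i = 0;
    if (n > 255 || cap < n + 6)
        return 0;
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                             SANDBOX_ARCH, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++)        /* jt = distance to the ALLOW insn */
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                 (uint32_t)allowed[k],
                                                 (uint8_t)(n - k), 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Interpret the three instruction forms build_allowlist emits exactly as the
 * kernel would, so a filter can be checked before it is installed. Returns
 * the SECCOMP_RET_* action; anything unexpected counts as a kill. */
uint32_t dry_run(const struct sock_filter *prog, size_t len,
                 uint32_t arch, uint32_t nr)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k == offsetof(struct seccomp_data, arch))    acc = arch;
            else if (in->k == offsetof(struct seccomp_data, nr)) acc = nr;
            else return SECCOMP_RET_KILL_PROCESS;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;      /* kernel refuses programs that fall off the end */
}

/* Apply the filter to the calling process. No-new-privs first: without it a
 * non-root process cannot load a filter, and it also stops the filter from
 * confusing a later setuid exec. Irreversible once it succeeds. */
int install_allowlist(const struct sock_filter *prog, size_t len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len,
                                .filter = (struct sock_filter *)prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Assumed post-initialisation list for a UDP/TCP DNS server: sockets
     * already exist and the config is already read, so socket(2) and
     * open(2) are deliberately absent. Illustrative only. */
    const int allowed[] = { __NR_read, __NR_write, __NR_recvfrom, __NR_sendto,
                            __NR_recvmsg, __NR_sendmsg, __NR_ppoll, __NR_close,
                            __NR_rt_sigreturn, __NR_exit_group };
    struct sock_filter prog[MAX_INSNS];
    size_t len = build_allowlist(allowed, sizeof allowed / sizeof allowed[0],
                                 prog, MAX_INSNS);
    if (len == 0 ||
        dry_run(prog, len, SANDBOX_ARCH, __NR_read) != SECCOMP_RET_ALLOW ||
        dry_run(prog, len, SANDBOX_ARCH, __NR_execve) != SECCOMP_RET_KILL_PROCESS)
        return 1;                         /* refuse to install a filter that fails its own check */
    if (install_allowlist(prog, len) != 0)
        return 1;
    printf("filter installed: %zu instructions\n", len);  /* write(2) is allowed */
    return 0;                             /* exit_group(2) is allowed */
}
```

The filter is installed last, after all setup, because everything a DNS server does at startup (opening its config, binding sockets, dropping root) needs syscalls that the steady-state list omits; that ordering is also where the privilege-separation suggestion in the reply fits, since a separate privileged process can keep doing those things on the sandboxed process's behalf.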