Hello, I've added libseccomp into packages. That library allows programs to easily restrict the system calls they are allowed to use. In turn that uses the kernel's seccomp filter. That's one of the most reliable ways to restrict/sandbox processes into specific tasks which cannot be overridden even in the event of code injection.
I've also enabled the ocserv package to use seccomp if configured to, but in order for that protection to become meaningful for other programs to use as well, it would also need the default kernel option to enable seccomp filter.

regards,
Nikos
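An added example, not part of the original message and not code from libseccomp or ocserv: it probes whether the running kernel was built with seccomp filter support (CONFIG_SECCOMP_FILTER) and, in a child process, installs a small filter through the raw prctl(2) interface that libseccomp wraps. The function names and the demo policy (deny uname(2) with EPERM) are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* 1 if the kernel offers seccomp filter mode. The NULL filter is never
 * installed: EFAULT means the mode exists, EINVAL that it was compiled out. */
int seccomp_filter_supported(void) {
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0) == -1 &&
           errno == EFAULT;
}

/* Constructed demo policy: uname(2) fails with EPERM, everything else runs.
 * A real policy is an allow-list that also checks seccomp_data.arch. */
static int install_demo_filter(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_uname, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = (unsigned short)(sizeof(prog) / sizeof(prog[0])),
                                .filter = prog };
    /* no_new_privs lets an unprivileged process install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog, 0, 0);
}

/* Apply the filter in a child so the caller stays unrestricted. Returns 0 if
 * uname() was denied, 1 if it still worked, 2 if install failed, -1 on error. */
int filtered_child_result(void) {
    int status;
    struct utsname u;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        if (install_demo_filter() == -1) _exit(2);
        _exit(uname(&u) == -1 && errno == EPERM ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("filter mode supported: %d\n", seccomp_filter_supported());
    printf("filtered child result: %d\n", filtered_child_result());
    return 0;
}
```

On a kernel built without the option, the probe returns 0 and the child reports 2, which is the situation in which a program's seccomp setting gives no protection.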
