Re: seccomp vs ptrace

On Wed, Mar 18, 2015 at 2:44 PM, Kees Cook wrote: > On Wed, Mar 18, 2015 at 2:42 PM, Andy Lutomirski wrote: >> On Wed, Mar 18, 2015 at 2:38 PM, Kees Cook wrote: >>> On Wed, Mar 18, 2015 at 2:30 PM, Serge E. Hallyn wrote: Hi, I'm writing to ask about The seccomp

Re: seccomp vs ptrace

On Wed, Mar 18, 2015 at 2:42 PM, Andy Lutomirski wrote: > On Wed, Mar 18, 2015 at 2:38 PM, Kees Cook wrote: >> On Wed, Mar 18, 2015 at 2:30 PM, Serge E. Hallyn wrote: >>> Hi, >>> >>> I'm writing to ask about >>> >>> The seccomp check will not be run again after the tracer is >>>

Re: seccomp vs ptrace

On Wed, Mar 18, 2015 at 2:38 PM, Kees Cook wrote: > On Wed, Mar 18, 2015 at 2:30 PM, Serge E. Hallyn wrote: >> Hi, >> >> I'm writing to ask about >> >> The seccomp check will not be run again after the tracer is >> notified. (This means that seccomp-based sandboxes MUST NOT >>

Re: seccomp vs ptrace

On Wed, Mar 18, 2015 at 2:30 PM, Serge E. Hallyn wrote: > Hi, > > I'm writing to ask about > > The seccomp check will not be run again after the tracer is > notified. (This means that seccomp-based sandboxes MUST NOT > allow use of ptrace, even of other sandboxed

Re: seccomp vs ptrace

On Wed, Mar 18, 2015 at 2:30 PM, Serge E. Hallyn wrote: > Hi, > > I'm writing to ask about > > The seccomp check will not be run again after the tracer is > notified. (This means that seccomp-based sandboxes MUST NOT > allow use of ptrace, even of other sandboxed

seccomp vs ptrace

Hi, I'm writing to ask about The seccomp check will not be run again after the tracer is notified. (This means that seccomp-based sandboxes MUST NOT allow use of ptrace, even of other sandboxed processes, without extreme care; ptracers can use this mechanism to

Re: seccomp vs ptrace

On Wed, Mar 18, 2015 at 2:44 PM, Kees Cook keesc...@chromium.org wrote: On Wed, Mar 18, 2015 at 2:42 PM, Andy Lutomirski l...@amacapital.net wrote: On Wed, Mar 18, 2015 at 2:38 PM, Kees Cook keesc...@chromium.org wrote: On Wed, Mar 18, 2015 at 2:30 PM, Serge E. Hallyn se...@hallyn.com wrote:

seccomp vs ptrace

Hi, I'm writing to ask about The seccomp check will not be run again after the tracer is notified. (This means that seccomp-based sandboxes MUST NOT allow use of ptrace, even of other sandboxed processes, without extreme care; ptracers can use this mechanism to

Re: seccomp vs ptrace

On Wed, Mar 18, 2015 at 2:30 PM, Serge E. Hallyn se...@hallyn.com wrote: Hi, I'm writing to ask about The seccomp check will not be run again after the tracer is notified. (This means that seccomp-based sandboxes MUST NOT allow use of ptrace, even of other sandboxed

Re: seccomp vs ptrace

On Wed, Mar 18, 2015 at 2:30 PM, Serge E. Hallyn se...@hallyn.com wrote: Hi, I'm writing to ask about The seccomp check will not be run again after the tracer is notified. (This means that seccomp-based sandboxes MUST NOT allow use of ptrace, even of other sandboxed

Re: seccomp vs ptrace

On Wed, Mar 18, 2015 at 2:38 PM, Kees Cook keesc...@chromium.org wrote: On Wed, Mar 18, 2015 at 2:30 PM, Serge E. Hallyn se...@hallyn.com wrote: Hi, I'm writing to ask about The seccomp check will not be run again after the tracer is notified. (This means that seccomp-based

Re: seccomp vs ptrace

On Wed, Mar 18, 2015 at 2:42 PM, Andy Lutomirski l...@amacapital.net wrote: On Wed, Mar 18, 2015 at 2:38 PM, Kees Cook keesc...@chromium.org wrote: On Wed, Mar 18, 2015 at 2:30 PM, Serge E. Hallyn se...@hallyn.com wrote: Hi, I'm writing to ask about The seccomp check will not be run