On Mon, 4 May 2015, Todd C. Miller wrote:
> On Sun, 03 May 2015 20:44:25 -, Loganaden Velvindron wrote:
>
> > OpenBSD already has systrace.
>
> Last I checked, systrace doesn't work well with multi-threaded
> programs and was trivial to bypass. The basic design where you
> have a userland m

On Mon, 4 May 2015, Theo de Raadt wrote:
> >Personally, I think seccomp-bpf could be a superior alternative to
> >systrace and I'd love to see an implementation. Other developers (inc.
> >Theo) are skeptical though, but this is probably a case where the
> >argument won't be settled without a concr

On Mon May 04, Damien Miller wrote:
> Personally, I think seccomp-bpf could be a superior alternative to
> systrace and I'd love to see an implementation. Other developers (inc.
> Theo) are skeptical though, but this is probably a case where the
> argument won't be settled without a concrete implem

On Sun, 03 May 2015 20:44:25 -, Loganaden Velvindron wrote:
> OpenBSD already has systrace.
Last I checked, systrace doesn't work well with multi-threaded
programs and was trivial to bypass. The basic design where you
have a userland monitor process is flawed. Something where a policy
is pu

On Mon, 04 May 2015 02:38:58 -0600, Theo de Raadt wrote:
> Those policies will be wide open, or too strict. If we adopt this
> into our world, the next step after that is going to be wide use of
> #ifdef within bpf rulesets.
I don't see how that follows. Security policies are going to be
highly

>> I am wondering if the seccomp system call [1] would be welcomed
>> in the OpenBSD tree. I remember it was among the subjects of last
>> year's Google Summer of Code. If there is still interest in having
>> it implemented, I am willing to work on it: I have a diff th

On Sun, 3 May 2015, Nicolas Bedos wrote:
> I am wondering if the seccomp system call [1] would be welcomed
> in the OpenBSD tree. I remember it was among the subjects of last
> year's Google Summer of Code. If there is still interest in having
> it implemented, I am willing to w

On Sun, May 3, 2015 at 8:18 PM, Nicolas Bedos wrote:
> I am wondering if the seccomp system call [1] would be welcomed in the
> OpenBSD tree. I remember it was among the subjects of last year's Google
> Summer of Code. If there is still interest in having it implemented, I
> am w

I am wondering if the seccomp system call [1] would be welcomed in the
OpenBSD tree. I remember it was among the subjects of last year's Google
Summer of Code. If there is still interest in having it implemented, I
am willing to work on it: I have a diff that creates the system call and
a