Should we be thinking about seccomp for the binaries 'urweb' makes?

Seccomp is a Linux capabilities system that lets an application define and institute a policy for allowed system calls. This is normally used to allow applications to JIT and execute untrusted code (most notably in Google Chrome), but it could also be a powerful tool to help mitigate exploits against Ur/Web CGI and FastCGI binaries.

Obviously, this would do nothing for OS X users, but OS X servers are sufficiently rare (and Linux-based servers are sufficiently common) that this could still be a net win.

What do you think – might modifying 'urweb'’s code generator to add seccomp to the binaries it produces be a good idea?

—Benjamin

_______________________________________________
Ur mailing list
[email protected]
http://www.impredicative.com/cgi-bin/mailman/listinfo/ur
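To make the proposal above concrete, here is an added example (not code from the post or from Ur/Web) of the kind of seccomp-BPF allowlist a generated binary could install before handling requests. The syscall list is constructed for illustration, the names `cgi_filter`, `ALLOW`, `NATIVE_ARCH` and `seccomp_demo` are hypothetical, and it assumes Linux on x86_64 or aarch64.

```c
#include <errno.h>
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#define NATIVE_ARCH AUDIT_ARCH_X86_64   /* assumption: x86_64 otherwise */
#endif

/* Allow one syscall number; on mismatch skip to the next check. */
#define ALLOW(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Constructed allowlist for a hypothetical request handler, not Ur/Web's real set. */
static struct sock_filter cgi_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),   /* foreign syscall ABI */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW(__NR_read), ALLOW(__NR_write), ALLOW(__NR_close), ALLOW(__NR_brk),
    ALLOW(__NR_mmap), ALLOW(__NR_munmap), ALLOW(__NR_exit), ALLOW(__NR_exit_group),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
};

/* 1: filter denied socket(); 0: socket() got through; -1: seccomp unavailable. */
int seccomp_demo(void) {
    pid_t pid = fork();              /* confine a child so the caller stays unfiltered */
    if (pid < 0) return -1;
    if (pid == 0) {
        struct sock_fprog prog = { .len = (unsigned short)(sizeof cgi_filter / sizeof cgi_filter[0]), .filter = cgi_filter };
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) _exit(2);
        int fd = socket(AF_INET, SOCK_STREAM, 0);   /* not on the allowlist */
        _exit(fd < 0 && errno == EPERM ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int main(void) { return seccomp_demo() == 1 ? 0 : 1; }
```

A usable policy would have to cover every syscall the generated binary and the libraries it links actually make, which is why the list here is only a placeholder.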
