Je me souviens
Everything here is my opinion. I do not speak for your employer.
July 2015
August 2015

2015-07-19 »

I thought this was interesting:

It doesn't seem to really do anything seccomp() ( can't do.  But it has the advantage that it's comprehensible by normal mortals, and you can just throw a couple of lines into your program to make it "less exploitable."

What I'm not sure about is whether "less exploitable" is realistically better than "not exploitable on this scale."  It reminds me of the note in djb's doc about qmail security history ( where he said that separating programs into multiple user accounts had precisely zero impact on qmail security in the end.

In the real world, people could use this tame() system call to make things better in small tools, but the small tools won't be running in a sandbox as tight as, say, Chrome's sandbox, and programs still manage escape from Chrome's sandbox frighteningly often.  On the other hand, non-sandboxed programs do much, much, much worse.

Not sure how to feel about it.

I'm CEO at Tailscale, where we make network problems disappear.

Why would you follow me on twitter? Use RSS.

apenwarr on