On Tue, Feb 25, 2020, 7:37 AM Richard Laager via devel <devel@ntpsec.org> wrote:
> On 2/24/20 11:02 PM, Hal Murray via devel wrote:
> > I'm looking at strace output. There are a few calls used only once or
> > twice.
> >
> > It seems obvious that we should drop root as early as possible. But it's
> > not obvious that we should enable seccomp early.
> >
> > If we turn on seccomp early, then we have to allow all the syscalls used
> > during initialization so a bad guy could use them too.
> >
> > So what are we worried about? What is seccomp trying to protect against?
> > Bugs in our initialization code before we start exchanging packets, or
> > bugs in the mainline code after initialization when the bad guys get to
> > send us packets?
>
> I'd say the latter.

Is there anything preventing the possibility of an early, looser seccomp
setup and then tightening it later, possibly with a knob to generate terse
or verbose warnings instead of dying?
_______________________________________________ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel
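The two-stage scheme asked about above, as an added example (not ntpsec code, and not what the project ended up doing): a permissive denylist filter is installed during initialization, a tighter one once the daemon is ready to take packets, and a knob decides whether a late violation kills the process, is only audit-logged (SECCOMP_RET_LOG, Linux 4.14+), or fails with EPERM. The syscall lists are constructed for the demonstration and are much smaller than a real allowlist would be; the probe forks a child so the filters never touch the caller. Linux only, x86_64 or aarch64.

```c
/* Two-stage seccomp-BPF filtering with a kill / warn / refuse knob.
 * Added example, not ntpsec code.  Linux only, x86_64 or aarch64. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS /* headers older than Linux 4.14 */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif
#ifndef SECCOMP_RET_LOG
#define SECCOMP_RET_LOG 0x7ffc0000U
#endif

/* The knob: what a violation of the later, tighter stage does. */
enum violation_mode { MODE_KILL, MODE_WARN, MODE_REFUSE };

static __u32 action_for(enum violation_mode m) {
    switch (m) {
    case MODE_WARN:   return SECCOMP_RET_LOG;           /* allow it, but audit-log it */
    case MODE_REFUSE: return SECCOMP_RET_ERRNO | EPERM; /* fail the call, keep running */
    default:          return SECCOMP_RET_KILL_PROCESS;  /* die */
    }
}

/* Install a denylist filter: the listed syscall numbers get `action`,
 * everything else is allowed.  Filters stack, so a later call can only take
 * syscalls away; it can never give one back. */
static int install_denylist(const int *nrs, size_t n, __u32 action) {
    struct sock_filter prog[4 + 2 * n + 1]; /* header + 2 per syscall + trailer */
    size_t i = 0;
    /* Kill any call made through a foreign ABI (e.g. 32-bit compat on x86_64). */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) {
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (__u32)nrs[k], 0, 1);
        prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, action);
    }
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    struct sock_fprog fprog = { .len = (unsigned short)i, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Stage 1, during initialization: forbid only what init never needs.  Constructed list. */
static const int init_denied[] = { SYS_ptrace, SYS_execve };
/* Stage 2, once sockets are bound and packets flow: also forbid new sockets.  Constructed list. */
static const int runtime_denied[] = { SYS_socket, SYS_ptrace, SYS_execve };

/* Fork a child, apply the requested stages, then try to create a socket.
 * Returns 0 if socket() succeeded, the errno it failed with, or -1 if the
 * kernel killed the child with SIGSYS. */
int probe(int apply_stage2, enum violation_mode mode, int try_relax_after) {
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        if (install_denylist(init_denied, 2, SECCOMP_RET_KILL_PROCESS) != 0) _exit(125);
        if (apply_stage2 && install_denylist(runtime_denied, 3, action_for(mode)) != 0) _exit(125);
        /* A permissive filter added afterwards cannot undo the earlier denial. */
        if (try_relax_after && install_denylist(NULL, 0, SECCOMP_RET_ALLOW) != 0) _exit(125);
        long fd = syscall(SYS_socket, AF_UNIX, SOCK_STREAM, 0);
        _exit(fd >= 0 ? 0 : errno);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return -2;
    if (WIFSIGNALED(status)) return WTERMSIG(status) == SIGSYS ? -1 : -3;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("init stage only:        %d\n", probe(0, MODE_KILL, 0));   /* 0: socket() works */
    printf("runtime stage, kill:    %d\n", probe(1, MODE_KILL, 0));   /* -1: SIGSYS */
    printf("runtime stage, warn:    %d\n", probe(1, MODE_WARN, 0));   /* 0: allowed, logged */
    printf("runtime stage, refuse:  %d\n", probe(1, MODE_REFUSE, 0)); /* 1: EPERM */
    printf("runtime then relax:     %d\n", probe(1, MODE_KILL, 1));   /* -1: still SIGSYS */
    return 0;
}
```

The last probe is the caveat worth remembering when designing a loose-then-tight setup: the kernel evaluates every installed filter and applies the most restrictive verdict, so tightening later works but loosening later does not, and anything the initialization stage needs must stay allowed until the second filter is installed. MODE_WARN gives the "warnings instead of dying" behaviour by letting the call through and recording it in the audit log; MODE_REFUSE is the middle ground where the call fails visibly but the daemon survives.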