On 11/21/2011 10:00 AM, Juan Quintela wrote:
Hi
Please send in any agenda items you are interested in covering.
I'm technical on holiday this week so I won't be attending.
But as an FYI, I ran across seccomp-nurse[1] this weekend. It more or less
let's you write a python program to implement a userspace syscall whitelist.
I haven't looked at the code close enough yet, but I think the technique it uses
is to create a companion thread along side the sandbox thread. This thread only
runs code in an area mapped read-only and presumably only uses thread local storage.
The companion thread isn't running in the sandbox, but has the same resources as
the sandbox thread so it can essentially invoke syscalls on behalf of the
sandbox thread.
It's seriously non-portable. In fact, it only works on 32-bit x86 Linux right
now. But it's worth looking into.
[1] http://chdir.org/~nico/seccomp-nurse/
Regards,
Anthony Liguori
Later, Juan.
