On 03/17/2015 05:37 PM, Benjamin Barenblat wrote:
> Should we be thinking about seccomp for the binaries 'urweb' makes?
>
> Seccomp is a Linux capabilities system that lets an application define
> and institute a policy for allowed system calls.  This is normally used
> to allow applications to JIT and execute untrusted code (most notably in
> Google Chrome), but it could also be a powerful tool to help mitigate
> exploits against Ur/Web CGI and FastCGI binaries.

It could be worth adding, as either an opt-in feature or one that turns on by default when the build process sees Linux.

Most real Ur/Web deployments so far use the C FFI to make system calls that "pure" Ur/Web apps never could, so it would be important to make the policy configurable, which probably requires some extensions to, e.g., the .urp project-file format. It could be worth doing, but it's not obvious that it's worth the effort.

How would you see the Ur/Web programmer experience changing to facilitate Seccomp usage?

_______________________________________________
Ur mailing list
[email protected]
http://www.impredicative.com/cgi-bin/mailman/listinfo/ur
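As an added example (not code from this thread or from the Ur/Web project), the kind of seccomp-BPF syscall allowlist a CGI binary could install at startup, with the allowed set passed in as data so a project file could supply it. It assumes x86-64 Linux, and the syscall set in main is a hypothetical placeholder, not a vetted policy.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define STMT(c, k)     (struct sock_filter)BPF_STMT(c, k)
#define JEQ(k, jt, jf) (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, k, jt, jf)

/* Build a filter allowing exactly the syscall numbers in `allowed` (x86-64 ABI only).
 * Anything else fails with EPERM instead of killing the process, so a denied FFI call
 * shows up as an ordinary error the program can report. Returns the instruction
 * count, or 0 if `cap` is too small or n exceeds the 255-instruction BPF jump range. */
size_t build_syscall_allowlist(const int *allowed, size_t n,
                               struct sock_filter *prog, size_t cap)
{
    size_t i;
    if (n > 255 || cap < n + 6)
        return 0;
    prog[0] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[1] = JEQ(AUDIT_ARCH_X86_64, 1, 0);           /* foreign ABI -> kill */
    prog[2] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[3] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++)                            /* hit -> jump to ALLOW */
        prog[4 + i] = JEQ((unsigned int)allowed[i], (unsigned char)(n - i), 0);
    prog[4 + n] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    prog[5 + n] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n + 6;
}

/* Lock the filter in; NO_NEW_PRIVS is required for an unprivileged process. */
int install_syscall_allowlist(struct sock_filter *prog, size_t len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{   /* Hypothetical minimal set for a CGI program that only talks over stdin/stdout. */
    const int allowed[] = { SYS_read, SYS_write, SYS_fstat, SYS_brk, SYS_mmap,
                            SYS_munmap, SYS_exit_group, SYS_rt_sigreturn };
    struct sock_filter prog[64];
    size_t len = build_syscall_allowlist(allowed, 8, prog, 64);
    if (len == 0 || install_syscall_allowlist(prog, len) != 0)
        return 1;
    long r = syscall(SYS_socket, 2, 1, 0);            /* not on the list -> EPERM */
    const char *msg = (r == -1 && errno == EPERM) ? "socket denied\n" : "unexpected\n";
    write(1, msg, strlen(msg));
    return 0;
}
```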
