BIND 9.10.1 beta with seccomp functionality

Tomasz Torcz tomek at pipebreaker.pl
Tue Aug 19 15:20:28 UTC 2014


On Tue, Aug 19, 2014 at 10:12:31AM -0500, Chris Adams wrote:
> Once upon a time, Tomas Hozza <thozza at redhat.com> said:
> > That's where seccomp kicks in, it acts as a 2nd wall of defence. In case
> > of a security hole being present in the server process, it goes further
> > than a chroot, it prevents the attacker from making socket connections
> > or executing his code, as his "playing field" is significantly reduced.
> > There's very little he can do.”
> 
> How is that different from an SELinux policy?  How is the additional
> restriction handled (if it isn't SELinux, what mechanism is used to do
> the restriction)?

  The mechanism is called "seccomp" – http://en.wikipedia.org/wiki/Seccomp

-- 
Tomasz Torcz                "Funeral in the morning, IDE hacking
xmpp: zdzichubg at chrome.pl    in the afternoon and evening." - Alan Cox


