BIND 9.10.1 beta with seccomp functionality

Daniel J Walsh dwalsh at redhat.com
Tue Aug 19 20:59:10 UTC 2014


On 08/19/2014 11:20 AM, Tomasz Torcz wrote:
> On Tue, Aug 19, 2014 at 10:12:31AM -0500, Chris Adams wrote:
>> Once upon a time, Tomas Hozza <thozza at redhat.com> said:
>>> That's where seccomp kicks in, it acts as a 2nd wall of defence. In case
>>> of a security hole being present in the server process, it goes further
>>> than a chroot, it prevents the attacker from making socket connections
>>> or executing his code, as his "playing field" is significantly reduced.
>>> There's very little he can do."
>> How is that different from an SELinux policy?  How is the additional
>> restriction handled (if it isn't SELinux, what mechanism is used to do
>> the restriction)?
>   The mechanism is called "seccomp" - http://en.wikipedia.org/wiki/Seccomp
>
Seccomp can add additional security features to SELinux by eliminating
certain syscalls. 
I think using both SELinux and seccomp is a good idea.  Security in Depth.
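The thread describes seccomp as a second wall that removes syscalls such as socket creation and program execution from a process's "playing field". The program below is an added example, not code from BIND, Red Hat, or anyone in this thread: it builds a classic-BPF seccomp filter that returns EPERM for an illustrative deny list (socket and execve), kills the process if the syscall arrives from a foreign architecture, and allows everything else. The names `build_deny_filter`, `filter_verdict`, `example_verdict` and `install_deny_filter` are this example's own, as is the `SECCOMP_AUDIT_ARCH` macro, which assumes an x86_64 or aarch64 build host. `filter_verdict` is a small offline evaluator for the three instruction forms the builder emits, so a policy can be unit-tested before it is loaded into a real daemon.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Architecture token the kernel reports in seccomp_data.arch.
 * Assumption: x86_64 or aarch64; add other AUDIT_ARCH_* values as needed. */
#if defined(__x86_64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define MAX_DENY 16
#define MAX_PROG (4 + 2 * MAX_DENY + 1)

/* Illustrative deny list (constructed for this example): the two syscall
 * classes the thread mentions, opening sockets and executing new programs. */
static const int denied_syscalls[] = { __NR_socket, __NR_execve };
static const size_t denied_count = sizeof denied_syscalls / sizeof denied_syscalls[0];

/* Emit a classic-BPF program: kill on a foreign architecture, return EPERM for
 * every denied syscall number, allow everything else. Returns the instruction
 * count, or 0 if the deny list does not fit in the buffer. */
size_t build_deny_filter(struct sock_filter *out, const int *denied, size_t n)
{
    if (n > MAX_DENY)
        return 0;
    size_t i = 0;
    /* Syscall numbers differ between ABIs, so pin the architecture first. */
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                            SECCOMP_AUDIT_ARCH, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    /* Load the syscall number and compare it against each denied entry. */
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) {
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                (unsigned int)denied[k], 0, 1);
        out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                                SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    }
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Evaluate a filter on a synthetic (arch, nr) pair without involving the
 * kernel. Supports only the instruction forms build_deny_filter emits and
 * fails closed on anything else. */
unsigned int filter_verdict(const struct sock_filter *prog, size_t len,
                            unsigned int arch, unsigned int nr)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (ins->k == offsetof(struct seccomp_data, arch)) acc = arch;
            else if (ins->k == offsetof(struct seccomp_data, nr)) acc = nr;
            else return SECCOMP_RET_KILL;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf;   /* loop adds the +1 */
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* Verdict of the example policy for one syscall, computed offline. */
unsigned int example_verdict(unsigned int arch, unsigned int nr)
{
    struct sock_filter prog[MAX_PROG];
    size_t len = build_deny_filter(prog, denied_syscalls, denied_count);
    return filter_verdict(prog, len, arch, nr);
}

/* Install the policy in the calling process; denied syscalls then fail with
 * EPERM. NO_NEW_PRIVS lets an unprivileged process load the filter. */
int install_deny_filter(void)
{
    struct sock_filter prog[MAX_PROG];
    size_t len = build_deny_filter(prog, denied_syscalls, denied_count);
    if (len == 0)
        return -1;
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    if (install_deny_filter() != 0) {
        perror("install_deny_filter");
        return 1;
    }
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    printf("socket() -> %d (%s)\n", fd, fd < 0 ? strerror(errno) : "allowed");
    return 0;
}
```

Returning EPERM rather than killing is the choice that keeps a daemon's own error handling in play and produces a visible, loggable failure when a blocked syscall is attempted; the arch check stays as a hard kill because a syscall arriving under an unexpected ABI is never legitimate. A filter installed this way cannot be removed by the process, which is what makes it a useful second layer beneath SELinux.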



