Testing chrony seccomp support

Michael Catanzaro mcatanzaro at gnome.org
Mon Oct 5 15:31:38 UTC 2015


On Mon, 2015-10-05 at 17:27 +0200, Miroslav Lichvar wrote:
> Another possibility is to add a new level to the chrony seccomp
> support that would use a blacklisting approach, disabling syscalls or
> their arguments that historically are most dangerous and we can be
> sure won't be ever needed. I hope that's not an empty set.

Sandstorm and systemd-nspawn have lists like that, if you want to
investigate them... of course, the security benefits are much less, but
it's better than no seccomp and you don't have to worry much about
compatibility issues. No reason for chrony to be using kexec, for
example.


More information about the devel mailing list