While I am happy that there is such functionality in the Linux kernel, this feels like a slightly over-engineered and complex solution to the problem of restricting access to certain system calls.
I agree – seccomp really seems to suffer from the second-system effect. I think the biggest problem is that it makes the logical next step in sandboxing system calls unnecessarily hard. I glossed over it in the article, but inspecting any non-integer system call arguments requires a supervising process to inspect the sandboxed process with ptrace.
Is there a lot of stuff using this?
There are a few things. The most popular user is probably Chrome.
Pledge vs this…. I think I’d have to say pledge. It might be less featured, but it’s a helluva lot easier to get right, which counts for sooo much more.
Great intro though!