[Bug 2142] openssh sandboxing using libseccomp

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Aug 14 13:49:54 EST 2013


https://bugzilla.mindrot.org/show_bug.cgi?id=2142

--- Comment #4 from Loganaden Velvindron <loganaden at gmail.com> ---
(In reply to Damien Miller from comment #3)
> Sure, but I don't see the point - what's the advantage to using
> libseccomp? It looks like it might have some advantages if we were
> doing argument inspection, were scared of writing BPF or running a
> complex policy but we aren't.

Agreed.

> The existing seccomp sandbox will work on any system that has
> libseccomp and will do the same thing with fewer dependencies and
> less code. Adding another sandbox that does exactly the same thing
> just means we need to maintain two sets of code instead of one.

I see your point ("Reduced attack surface") :-)

In that case, it's probably better that I don't spend more time further
on this.

Thanks.
