
research seccomp for better python script security
Closed, Resolved (Public)

Description

Find out if seccomp (and/or seccomp.py) would be useful to increase security.

A good candidate for testing and confinement, because it is relatively simple to play with, would be url_to_unixtime (T102). Later also control-port-filter-python.

See also:

Related:

  • research PyPy for better python script security: T129 [if we start using pypy, we might not need seccomp.py T128]

Details

Impact
Needs Triage

Event Timeline

Patrick updated the task description. Feb 4 2015, 11:13 PM
Patrick added projects: python, security.
Patrick added subscribers: Patrick, HulaHoop.
Patrick created this task.
Patrick raised the priority of this task from to Normal.
Patrick renamed this task from research seccomp for python scripts to research seccomp for better python script security.
Patrick updated the task description. Feb 5 2015, 1:32 PM

[Whonix-devel] hardening python scripts with seccomp.py:
https://www.whonix.org/pipermail/whonix-devel/2015-April/000347.html

Patrick set Impact to Needs Triage. Apr 25 2015, 9:27 PM
Patrick added a subscriber: nrgaway.

seccomp.py would have needed a lot of effort to extend to be able to meet cpfp's syscall requirements while making sure it's still secure. prctl's interface is far from pythonic to deal with. Not a solution that scales.


systemd.exec integrates and exposes Linux's security features in an easy to use manner. It was chosen instead.

https://www.whonix.org/forum/index.php/topic,1313
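
What the systemd.exec approach mentioned above looks like in practice, as an added example that is not taken from this task or from Whonix's own unit files: a service drop-in that applies a seccomp filter and related confinement declaratively, with no prctl calls in the Python code. The unit name, file path and the assumed needs of the daemon (TCP and Unix sockets, no privileged ports) are hypothetical.

```ini
# Hypothetical drop-in: /etc/systemd/system/example-filter.service.d/50-hardening.conf
# "example-filter" is a placeholder unit name, not a Whonix unit.
[Service]
# seccomp allow-list: start from systemd's predefined set for ordinary
# daemons, then subtract groups a small network filter should not need.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# Return an error to the caller instead of killing the process with SIGSYS,
# so a blocked syscall surfaces as a Python exception that can be logged.
SystemCallErrorNumber=EPERM
# Refuse non-native ABIs (e.g. 32-bit syscalls on x86-64) so the filter
# cannot be sidestepped through an alternative syscall table.
SystemCallArchitectures=native
# Blocks privilege gain via setuid binaries; the kernel requires this
# (or CAP_SYS_ADMIN) before a seccomp filter can be installed.
NoNewPrivileges=yes
# Socket families: local, IPv4, IPv6 only (assumed needs of the daemon).
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Drop all capabilities; assumes the service binds no port below 1024.
CapabilityBoundingSet=
# Filesystem confinement.
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
```

After a `systemctl daemon-reload` and restart, `systemd-analyze security` on the unit reports which of these settings are in effect; predefined sets such as `@system-service` depend on the installed systemd version.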

HulaHoop closed this task as Resolved. Jun 18 2015, 3:20 AM