
research seccomp for better python script security
Closed, Resolved (Public)

Description

Find out if seccomp (and/or seccomp.py) would be useful to increase security.

A good candidate for testing and confinement, because relatively simple to play with, would be url_to_unixtime (T102). Later also control-port-filter-python.

See also:

Related:

  • research PyPy for better python script security: T129 [if we start using pypy, we might not need seccomp.py T128]

Details

Impact
Needs Triage

Event Timeline

Patrick created this task. Feb 4 2015, 11:13 PM
Patrick raised the priority of this task from to Normal.
Patrick updated the task description.
Patrick added projects: python, security.
Patrick added subscribers: Patrick, HulaHoop.
Patrick renamed this task from research seccomp for python scripts to research seccomp for better python script security. Feb 4 2015, 11:15 PM
Patrick added a project: sdwdate.
Patrick updated the task description. Feb 5 2015, 1:32 PM

[Whonix-devel] hardening python scripts with seccomp.py:
https://www.whonix.org/pipermail/whonix-devel/2015-April/000347.html

Patrick set Impact to Needs Triage. Apr 25 2015, 9:27 PM
Patrick added a subscriber: nrgaway.

seccomp.py would have needed a lot of effort to extend to be able to meet cpfp's syscall requirements while making sure it's still secure. prctl's interface is far from pythonic to deal with. Not a solution that scales.

systemd.exec integrates and exposes Linux's security features in an easy-to-use manner. It was chosen instead.

https://www.whonix.org/forum/index.php/topic,1313
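
The approach chosen in the comment above, sketched as a unit file. This is an added example, not part of the original task and not the project's own configuration. The unit name, script path and user account are hypothetical, and it assumes a systemd version that supports the `@`-prefixed system call groups.

```ini
# /etc/systemd/system/example-python-script.service
# Hypothetical unit, script path and user, constructed for this example.
[Unit]
Description=Example confined Python script

[Service]
ExecStart=/usr/bin/python3 /usr/lib/example/example-python-script
User=example-script

# seccomp filtering: systemd installs the filter before exec(),
# so the Python script itself carries no prctl()/seccomp code.
# NoNewPrivileges keeps setuid binaries from regaining privileges.
NoNewPrivileges=yes
# Refuse non-native syscall ABIs (e.g. 32-bit calls on x86-64),
# which could otherwise sidestep a filter written for one ABI.
SystemCallArchitectures=native
# Allow-list the calls a typical service needs, then subtract
# the privileged and resource-control groups from that list.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# Return an error to the caller instead of killing the process,
# which makes missing syscalls easier to find during testing.
SystemCallErrorNumber=EPERM

# Further systemd.exec confinement that seccomp.py did not cover.
# An empty assignment drops every capability.
CapabilityBoundingSet=
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=yes

[Install]
WantedBy=multi-user.target
```

The allow-list has to be validated against the real script: run it under the filter, watch the journal for calls failing with EPERM, and widen `SystemCallFilter=` only for calls the script legitimately needs. `systemd-analyze security example-python-script.service` reports which of these directives are set on the loaded unit.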

HulaHoop closed this task as Resolved. Jun 18 2015, 3:20 AM