Page MenuHomePhabricator
Create Task
Maniphest T128

research seccomp for better python script security
Closed, ResolvedPublic
Actions

Description

Find out if seccomp (and/or seccomp.py) would be useful to increase security.

A good good candidate for testing and confinement, because relatively simple to play with, would be url_to_unixtime (T102). Later also control-port-filter-python.

See also:

Related:

  • research PyPy for better python script security: T129 [if we start using pypy, we might not need seccomp.py T128]

Details

Impact
Needs Triage

Related Objects

Event Timeline

Patrick created this task.Feb 4 2015, 10:13 PM
Patrick raised the priority of this task from to Normal.
Patrick updated the task description. (Show Details)
Patrick added projects: python, security.
Patrick added subscribers: Patrick, HulaHoop.
Herald added a project: Whonix. · View Herald TranscriptFeb 4 2015, 10:13 PM
Patrick renamed this task from research seccomp for python scripts to research seccomp for better python script security.Feb 4 2015, 10:15 PM
Patrick added a project: sdwdate.
Patrick mentioned this in T129: research PyPy for better python script security.Feb 4 2015, 10:20 PM
Patrick updated the task description. (Show Details)
Patrick updated the task description. (Show Details)Feb 5 2015, 12:32 PM
Patrick mentioned this in T102: url_to_unixtime - extract time stamps from http headers.Feb 5 2015, 1:52 PM
Patrick added a comment.Apr 25 2015, 7:26 PM

[Whonix-devel] hardening python scripts with seccomp.py:
https://www.whonix.org/pipermail/whonix-devel/2015-April/000347.html

Herald added a subscriber: WhonixQubes. · View Herald TranscriptApr 25 2015, 7:26 PM
Patrick set Impact to Needs Triage.Apr 25 2015, 7:27 PM
Patrick added a subscriber: nrgaway.
HulaHoop added a comment.Jun 18 2015, 1:19 AM

seccomp.py would have needed a lot of effort to extend to be able to meet cpfp's syscall requirements while making sure its still secure. prctl's interface is far from pythonic to deal with. Not a solution that scales.

systemd.exec integrates and exposes Linux's security features in an easy to use manner. It was chosen instead.

https://www.whonix.org/forum/index.php/topic,1313

HulaHoop closed this task as Resolved.Jun 18 2015, 1:20 AM
Patrick added a comment.EditedFeb 13 2017, 7:39 PM
In T128#5598, @HulaHoop wrote:

https://www.whonix.org/forum/index.php/topic,1313

new link:
https://forums.whonix.org/t/cpfpd-data-options-control-port-filter-python-hardening

Patrick mentioned this in T631: re-enable tor-controlport-filter.service systemd hardening.Feb 13 2017, 7:42 PM
Whonix OLD Issue Tracker · PLEASE DO NOT POST NEW TICKETS HERE · OLD Issue Tracker - Unread Notifications · OLD Issue Tracker - Feed · OLD Issue Tracker - Open Issues · NEW Issue Tracker · Homepage · Blog · Forum · Legal · Imprint · Privacy Policy · Terms of Use · Disclaimer