Page MenuHomePhabricator

systemd SystemCallFilter= containment option seccomp hardening
Closed, ResolvedPublic

Description

This will likely easily be possible once we're based on Debian version 9 codename Stretch.

Source:


Once available, its a matter of adding whitelisted calls using SystemCallFilter= in a service unit file.

strace logs may help further debugging:

https://forums.whonix.org/t/cpfpd-data-options-control-port-filter-python-hardening/1146


Worth checking out... Quote: Tails report for January, 2016

Change to systemd as init system and use it to:

  • Sandbox many services using Linux namespaces and make them harder to exploit.

Details

Impact
Normal

Event Timeline

HulaHoop raised the priority of this task from to Needs Triage.
HulaHoop updated the task description. (Show Details)
HulaHoop set Impact to Normal.
HulaHoop added subscribers: HulaHoop, troubadour, Patrick.
HulaHoop triaged this task as Normal priority.Jun 23 2015, 3:07 PM
Patrick renamed this task from systemd SystemCallFilter= option to systemd SystemCallFilter= option hardening.Jun 24 2015, 12:25 AM
Patrick renamed this task from systemd SystemCallFilter= option hardening to systemd SystemCallFilter= containment option seccomp hardening.Feb 10 2016, 6:10 PM
Patrick claimed this task.

This was done. If not, please create specific tickets where it isn't done.