
systemd SystemCallFilter= containment option seccomp hardening
Open, Normal, Public

Description

This will likely easily be possible once we're based on Debian version 9 codename Stretch.

Source:


Once available, it's a matter of adding whitelisted calls using SystemCallFilter= in a service unit file.

strace logs may help further debugging:

https://forums.whonix.org/t/cpfpd-data-options-control-port-filter-python-hardening/1146


Worth checking out... Quote: Tails report for January, 2016

Change to systemd as init system and use it to:

  • Sandbox many services using Linux namespaces and make them harder to exploit.

Details

Impact
Normal
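
One way to turn an strace log into the SystemCallFilter= whitelist the description refers to (an added example, not code from this task or from Whonix). The sample trace is constructed, the function names are hypothetical, and SystemCallErrorNumber=EPERM is an addition the task does not mention.

```python
import re

# Constructed sample of `strace -f` output (not from a real service).
SAMPLE_TRACE = """\
1201 execve("/usr/bin/exampled", ["exampled"], 0x7ffd0 /* 12 vars */) = 0
1201 openat(AT_FDCWD, "/etc/exampled.conf", O_RDONLY|O_CLOEXEC) = 3
1201 read(3, "port=9052\\n", 4096) = 10
1201 close(3) = 0
1201 socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 4
1201 bind(4, {sa_family=AF_INET, sin_port=htons(9052)}, 16) = 0
1201 listen(4, 128) = 0
1201 accept4(4, NULL, NULL, SOCK_CLOEXEC <unfinished ...>
1202 write(2, "ready\\n", 6) = 6
1201 <... accept4 resumed>) = 5
1202 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
1202 exit_group(0) = ?
1202 +++ exited with 0 +++
"""

# Optional "[pid N]" or bare PID prefix, optional timestamp, then either
# "name(" or the "<... name resumed>" form strace prints for split calls.
CALL = re.compile(
    r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?:[\d:.]+\s+)?"
    r"(?:(\w+)\(|<\.\.\. (\w+) resumed>)")

def syscalls_from_strace(text):
    """Return the sorted, de-duplicated syscall names seen in a trace."""
    names = set()
    for line in text.splitlines():
        m = CALL.match(line.strip())
        if m:  # signal ("---") and exit ("+++") lines do not match
            names.add(m.group(1) or m.group(2))
    return sorted(names)

def render_dropin(names):
    """Render a [Service] drop-in that whitelists exactly these calls."""
    return "\n".join([
        "[Service]",
        "SystemCallFilter=" + " ".join(names),
        # Fail a filtered call with EPERM instead of killing the process,
        # so a call missing from the trace shows up as an error in logs.
        "SystemCallErrorNumber=EPERM",
    ]) + "\n"

if __name__ == "__main__":
    print(render_dropin(syscalls_from_strace(SAMPLE_TRACE)), end="")
```

A trace only covers the code paths exercised while strace was attached, so run the service through its full workload with `strace -f` before relying on the generated list.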

Event Timeline

HulaHoop created this task. Jun 23 2015, 3:06 PM
HulaHoop updated the task description.
HulaHoop raised the priority of this task from to Needs Triage.
HulaHoop set Impact to Normal.
HulaHoop added subscribers: HulaHoop, troubadour, Patrick.
HulaHoop triaged this task as Normal priority. Jun 23 2015, 3:07 PM
Patrick renamed this task from systemd SystemCallFilter= option to systemd SystemCallFilter= option hardening. Jun 24 2015, 12:25 AM
Patrick renamed this task from systemd SystemCallFilter= option hardening to systemd SystemCallFilter= containment option seccomp hardening. Feb 10 2016, 6:10 PM
Patrick updated the task description. Jun 5 2016, 7:19 PM
Patrick edited projects, added Whonix 15; removed Whonix 14. Jan 18 2017, 10:32 AM
Patrick updated the task description. Aug 15 2018, 1:05 PM