Page MenuHomePhabricator
Create Task
Maniphest T362

systemd SystemCallFilter= containment option seccomp hardening
Closed, ResolvedPublic
Actions

Description

This will likely easily be possible once we're based on Debian version 9 codename Stretch.

Source:

Once available, its a matter of adding whitelisted calls using SystemCallFilter= in a service unit file.

strace logs may help further debugging:

https://forums.whonix.org/t/cpfpd-data-options-control-port-filter-python-hardening/1146

Worth checking out... Quote: Tails report for January, 2016

Change to systemd as init system and use it to:

  • Sandbox many services using Linux namespaces and make them harder to exploit.

Details

Impact
Normal

Related Objects

Event Timeline

HulaHoop created this task.Jun 23 2015, 1:06 PM
HulaHoop raised the priority of this task from to Needs Triage.
HulaHoop updated the task description. (Show Details)
HulaHoop added projects: Whonix, systemd, Debian version 9 codename Stretch, security.
HulaHoop set Impact to Normal.
HulaHoop added subscribers: HulaHoop, troubadour, Patrick.
Herald added a subscriber: WhonixQubes. · View Herald TranscriptJun 23 2015, 1:06 PM
HulaHoop triaged this task as Normal priority.Jun 23 2015, 1:07 PM
Patrick renamed this task from systemd SystemCallFilter= option to systemd SystemCallFilter= option hardening.Jun 23 2015, 10:25 PM
Patrick added projects: onion-grater (Control Port Filter Proxy), sdwdate, msgcollector, whonixcheck, enhancement.
Patrick renamed this task from systemd SystemCallFilter= option hardening to systemd SystemCallFilter= containment option seccomp hardening.Feb 10 2016, 5:10 PM
Patrick updated the task description. (Show Details)Jun 5 2016, 5:19 PM
Patrick added a project: Whonix 14.Jan 18 2017, 5:58 AM
Patrick edited projects, added Whonix 15; removed Whonix 14.Jan 18 2017, 9:32 AM
Patrick mentioned this in T631: re-enable tor-controlport-filter.service systemd hardening.Feb 13 2017, 7:43 PM
Patrick updated the task description. (Show Details)Aug 15 2018, 11:05 AM
Patrick removed a project: Whonix 15.Dec 7 2018, 10:57 AM
Patrick closed this task as Resolved.Nov 6 2019, 2:34 AM
Patrick claimed this task.

This was done. If not, please create specific tickets where it isn't done.

Patrick added a subscriber: madaidan.Nov 6 2019, 2:34 AM
Whonix OLD Issue Tracker · PLEASE DO NOT POST NEW TICKETS HERE · OLD Issue Tracker - Unread Notifications · OLD Issue Tracker - Feed · OLD Issue Tracker - Open Issues · NEW Issue Tracker · Homepage · Blog · Forum · Legal · Imprint · Privacy Policy · Terms of Use · Disclaimer