[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Sandboxing at runtime

From: Gary E. Miller
Subject: Re: Sandboxing at runtime
Date: Tue, 21 Jul 2020 23:38:46 -0700

Yo Sanjeev!

On Wed, 22 Jul 2020 12:20:44 +0800
Sanjeev Gupta <> wrote:

> (I am cc:ing both lists, as I think the groups overlap, and both have
> the seame concerns)
> A choice of either a dynamic library (with LD_PRELOAD) or running it
> under a "sandboxify" application.

Just the start of the pain.

> If nothing else, this may simplify finding out the syscalls that are
> in use.

Sort of.  As experience with NTPsec has shown, the syscals in use
vary wildly by library versions.  They change with no notice.  Plus
finding the rarely used ones is time consuming.

> If there is interest, I could iterate (eg) gpsmon or ntpq,to
> estimate the smallest number of syscalls required.

ntpq is python, so now you have to identify all the possible syscalls
in a large number of python versions, over a large number of system
libraries and operating systems.

> I am not sure how portable this will be, as we support multiple OS
> kernels.

A very large undertaking that will never end.  Be sure you have a lot
of spare time over the next few years for this task.

Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703  Tel:+1 541 382 8588

            Veritas liberabit vos. -- Quid est veritas?
    "If you can't measure it, you can't improve it." - Lord Kelvin

Attachment: pgpsOW5IRPo2h.pgp
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]