Aren't systemd's security capabilities in userspace simpler to use?
Posted Jul 22, 2015 21:16 UTC (Wed) by mezcalero (subscriber, #45103)
In reply to: Aren't systemd's security capabilities in userspace simpler to use? by alison
Parent article: Domesticating applications, OpenBSD style
That said, I am pretty sure the tame() API is frickin' crazy, and seccomp() is actually a ton more useful, especially if you use it in conjunction with some namespacing tricks like they are exposed with systemd's PrivateTmp=, ProtectSystem= or PrivateNetwork=.
I find Theo's comment on seccomp controlling programs with other programs particularly weird, given that the seccomp filters are not Turing complete, and hence hardly more than a fancy parameter check, and hardly something I would really call a "program".