ericmckean / seccompsandbox

Automatically exported from code.google.com/p/seccompsandbox
BSD 3-Clause "New" or "Revised" License

Extend the sandbox to work for legacy programs #13

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Currently the seccomp sandbox works as a library.  After starting up, a process 
can enable the sandbox.  This means the sandbox is limited to trusted programs 
that wish to run parts of themselves untrusted.

It would be good if the seccomp sandbox could be applied to existing programs.  
To run an existing executable, we would have to enable sandboxing before the 
executable's code is run.  Furthermore, we don't want to have to modify glibc's 
dynamic linker (ld.so), or trust it.  So we would need to enable sandboxing 
before the dynamic linker gets control too.

We would need to support whatever syscalls ld.so does on startup.  One case of 
this is ld.so's TLS initialisation.  On i386, this uses set_thread_area().  On 
x86-64, it uses arch_prctl()+ARCH_SET_FS.

There is a design sketch for this at http://plash.beasts.org/wiki/SeccompSandbox

Original issue reported on code.google.com by mseaborn@chromium.org on 11 Nov 2010 at 4:05
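An added example of the approach the issue sketches (installing a syscall policy in the launching process before execve(), so that both ld.so and the target binary run under it). This is not seccompsandbox code: the project's sandbox is built on the older seccomp mode and a trusted helper thread, whereas the launcher below uses the later seccomp-bpf filter mechanism (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER)) on x86-64 Linux, which is the standard way to do this today. The syscall allowlist is an assumption drawn from tracing a trivial glibc program and is not exhaustive; arch_prctl is on it because, as the issue notes, that is what ld.so's TLS setup uses on x86-64. The small classic-BPF interpreter is included only so the policy can be checked offline before it is loaded.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Assumption: syscalls a dynamically linked x86-64 glibc program issues from
 * ld.so startup through exit, taken from tracing a trivial program. Derive the
 * real list from strace of the actual target. execve must be allowed because
 * the filter is live before it; arch_prctl(ARCH_SET_FS) is ld.so's TLS setup. */
static const int kAllowed[] = {
    SYS_execve, SYS_brk, SYS_arch_prctl, SYS_access, SYS_openat, SYS_newfstatat,
    SYS_read, SYS_pread64, SYS_mmap, SYS_mprotect, SYS_munmap, SYS_close,
    SYS_set_tid_address, SYS_set_robust_list, SYS_prlimit64, SYS_getrandom,
#ifdef SYS_rseq
    SYS_rseq,
#endif
    SYS_write, SYS_exit_group,
};
#define NALLOWED (sizeof kAllowed / sizeof kAllowed[0])
#define MAX_INSNS (NALLOWED + 6)

int is_allowed(int nr) {
    for (size_t i = 0; i < NALLOWED; i++)
        if (kAllowed[i] == nr) return 1;
    return 0;
}

/* Emit the BPF program. The arch check comes first: syscall numbers differ
 * between i386 and x86-64, so an allowlist that ignores seccomp_data.arch can
 * be bypassed by entering the kernel through the 32-bit path (int 0x80). */
size_t build_filter(struct sock_filter *out) {
    size_t n = 0;
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    /* On a match, jt skips the remaining compares and the KILL to reach ALLOW. */
    for (size_t i = 0; i < NALLOWED; i++)
        out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)kAllowed[i],
                                                (uint8_t)(NALLOWED - i), 0);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}

/* Interpret the subset of classic BPF used above (LD ABS, JEQ K, RET K) so the
 * policy can be tested offline; anything else is treated as a kill. */
uint32_t run_filter(const struct sock_filter *f, size_t len, const struct seccomp_data *d) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        switch (f[pc].code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)d + f[pc].k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf; /* loop's pc++ adds the +1 */
            break;
        case BPF_RET | BPF_K:
            return f[pc].k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* What the filter would return for a syscall number arriving via a given ABI. */
uint32_t decide(uint32_t arch, int nr) {
    struct sock_filter insns[MAX_INSNS];
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(insns, build_filter(insns), &d);
}

/* Usage: ./launcher /bin/true  (runs an unmodified binary under the filter) */
int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s PROG [ARGS...]\n", argv[0]); return 2; }
    struct sock_filter insns[MAX_INSNS];
    struct sock_fprog prog = { .len = (unsigned short)build_filter(insns), .filter = insns };
    /* NO_NEW_PRIVS lets an unprivileged process install the filter and stops a
     * setuid execve from shedding it. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) {
        perror("seccomp");
        return 1;
    }
    /* Filter is live from here: execve, then ld.so, then the program run under it. */
    execv(argv[1], argv + 1);
    perror("execv");
    return 1;
}
```

Two points the example makes concrete. First, whatever ld.so does at startup must be on the list, and the filter rejects by killing the process, so a missing entry shows up as the target dying before main() rather than as a clean error; strace of the target is the way to build the list. Second, the policy only covers the x86-64 ABI: a 32-bit binary would be killed at its first syscall, and supporting it would need a second branch keyed on AUDIT_ARCH_I386 with i386 numbers, including the set_thread_area() call the issue mentions, rather than reusing the x86-64 allowlist.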