freedomofpress / dangerzone

Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs
https://dangerzone.rocks/
GNU Affero General Public License v3.0

Reduce Container Dependencies (round #2) #691

Open deeplow opened 5 months ago

deeplow commented 5 months ago

We've done this in the past, but according to the auditors, we can further slim down the image (and thus remove potential attacker gadgets). They found nc and wget, but they mention these are probably not the only ones. Probably many other executables from busybox are in reality not needed.

deeplow commented 5 months ago

While looking into seccomp policies generation (I can't find the specific reference) I came across an interesting approach: execute over a test set and find all the binaries called. Then remove everything else. Not sure how risky that is in this case, but it feels like something we can explore. But maybe that's overkill here.
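The "trace a test set, then remove everything that was never executed" approach from the comment above, as an added worked example that is not part of the issue thread and not Dangerzone's own tooling. It assumes an exec trace collected with `strace -f -o exec.log -e trace=execve <test command>` inside the container, and an inventory of the image's executables (a `find` over the bin directories plus `readlink` on symlinks and the `#!` line of scripts). All sample data below is constructed; the paths, PIDs and inventory are made up and do not describe the real image.

```python
"""Derive a candidate removal list from an exec trace of a conversion test run.

Constructed example, not Dangerzone project code. The two inputs are
assumed to have been gathered separately:
  1. strace -f -o exec.log -e trace=execve <run the test set>   (SAMPLE_TRACE)
  2. an inventory of executables in the image: find over /bin and /usr/bin,
     readlink for symlinks, first line of scripts      (IMAGE_INVENTORY, SCRIPT_INTERPRETERS)
Anything in the inventory that was never exec'd, directly or indirectly,
is reported as a removal candidate for a human to review.
"""
import re

# Matches one strace execve line, with or without the pid prefix that -f / -o add.
# Interleaved "<unfinished ...>" / "<... execve resumed>" pairs are not parsed;
# use `strace -ff` (one file per pid) if the trace is full of them.
EXECVE_RE = re.compile(
    r'^(?:\[pid\s+\d+\]|\d+)?\s*execve\("(?P<path>[^"]*)".*\)\s*=\s*(?P<ret>-?\d+)'
)

# Constructed strace output; PIDs, paths and arguments are made up.
SAMPLE_TRACE = """\
101 execve("/usr/bin/python3", ["python3", "/opt/dangerzone/conversion/doc_to_pixels.py"], 0x7ffc3a1b2c40 /* 6 vars */) = 0
102 execve("/usr/bin/libreoffice", ["libreoffice", "--headless", "--convert-to", "pdf", "doc.docx"], 0x55d1e8 /* 6 vars */) = 0
103 execve("/usr/bin/pdftoppm", ["pdftoppm", "-r", "150", "doc.pdf", "page"], 0x55d1e8 /* 6 vars */) = 0
104 execve("/usr/bin/convert-helper", ["convert-helper", "page-1.ppm"], 0x55d1e8 /* 6 vars */) = 0
105 execve("/usr/bin/pdfinfo", ["pdfinfo", "doc.pdf"], 0x55d1e8 /* 6 vars */) = -1 ENOENT (No such file or directory)
"""

# Constructed image inventory: path -> symlink target, or None for a regular file.
# Busybox applets are symlinks to the single busybox binary.
IMAGE_INVENTORY = {
    "/bin/busybox": None,
    "/bin/sh": "/bin/busybox",
    "/bin/nc": "/bin/busybox",
    "/bin/wget": "/bin/busybox",
    "/bin/ls": "/bin/busybox",
    "/usr/bin/python3": None,
    "/usr/bin/libreoffice": None,
    "/usr/bin/pdftoppm": None,
    "/usr/bin/gs": None,
    "/usr/bin/convert-helper": None,
}
# Constructed: interpreters read from the "#!" line of scripts in the inventory.
SCRIPT_INTERPRETERS = {"/usr/bin/convert-helper": "/bin/sh"}


def executed_paths(trace_text):
    """Return (successfully exec'd paths, paths whose execve failed)."""
    used, failed = set(), set()
    for line in trace_text.splitlines():
        m = EXECVE_RE.match(line)
        if not m:
            continue  # exit-status lines, resumed lines, other noise
        (used if m.group("ret") == "0" else failed).add(m.group("path"))
    return used, failed


def required_paths(used, inventory, interpreters):
    """Close the exec'd set over two dependencies strace does not show:
    a symlink's target (busybox applets) and a script's #! interpreter,
    which the kernel loads without a separate execve."""
    keep, todo = set(), list(used)
    while todo:
        path = todo.pop()
        if path in keep or path not in inventory:
            continue  # already handled, or outside the inventoried directories
        keep.add(path)
        if inventory[path]:
            todo.append(inventory[path])
        if path in interpreters:
            todo.append(interpreters[path])
    return keep


def removal_candidates(trace_text, inventory, interpreters):
    """Inventory entries the test set never needed, sorted for review."""
    used, _failed = executed_paths(trace_text)
    keep = required_paths(used, inventory, interpreters)
    return sorted(set(inventory) - keep)


if __name__ == "__main__":
    used, failed = executed_paths(SAMPLE_TRACE)
    print("exec'd:", sorted(used))
    print("failed execs (check whether the test expected them):", sorted(failed))
    print("candidates for removal:", removal_candidates(SAMPLE_TRACE, IMAGE_INVENTORY, SCRIPT_INTERPRETERS))
```

Two caveats that bear on the "not sure how risky" question. First, the result is only as good as the test set's coverage: a code path no test exercises (an error handler that shells out, an uncommon input format) will have its binary flagged, so the failed-exec list and the candidate list are review input, not an automatic delete list. Second, for busybox the symlink is only a name: removing `/bin/nc` while keeping `/bin/busybox` still leaves the applet reachable as `busybox nc`, so actually dropping the gadget means building busybox without that applet (or replacing busybox with the few standalone binaries that are needed).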