Comment by bagxrvxpepzn

18 hours ago

> Sure seccomp has its flaws but it's not unworkable. You could just simply gate execution from running on any newer version of Linux of which you don't have a complete syscall list. Or variations on that theme if you need more flexibility.

Well, you'll still need to build unveil/pledge on top of it, because it's not just "the version of Linux". It's all libraries used, directly and indirectly (incl config-based list of libraries, like in PAM), and what they suddenly decide to change even in a security-only patch.

The list of syscalls any code anywhere in the system calls is not a published contract with any guarantees.

> You could just

… is doing some heavy lifting here. "You could just" all but guarantee that your program will break in a couple of years for all users who do the responsible thing?

Sure, if you're building an appliance with a support contract, where you control everything, then that's doable. Servers/desktops/laptops, not so much.
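An added example, not part of the comment above, of the mechanism being discussed: a raw seccomp-bpf filter installed with prctl(2). To keep it safe to run inside an already-sandboxed process it denies a single syscall (uname) with EPERM rather than allowlisting everything the program is believed to use; a production allowlist inverts the last two rules. The point it illustrates is the commenter's: once such a filter is in place, any library (or a security patch to one) that starts issuing a syscall the list did not anticipate gets EPERM with no warning at build time. Function names, return codes and the choice of uname as the denied syscall are this example's own assumptions.

```c
/* Added example: deny one syscall with a seccomp-bpf filter. Linux only. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Architecture check: a filter must never match syscall numbers from a
 * foreign ABI, so anything but the compiled-for arch is refused. */
#if defined(__x86_64__)
#define DEMO_ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define DEMO_ARCH_NR AUDIT_ARCH_I386
#else
#error "unsupported architecture for this example"
#endif

/* Install a filter that returns EPERM for uname(2) and allows all else.
 * Returns 0 on success, -1 if the kernel or sandbox refuses (errno set). */
int install_deny_uname_filter(void)
{
    struct sock_filter filt[] = {
        /* load seccomp_data.arch, refuse foreign ABIs with ENOSYS */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA)),
        /* load seccomp_data.nr and compare against the denied syscall */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_uname, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* everything else passes; an allowlist would return ERRNO here instead */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filt) / sizeof(filt[0])),
        .filter = filt,
    };

    /* Required for an unprivileged process to load a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Probe uname(2): 0 if it succeeds, otherwise the errno it failed with. */
int uname_errno(void)
{
    struct utsname u;
    if (uname(&u) == 0)
        return 0;
    return errno;
}

/* Returns 1 if the filter installed and uname now fails with EPERM,
 * 0 if the filter could not be installed (e.g. seccomp disallowed here),
 * -1 if the filter installed but did not behave as expected. */
int run_demo(void)
{
    if (install_deny_uname_filter() != 0)
        return 0;
    return uname_errno() == EPERM ? 1 : -1;
}

int main(void)
{
    printf("before filter: uname -> errno %d\n", uname_errno());
    int r = run_demo();
    if (r == 0) {
        printf("seccomp filter could not be installed: %s\n", strerror(errno));
        return 1;
    }
    printf("after filter:  uname -> errno %d (%s)\n", uname_errno(),
           strerror(uname_errno()));
    return r == 1 ? 0 : 2;
}
```

Run it once and uname(1)-style lookups from this process fail with "Operation not permitted"; the filter is inherited by children and cannot be removed, which is exactly why a list assembled by observing today's libraries is a liability once those libraries change underneath it.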