[nycbug-talk] Systrace Sandboxed OpenSSH , cool , wait what are they using

John Baldwin jhb at freebsd.org
Tue Jul 26 09:22:33 EDT 2011


On Monday, July 25, 2011 8:45:41 pm Mark Saad wrote:
> Talk
> So I was just reading about some new features of OpenSSH over at
> undeadly , http://undeadly.org/cgi?action=article&sid=20110721123003
> But I cant help thinking about this post
> http://undeadly.org/cgi?action=article&sid=20070809201304 where
> systrace is bashed up and down.
> Am I missing something here ?

If they are just providing a whitelist of permitted system calls, then it 
should not be subject to the known issues with systrace(4) as those are 
related to parsing system call arguments.

It also looks from some mailing lists that OpenBSD is looking at porting
Capsicum to OpenBSD which should provide an even richer sandbox environment.

-- 
John Baldwin



More information about the talk mailing list