[nycbug-talk] Systrace Sandboxed OpenSSH , cool , wait what are they using
jhb at freebsd.org
Tue Jul 26 09:22:33 EDT 2011
On Monday, July 25, 2011 8:45:41 pm Mark Saad wrote:
> So I was just reading about some new features of OpenSSH over at
> undeadly , http://undeadly.org/cgi?action=article&sid=20110721123003
> But I cant help thinking about this post
> http://undeadly.org/cgi?action=article&sid=20070809201304 where
> systrace is bashed up and down.
> Am I missing something here ?
If they are just providing a whitelist of permitted system calls, then it
should not be subject to the known issues with systrace(4) as those are
related to parsing system call arguments.
It also looks from some mailing lists that OpenBSD is looking at porting
Capsicum to OpenBSD which should provide an even richer sandbox environment.
More information about the talk