Posted by LWN.net (syn_lwnheadline)
@ 2015-07-21 20:54:00

[$] Domesticating applications, OpenBSD style
One of the many approaches to improving system security consists of
reducing the attack surface of a given program by restricting the range of
system calls available to it. If an application has no need for access to
the network, say, then removing its ability to use the socket() system
call should cause no loss in functionality while reducing the scope of the
mischief that can be made should that application be compromised. In the
Linux world, this kind of sandboxing can be done using a security module or
the seccomp() system call. OpenBSD has lacked this capability so
far, but it may soon gain it via a somewhat different approach than has
been seen in Linux.
