[OpenWrt-Devel] enabling seccomp by default in kernel

David Lang david at lang.hm
Sat Feb 14 18:31:58 EST 2015


On Sat, 14 Feb 2015, Nikos Mavrogiannopoulos wrote:

> Hello,
> I've added libseccomp into packages. That library allows
> programs to easily restrict the system calls they are allowed to use.
> In turn that uses the kernel's seccomp filter. That's one of the most
> reliable ways to restrict/sandbox processes into specific tasks which
> cannot be overridden even in the event of code injection.
>
> I've also enabled the ocserv package to use seccomp if configured to,
> but in order for that protection to become meaningful for other
> programs to use as well, it would also need the default kernel option to
> enable seccomp filter.

It needs the kernel support to use the seccomp filter, but why is this so 
critical that it must be enabled by default?

David Lang
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel