You'd have to use systrace in conjunction with chroot in OpenBSD to properly sandbox applications. That way you can restrict what type of syscalls can be used.
Remote root hole in Samba
Posted Apr 11, 2012 17:17 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)
Posted Apr 14, 2012 20:37 UTC (Sat) by andres (guest, #83358)
systrace is only "vulnerable" to TOCTOU/TOATOU if your policy involves checking pointer arguments.
systrace policies such as ssh's block entire syscalls outright; they don't check arguments. As such, those policies are not vulnerable.
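The distinction drawn in the comment above, as an added example that is not part of the thread and is not systrace code: a deterministic user-space model in which a policy that inspects a pointer argument can be raced between check and use, while a policy that decides on the syscall number alone reads no user memory. The syscall numbers, paths and function names are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: "user memory" that another thread of the sandboxed
   process could rewrite at any moment. */
static char user_buf[64];
typedef void (*racer_fn)(void);

/* Stands in for the concurrent thread; here it runs at a fixed point so
   the outcome is reproducible. */
static void racer_swap(void) {
    snprintf(user_buf, sizeof user_buf, "/home/user/private");
}

enum { MODEL_SYS_OPEN = 5, MODEL_SYS_SOCKET = 97 };  /* hypothetical numbers */

static int path_allowed(const char *p) { return strncmp(p, "/tmp/", 5) == 0; }

/* Policy A: inspect the pointer argument, then let the kernel re-read it.
   Returns 1 if the kernel acted on a path the policy never approved. */
int arg_check_bypassed(racer_fn racer) {
    char kernel_copy[64];
    snprintf(user_buf, sizeof user_buf, "/tmp/scratch");
    if (!path_allowed(user_buf)) return 0;   /* time of check */
    if (racer) racer();                      /* window between check and use */
    snprintf(kernel_copy, sizeof kernel_copy, "%s", user_buf);  /* time of use */
    return !path_allowed(kernel_copy);
}

/* Policy B: decide on the syscall number only. No user memory is read, so
   rewriting it cannot change the verdict. Returns 1 if the call is permitted. */
int number_only_permits(int sysno, racer_fn racer) {
    int verdict = (sysno != MODEL_SYS_OPEN && sysno != MODEL_SYS_SOCKET);
    if (racer) racer();                      /* same window, nothing to change */
    return verdict;
}

int main(void) {
    printf("arg check bypassed, no race:   %d\n", arg_check_bypassed(NULL));
    printf("arg check bypassed, with race: %d\n", arg_check_bypassed(racer_swap));
    printf("number-only permits open, with race: %d\n",
           number_only_permits(MODEL_SYS_OPEN, racer_swap));
    return 0;
}
```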
Copyright © 2013, Eklektix, Inc. Comments and public postings are copyrighted by their creators. Linux is a registered trademark of Linus Torvalds