PostgreSQL considers seccomp() filters
PostgreSQL considers seccomp() filters
Posted Oct 3, 2019 6:14 UTC (Thu) by cyphar (subscriber, #110703)In reply to: PostgreSQL considers seccomp() filters by wahern
Parent article: PostgreSQL considers seccomp() filters
In my view, this is actually a good thing -- pathname filtering based on the string value of the path is (in my view) destined to be a bad idea (I explain this further in [1]). I reckon that the right combination of bind-mounts and AppArmor/SELinux would be a far more effective method for doing this without all of the foot-guns.
> There are several little pragmatic tweaks like this that make pledge functional.
I agree that these sorts of niceties are very useful for making pledge(2) much easier to use for userspace, but I'm not convinced that we need to do all of them in-kernel. There is no reason why we can't also have a libpledge which can help deal with some of the more peculiar userspace bits (that are separate from the core "these syscalls on this kernel form this pledge-group" feature we need to be in-kernel).
Posted Oct 3, 2019 8:51 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
AppArmor has several problems, though. In particular, it can't be effectively used in unprivileged contexts. For example, you can't run a program that you just compiled with a custom policy.
It also was not possible to use AppArmor from inside containers (has this changed?).
Posted Oct 3, 2019 10:48 UTC (Thu)
by jem (subscriber, #24231)
[Link]
PostgreSQL considers seccomp() filters
SELinux is never a solution...
PostgreSQL considers seccomp() filters