Seccomp Mode 2 Filters
Just a short post to bring attention to seccomp mode 2 filters. There is not enough hype about this, probably because it’s not in the vanilla kernel yet (that I know of.) Seccomp filters let programs...

Why I Sandbox Chrome With AppArmor
Google Chrome is a browser designed with least privilege in mind. The Chrome multiprocess architecture sandboxes each tab, the renderer, the GPU, and extensions and has them use IPC to talk to the...

Seccomp Mode 2 Filters In Kernel 3.5
Just a note, the 3.5 Linux kernel now includes support for Seccomp Mode 2 Filters. Seccomp is awesome. It reduces visible kernel attack surface and severely limits the ability for attackers to exploit...

Chrome Seccomp-BPF Sandbox
Chrome://sandbox has gotten an update reflecting the newly implemented Mode 2 Seccomp Filters implemented through the Berkeley Packet Filter (BPF). To learn more about Syscall and Seccomp Filtering you...

Explaining Chrome’s Linux Sandbox
Note: The documentation for Chrome’s Linux sandbox is lacking. This is my attempt to make sense of it and clarify how it works for users who may not want to sift through multiple docs on the subject....

Sandboxing: Seccomp Filters
This is the first installment in a series on various sandboxing techniques that I’ve used in my own code to restrict an application's capabilities. You can find a shorter overview of these techniques...

Sandboxing: Conclusion
In total I’ve written five methods for sandboxing code. These are certainly not the only methods but they’re mostly simple to use, and they’re what I’ve personally used. A large part of this sandboxing...