[Ur] Seccomp for Ur/Web-generated binaries
Adam Chlipala
adamc at csail.mit.edu
Wed Mar 18 10:57:56 EDT 2015
On 03/17/2015 05:37 PM, Benjamin Barenblat wrote:
> Should we be thinking about seccomp for the binaries 'urweb' makes?
>
> Seccomp is a Linux capabilities system that lets an application define
> and institute a policy for allowed system calls. This is normally used
> to allow applications to JIT and execute untrusted code (most notably in
> Google Chrome), but it could also be a powerful tool to help mitigate
> exploits against Ur/Web CGI and FastCGI binaries.
It could be worth adding, as either an opt-in feature or one that turns
on by default when the build process sees Linux.
Most real Ur/Web deployments so far use the C FFI to make system calls
that "pure" Ur/Web apps never could, so it would be important to make
the policy configurable, which probably requires some extensions to,
e.g., the .urp project-file format. It could be worth doing, but it's
not obvious that it's worth the effort.
How would you see the Ur/Web programmer experience changing to
facilitate Seccomp usage?
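As an added illustration of the configurable syscall policy the thread discusses (example code, not from the Ur/Web project or either poster): a C routine that turns a table of allowed syscall numbers into a seccomp-BPF filter and installs it. It assumes Linux on x86-64; the policy table in `main` is a constructed sample, not what any Ur/Web binary actually needs.

```c
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#define MAX_INSNS 64   /* size of the caller's sock_filter buffer */
#define INSN(x) ((struct sock_filter)x)  /* BPF_STMT/BPF_JUMP expand to brace lists */

/* Build a seccomp-BPF allowlist: check the ABI, then compare nr against each
 * entry; allow on match, kill otherwise. Returns instruction count, 0 if it does not fit. */
size_t build_allowlist(const int *allowed, size_t n, struct sock_filter *prog)
{
    size_t i, k = 0;
    if (4 + 2 * n + 1 > MAX_INSNS) return 0;
    /* Refuse syscalls made through a foreign ABI (e.g. the x32 or i386 tables). */
    prog[k++] = INSN(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    prog[k++] = INSN(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0));
    prog[k++] = INSN(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL));
    prog[k++] = INSN(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    for (i = 0; i < n; i++) {
        /* Equal: fall through to ALLOW; not equal: skip it and test the next entry. */
        prog[k++] = INSN(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[i], 0, 1));
        prog[k++] = INSN(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    }
    prog[k++] = INSN(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL));  /* default deny */
    return k;
}

/* Install the filter. no_new_privs lets an unprivileged process load it and
 * keeps setuid children from escaping the policy. Returns 0 on success. */
int install_filter(struct sock_filter *prog, size_t len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    /* Constructed sample policy: a CGI-style process that only writes and exits. */
    int policy[] = { SYS_write, SYS_exit_group, SYS_exit, SYS_rt_sigreturn };
    struct sock_filter prog[MAX_INSNS];
    size_t len = build_allowlist(policy, sizeof policy / sizeof *policy, prog);
    if (len == 0 || install_filter(prog, len) != 0) return 1;
    const char msg[] = "Content-type: text/plain\n\nhello from a sandboxed CGI\n";
    write(1, msg, sizeof msg - 1);  /* allowed by the policy */
    _exit(0);                       /* exit_group: allowed */
}
```

A `.urp`-driven variant would simply fill `policy` from the project file, adding whatever the app's C FFI functions need; any syscall outside the table terminates the process.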