denshooter/genode
1
0
Fork 0
mirror of https://github.com/mmueller41/genode.git synced 2026-01-21 12:32:56 +01:00
Code Issues Packages Projects Releases Wiki Activity

base-linux: enabled seccomp

Browse Source 
base-linux uses seccomp to reduce the available system calls
to the minimum set needed to run base-linux. There are still
some syscalls that allow accessing global state which should
be further reduced.

The combination of seccomp and socket descriptor caps should
provide an intermediate level of security for base-linux
thereby enabling base-linux as a migration path from using
the Linux kernel to the use of microkernel-based Genode.

Fixes #3581
This commit is contained in:
Stefan Thöni
2019-09-17 14:40:52 +02:00
committed by Christian Helmuth
parent 128ba65109
commit 78497c03ca
17 changed files with 404 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
tool/seccomp/Makefile Normal file
View File

@@ -0,0 +1,13 @@
.DEFAULT_GOAL := seccomp_bpf_filters
seccomp_bpf_filters: seccomp_bpf_policy_x86_32.bin seccomp_bpf_policy_x86_64.bin seccomp_bpf_policy_arm.bin
seccomp_bpf_policy_%.bin: seccomp_bpf_compiler_%.prg
./$< > $@
seccomp_bpf_compiler_%.prg: seccomp_bpf_compiler_%.cc
@g++ $< -o $@ -lseccomp
clean:
@rm seccomp_bpf_policy_*.bin 2> /dev/null; true
@rm seccomp_bpf_compiler_*.prg 2> /dev/null; true