Re: Tracker as a security risks



On Fri, Dec 09, 2016 at 01:35:39AM +0100, Michael Biebl wrote:
2016-12-06 0:03 GMT+01:00 Michael Catanzaro <mcatanzaro gnome org>:
On Mon, 2016-12-05 at 21:31 +0100, Carlos Garnacho wrote:
Thanks for the tip :), worth a look indeed, although I'm looking into
using seccomp directly.

Strongly consider using libseccomp for this!

Has it been considered to use the systemd sandboxing features? tracker
already ships systemd --user service files, so you'd basically get
that for free.

  Correct me if I'm wrong, but aren't systemd sandboxing features only
available to system instance?  User systemd sessions lack priviledges
to set up separate namespaces etc.

  Also, in additional to libseccomp, there's https://github.com/projectatomic/bubblewrap
for sandboxing. It is suid binary, though.

-- 
Tomasz Torcz            There exists no separation between gods and men:
xmpp: zdzichubg chrome pl   one blends softly casual into the other.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]