Hacker News

> But that would require modifying the application

Technically it can be done using LD_PRELOAD on fopen() and such.



Can it?

If my application invokes syscalls directly, that wouldn't hit anything interposed using LD_PRELOAD.


Firejail[1] is IMO a good alternative. It handles sandboxing using Linux namespaces and seccomp-bpf.

[1] https://firejail.wordpress.com/


It will certainly work for the vast majority that are using #include <stdio.h> and more importantly for the various GUI apps that are using GTK/Qt dialogs.


This is for security, though - you can't just assume it's good enough because it will work for most benign applications - you need to be sure it will work for all applications - benign or malicious!

There are other solutions such as seccomp (as siblings of your post have pointed out) that solve this securely, but LD_PRELOAD won't.


The safest way to do it would be to implement it with seccomp so you unconditionally block those syscalls.
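Added example, not part of the thread or any commenter's code: a minimal seccomp-bpf filter in C showing the point made in the comments above, that a filter installed in the kernel also stops a file open issued as a raw syscall, which an LD_PRELOAD wrapper around fopen() never sees. The function names, the choice of `/dev/null` as the test path, and restricting the filter to `openat` only are assumptions made for this sketch.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Install a filter on the calling process: openat(2) fails with EPERM,
 * everything else is allowed. Narrowed for illustration: a real policy also
 * checks seccomp_data.arch and covers open, openat2, creat and friends. */
static int deny_openat(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_openat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Runs the check in a forked child so the filter never affects the caller.
 * Returns 1 if the raw openat was denied, 0 if it succeeded, -1 on setup error. */
int raw_openat_blocked(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (deny_openat() != 0) _exit(2);
        /* Direct syscall: no fopen()/open() symbol is involved here. */
        long fd = syscall(SYS_openat, AT_FDCWD, "/dev/null", O_RDONLY);
        _exit((fd == -1 && errno == EPERM) ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code == 0 ? 1 : (code == 1 ? 0 : -1);
}

int main(void) {
    printf("raw openat blocked by seccomp: %d\n", raw_openat_blocked());
    return 0;
}
```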



