On Tue, Aug 19, 2014 at 10:12:31AM -0500, Chris Adams wrote:
> Once upon a time, Tomas Hozza <thozza@xxxxxxxxxx> said:
> > That's where seccomp kicks in, it acts as a 2nd wall of defence. In case
> > of a security hole being present in the server process, it goes further
> > than a chroot, it prevents the attacker from making socket connections
> > or executing his code, as his "playing field" is significantly reduced.
> > There's very little he can do.”
>
> How is that different from an SELinux policy? How is the additional
> restriction handled (if it isn't SELinux, what mechanism is used to do
> the restriction)?

The mechanism is called "seccomp" – http://en.wikipedia.org/wiki/Seccomp

--
Tomasz Torcz                "Funeral in the morning, IDE hacking
xmpp: zdzichubg@xxxxxxxxx    in the afternoon and evening." - Alan Cox