On Mon, 2015-10-05 at 17:27 +0200, Miroslav Lichvar wrote: > Another possibility is to add a new level to the chrony seccomp > support that would use a blacklisting approach, disabling syscalls or > their arguments that historically are most dangerous and we can be > sure won't be ever needed. I hope that's not an empty set. Sandstorm and systemd-nspawn have lists like that, if you want to investigate them... of course, the security benefits are much less, but it's better than no seccomp and you don't have to worry much about compatibility issues. No reason for chrony to be using kexec, for example. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
