On Sat, Jul 06, 2024 at 01:22:06AM +0300, Jarkko Sakkinen wrote: > On Sat Jul 6, 2024 at 12:44 AM EEST, Kees Cook wrote: > > > As explained in the UAPI comments, all parent processes need to be > > > trusted. This meeans that their code is trusted, their seccomp filters > > > are trusted, and that they are patched, if needed, to check file > > > executability. > > > > But we have launchers that apply arbitrary seccomp policy, e.g. minijail > > on Chrome OS, or even systemd on regular distros. In theory, this should > > be handled via other ACLs. > > Or a regular web browser? AFAIK seccomp filtering was the tool to make > secure browser tabs in the first place. Yes, and that't OK. Web browsers embedded their own seccomp filters and they are then as trusted as the browser code.
