Commit
Switch seccomp filter to whitelist (#37)
Previously the seccomp filter would use a whitelist, denying access only to system calls known to perform network operations. This has the big disadvantage that every new system call would be allowed by default. To prevent accidentally opening up the sandbox due to not tracking the kernel appropriately, the filter has been switched to a whitelist instead. This means only system calls which are explicitly present in the list are allowed.

When the network sandbox is disabled, all system calls are allowed regardless of our whitelist. This means that even new unknown system calls will be allowed without having to update Birdcage to track them.

Closes #33.
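The behaviour the commit message describes, as an added example that is not Birdcage's own code: a seccomp-BPF program is assembled from an explicit allowlist of syscall numbers, with an architecture check in front and a default-deny at the end, so any syscall not on the list (including ones added to the kernel later) is refused. The `sandbox_decision` wrapper models the "sandbox disabled" path, which skips the filter entirely. The filter is evaluated here by a tiny in-process interpreter for the three BPF opcodes the program uses, so it can be checked without installing it; `install_filter` shows the real `prctl` installation on Linux. Everything is assumed for illustration: the names `build_allowlist_filter`, `eval_filter`, `sandbox_decision`, `install_filter`, the choice of `SECCOMP_RET_ERRNO(EPERM)` as the deny action (a sandbox might equally use a kill action), and the constructed allowlist of x86_64 syscall numbers (`read`=0, `write`=1, `close`=3, `exit_group`=231); the ABI constants mirror the kernel UAPI headers.

```c
/* Added example (not Birdcage's code): default-deny seccomp allowlist.
 * Constants mirror linux/filter.h, linux/seccomp.h and linux/audit.h
 * so the program can be built and evaluated on any platform. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#ifdef __linux__
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#endif

struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; }; /* same layout as sock_filter */

#define OP_LD_ABS 0x20u /* BPF_LD | BPF_W | BPF_ABS: load a word of seccomp_data */
#define OP_JEQ_K  0x15u /* BPF_JMP | BPF_JEQ | BPF_K: jump if acc == k        */
#define OP_RET_K  0x06u /* BPF_RET | BPF_K: return action k                   */
#define SECCOMP_DATA_NR   0u /* offsetof(struct seccomp_data, nr)   */
#define SECCOMP_DATA_ARCH 4u /* offsetof(struct seccomp_data, arch) */
#define RET_ALLOW        0x7fff0000u
#define RET_ERRNO_EPERM  (0x00050000u | (uint32_t)EPERM) /* deny: syscall fails with EPERM */
#define RET_KILL_PROCESS 0x80000000u
#define ARCH_X86_64  0xC000003Eu
#define ARCH_AARCH64 0xC00000B7u
#define MAX_ALLOWED 64
#define FILTER_MAX (MAX_ALLOWED + 6)

/* Constructed sample allowlist (x86_64 numbers); socket=41 is deliberately absent. */
static const int SAMPLE_ALLOWED[] = { 0 /*read*/, 1 /*write*/, 3 /*close*/, 231 /*exit_group*/ };
#define SAMPLE_ALLOWED_LEN (sizeof SAMPLE_ALLOWED / sizeof SAMPLE_ALLOWED[0])

/* Emit: arch check -> one JEQ per allowed nr -> RET deny -> RET allow.
 * Each JEQ jumps straight to the final RET_ALLOW; fall-through reaches deny,
 * so an unlisted (or newly introduced) syscall is refused by construction.
 * Returns the instruction count, or 0 if the list or buffer is too small. */
size_t build_allowlist_filter(const int *allowed, size_t n, uint32_t arch,
                              struct bpf_insn *out, size_t cap)
{
    if (n > MAX_ALLOWED || cap < n + 6) return 0;
    size_t p = 0;
    out[p++] = (struct bpf_insn){ .code = OP_LD_ABS, .k = SECCOMP_DATA_ARCH };
    out[p++] = (struct bpf_insn){ .code = OP_JEQ_K, .jt = 1, .jf = 0, .k = arch };
    out[p++] = (struct bpf_insn){ .code = OP_RET_K, .k = RET_KILL_PROCESS }; /* foreign ABI: kill */
    out[p++] = (struct bpf_insn){ .code = OP_LD_ABS, .k = SECCOMP_DATA_NR };
    for (size_t i = 0; i < n; i++) /* jt is relative to the next instruction */
        out[p++] = (struct bpf_insn){ .code = OP_JEQ_K, .jt = (uint8_t)(n - i), .jf = 0,
                                      .k = (uint32_t)allowed[i] };
    out[p++] = (struct bpf_insn){ .code = OP_RET_K, .k = RET_ERRNO_EPERM };
    out[p++] = (struct bpf_insn){ .code = OP_RET_K, .k = RET_ALLOW };
    return p;
}

/* Interpret the program for one (arch, nr) pair exactly as the kernel would
 * for the opcode subset used above; malformed programs map to kill. */
uint32_t eval_filter(const struct bpf_insn *prog, size_t len, uint32_t arch, int nr)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct bpf_insn *in = &prog[pc];
        switch (in->code) {
        case OP_LD_ABS:
            if (in->k == SECCOMP_DATA_NR) acc = (uint32_t)nr;
            else if (in->k == SECCOMP_DATA_ARCH) acc = arch;
            else return RET_KILL_PROCESS;
            break;
        case OP_JEQ_K: pc += (acc == in->k) ? in->jt : in->jf; break;
        case OP_RET_K: return in->k;
        default: return RET_KILL_PROCESS;
        }
    }
    return RET_KILL_PROCESS; /* fell off the end; the kernel rejects such programs */
}

/* With the network sandbox disabled the filter is never consulted, so even
 * unknown syscalls pass; with it enabled, only the allowlist decides. */
uint32_t sandbox_decision(bool network_sandbox, const struct bpf_insn *prog,
                          size_t len, uint32_t arch, int nr)
{
    return network_sandbox ? eval_filter(prog, len, arch, nr) : RET_ALLOW;
}

#ifdef __linux__
/* Real installation: no_new_privs first, then the filter (irreversible). */
int install_filter(struct bpf_insn *prog, size_t len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = (struct sock_filter *)prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog, 0, 0);
}
#endif

int main(void)
{
    struct bpf_insn prog[FILTER_MAX];
    size_t n = build_allowlist_filter(SAMPLE_ALLOWED, SAMPLE_ALLOWED_LEN, ARCH_X86_64, prog, FILTER_MAX);
    int probes[] = { 1, 41, 999 }; /* write, socket, a hypothetical future syscall */
    for (size_t i = 0; i < 3; i++)
        printf("nr %3d: sandboxed=%#x unsandboxed=%#x\n", probes[i],
               sandbox_decision(true, prog, n, ARCH_X86_64, probes[i]),
               sandbox_decision(false, prog, n, ARCH_X86_64, probes[i]));
    return 0;
}
```

The two properties worth checking are that an unlisted number such as a future syscall falls through to the deny return rather than being allowed, and that a mismatched `arch` is killed before the number is even consulted (otherwise a 32-bit compat caller could reach different syscalls under the same numbers).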