Just a short post to bring attention to seccomp mode 2 filters. There is not enough hype about this, probably because it’s not in the vanilla kernel yet (that I know of).
Seccomp filters let a program whitelist the system calls it is allowed to make to the kernel. Whitelisting syscalls reduces the kernel attack surface, which helps prevent privilege escalation exploits. Seccomp is already built into Chrome/Chromium to reinforce the Chrome Linux sandbox, OpenSSL 6.0 supports it, and so does vsftpd. I’d really like to see it in cupsd and various other services (actually, I’d like to see a lot of software compiled with it).
The central idea of seccomp filters is to limit interaction with the Linux kernel. If you can’t reach code, you’re going to have a hell of a hard time exploiting it – limiting interaction limits attack surface. Support for verifying syscall parameters is still in the works, but the sandbox is already very powerful. Any system using the Linux 3.5 kernel has support for seccomp filters.
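To make the whitelisting idea concrete, here is an added example (my own code, not from the original post or any of the projects it names) of a mode 2 filter in C. It builds a classic BPF program that checks the architecture, compares the syscall number against an allowlist, and returns `SECCOMP_RET_KILL` for anything else; `demo_denied_syscall()` forks a child, installs a three-call allowlist in it, and shows the kernel killing the child with `SIGSYS` when it calls `getppid`. The filter only looks at the syscall number, matching the post’s note that parameter checking is still in the works. The architecture macro selection, the `MAX_INSNS` limit and the allowlist contents are assumptions of this example, and the kernel must be built with seccomp filter support.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed: the token the kernel reports in seccomp_data.arch for the build target.
 * Syscall numbers differ per architecture, so a filter must refuse any other arch. */
#if defined(__x86_64__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "this example only covers x86-64 and aarch64"
#endif

#define MAX_INSNS 64   /* assumed upper bound for this example's programs */

/* Build an allowlist program into `insns`. Layout:
 *   [0] load arch   [1] jeq arch ? +1 : +0   [2] KILL
 *   [3] load nr     [4..4+n) jeq nr ? ALLOW : next
 *   [4+n] KILL      [5+n] ALLOW
 * Returns the instruction count, or -1 if the list does not fit. */
int build_allowlist(struct sock_filter *insns, const int *allowed, int n_allowed)
{
    int i = 0, k;
    if (n_allowed < 1 || n_allowed > MAX_INSNS - 6)
        return -1;
    insns[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, arch));
    insns[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_AUDIT_ARCH, 1, 0);
    insns[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    insns[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, nr));
    for (k = 0; k < n_allowed; k++) {
        /* On match, skip the remaining compares and the KILL to land on ALLOW. */
        int remaining = n_allowed - k - 1;
        insns[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                  (unsigned)allowed[k], remaining + 1, 0);
    }
    insns[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    insns[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Install the allowlist on the calling task. NO_NEW_PRIVS is required so an
 * unprivileged task cannot use the filter to confuse a setuid binary. */
int install_allowlist(const int *allowed, int n_allowed)
{
    struct sock_filter insns[MAX_INSNS];
    struct sock_fprog prog;
    int n = build_allowlist(insns, allowed, n_allowed);
    if (n < 0)
        return -1;
    prog.len = (unsigned short)n;
    prog.filter = insns;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Sanity check on program shape for a fixed three-call list: every compare must
 * jump exactly to the final ALLOW and the tail must be KILL then ALLOW.
 * Returns the instruction count (9) on success, -1 otherwise. */
int self_check_program(void)
{
    static const int allowed[] = { SYS_read, SYS_write, SYS_exit_group };
    struct sock_filter insns[MAX_INSNS];
    int n = build_allowlist(insns, allowed, 3), k;
    if (n != 9)
        return -1;
    for (k = 0; k < 3; k++)
        if (4 + k + 1 + insns[4 + k].jt != n - 1)
            return -1;
    if (insns[n - 2].k != SECCOMP_RET_KILL || insns[n - 1].k != SECCOMP_RET_ALLOW)
        return -1;
    return n;
}

/* Fork a child that installs a minimal allowlist and then calls getppid, which
 * is not on it. Returns 1 if the kernel killed the child with SIGSYS, 0 if the
 * call got through, -1 if the filter could not be installed (no seccomp filter
 * support) or the child could not be run. */
int demo_denied_syscall(void)
{
    static const int allowed[] = { SYS_write, SYS_exit, SYS_exit_group };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_allowlist(allowed, 3) != 0)
            _exit(2);
        syscall(SYS_getppid);   /* not whitelisted: filter returns KILL */
        _exit(0);               /* only reached if the filter did not bite */
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
        return 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 2)
        return -1;
    return 0;
}

int main(void)
{
    printf("program shape check: %d\n", self_check_program());
    printf("denied syscall result: %d\n", demo_denied_syscall());
    return 0;
}
```

Run it and the second line prints `1` on a kernel with seccomp filtering: the child is terminated by `SIGSYS` the moment it reaches a syscall outside the allowlist. Real services need a larger list, and it has to be built per architecture because the numbers differ; the arch check at the top of the program is what stops a filter compiled for one ABI from being bypassed under another.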