similar to: [LLVMdev] Sandboxing code

Hi. This is mostly hypothetical, just because I want to see how knowledgeable people would go about achieving it: I want to sandbox Mozilla Firefox. For the sake of example, I'm running it under my own user account. The idea is that it should be allowed to connect to the X server, it should be allowed to write to ~/.mozilla and /tmp. I expect some configurations would want access to audio

Recently I''ve found out some mentions to the "--sandbox" parameter to the "rails console" command. And I found the idea interesting, but since I''m using Sequel instead of ActiveRecord I guessed this wouldn''t work for me. But after talking about this subject in the Sequel mailing list, Jeremy Evans has brought to my attention that there are some

I was wondering if the following attack would be feasible once I'm able to break into rlimit sandbox. Because sandboxed process that handles unauthenticated session is running as the 'sshd' user I was wondering if this could be used to jump between processes using ptrace(2). For example if I find a bug in the code executed before authentication I could use ptrace(2) to attach to

On 5/24/12 5:41 AM, Duncan Sands wrote: > Hi Kostya, I'm also curious to know where Nuno is going with this, and the > details of his design. I'm worried he might be reinventing the wheel. I'm > also worried that he may be inventing a square wheel :) I believe Nuno's goal is to prevent run-time exploitation of software. Nuno, please correct me if I'm wrong. And

On Thu, May 24, 2012 at 9:23 PM, John Criswell <criswell at illinois.edu>wrote: > On 5/24/12 5:41 AM, Duncan Sands wrote: > > Hi Kostya, I'm also curious to know where Nuno is going with this, and > the > > details of his design. I'm worried he might be reinventing the wheel. > I'm > > also worried that he may be inventing a square wheel :) > >

https://bugzilla.mindrot.org/show_bug.cgi?id=2142 Bug ID: 2142 Summary: openssh sandboxing using libseccomp Product: Portable OpenSSH Version: -current Hardware: All OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at

Hi. I have a series of patches to sandbox dhclient using Capsicum (capability mode and capability rights for descriptors). As usual, because chroot and setgid/setuid are not sandboxing mechanisms, there are many problems with the current sandboxing: - Access to various global namespaces (like process list, network, etc.). - Access to RAW UDP socket. - Read/write access to bpf. - Access to RAW

Dear LLVM community I need some help please. I want to use LLVM's clang and lld within a MacOSX sandboxed app. This is because sandboxing does not allow calls to /usr/bin/clang. The clang binary works fine to compile a file, but ld64.lld comes up with the error "cannot find framework". However similar arguments using /usr/bin/ld instead of ld64.lld works fine. Here are the

Hi, The systrace and rlimit sandboxes have been committed and will be in snapshots dated 20110623 and later. This diff adds support for pre-auth privsep sandboxing using the OS X sandbox_init(3) service. It's a bit disappointing that the OS X developers chose such as namespace-polluting header and function names "sandbox.h", "sandbox_init()", etc. It already forced me to

Hi, I was trying to determine how Wine captures syscalls, and I found this thread: http://www.winehq.org/pipermail/wine-users/2002-October/009077.html The answer was that Wine *doesn't* deal with syscalls, and relies on the application never directly making a syscall, but instead calling into the standard system libraries (Win32). Is this still true today? I'm surprised that Wine can

I've used libvorbis many times in linux and windows <= 7 applications without any major problems, and wanted to know if that translates the same to the sandboxed windows 8 store app environment. I'm playing around with it right now, and was able to get the library to compile fine (static), and was able to get it to compile within my project. So far, no problems, but I was almost

Hello, [The first paragraph is safe to skip if you already know what PNaCl is.] The Portable Native Client (PNaCl) project is a toolchain for producing portable bitcode from C and C++ code and running in securely and efficiently on the web via Native Client. For more details see this presentation from the last Google I/O: https://developers.google.com/events/io/sessions/325679543and

Hi, OpenSSH 5.9 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This release contains a couple of new features and changes and bug fixes. Testing of the new sandboxed privilege separation mode (see below) would be particularly appreciated. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The

Here''s the fix for Facebook apps that specify a controller in their callback URLs. First, set this variable in your environment scripts: ENV[''FACEBOOKER_CALLBACK_PATH''] = ''/controller'' # where controller is the name of your Facebook controller And then patch vendor/plugins/facebooker/lib/facebooker/rails/facebook_url_rewriting.rb as shown in the

Hi, OpenSSH 6.0 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This release contains a couple of new features and changes and bug fixes. Testing of the new sandboxed privilege separation mode (see below) would be particularly appreciated. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The

Thank you, The apt was set to look in the wheezy instead of the jessie one. > On 22 Nov 2015, at 13:30, Richard W.M. Jones <rjones@redhat.com> wrote: > > On Sat, Nov 21, 2015 at 05:12:19AM +0200, Keresztes Péter-Zoltán wrote: >> Hello, >> >> I am trying to install libguestfs on a proxmox (debian jessie with some custom packages) and when I run make at a certain

We are enforcing #!/bin/bash at the beginning of the scripts and bash is installed in every guest. Regards, Peter 2017. márc. 14. dátummal, 16:14 időpontban Richard W.M. Jones <rjones@redhat.com> írta: >> On Tue, Mar 14, 2017 at 03:45:34PM +0200, Keresztes Péter-Zoltán wrote: >> I am running libguestfs version 1.34.2 > > As far as I know, this version should contain

Unfortunately I cannot use the latest version of libguestfs therefore I am stuck with the 1.20 since the newest versions need augeas 1.0.0 where debian wheezy has only 0.7 in it’s repository. But I will try to compile the ocaml 4.01 and see what is the result. Keresztes Péter-Zoltán zozo@z0z0.tk I haven’t lost my mind, I know exactly where I left it. On 01 Jul 2014, at 18:19, Richard W.M. Jones

Hello, I have an issue with virt-resize on the newest version of proxmox which is running on debian wheezy. when I run the virt-resize on a windows 2008 qemu image I got an error. Here is the last part of the debug message: Copying /dev/sda1 ... libguestfs: trace: copy_device_to_device "/dev/sda1" "/dev/sdb1" "size:32210026496" 100%

James, many thanks. Is there any linker available for Macs that has a freely available binary version? I thought maybe that GNU’s linker might fit the bill? I cannot use Apple’s linker from /usr/bin/ as it is not allowed to make external calls from a sandboxed app. Hence my interest in the LLVM lld. > On 7 May 2020, at 19:21, James Y Knight <jyknight at google.com> wrote: > > On