feat(security): integrate libseccomp #81
Labels
C-security
Issues or tasks related to security vulnerabilities, improvements, or audits.
Comments
|
Hey, I do not have a lot of context on libseccomp. Is this something you enable on the VMs or in the Rust program? |
ferranbt
added
the
C-security
|
Hey, it's something we use along with rust app to limit syscall to kernel from the app itself. |
|
How is it configured/enabled in this specific repo? |
|
You can check an example imlpementation here in cloudflare's foundation: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I suggest integrating libseccomp to further enhance the security of the builder app.
libseccomp is a BPF application in Linux that filters the kind of syscalls the application can make. For example: if the attacker somehow can run arbitrary code ( we ignore how they can do it ) through a bug within the application, they can make malicious syscalls like fork, execve. Think of it like a lightweight sandbox around the current application.
TDX provides an overall secure VM blackbox, but it doesn't prevent bad code being exploited within the application. There will be a small performance hit since BPF is very lightweight, need to measure how much it is to work with TDX.
The text was updated successfully, but these errors were encountered: