
You're both half right. The trick is to use LD_PRELOAD to inject a SECCOMP filter. Then you can block execve(). See https://justine.lol/pledge/ and https://github.com/jart/cosmopolitan/blob/master/tool/build/...
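A minimal sketch of the approach this comment describes, added here as an example and not taken from the comment or from the linked pledge/cosmopolitan code: a shared object whose constructor installs a seccomp-bpf filter that makes `execve()` and `execveat()` fail with `EPERM`. The names `noexec_install`, `noexec_status` and `NOEXEC_ARCH` are hypothetical, and only x86-64 and AArch64 Linux are assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#if defined(__x86_64__)
#define NOEXEC_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NOEXEC_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

int noexec_status = -1; /* 0 = filter active, -1 = installation failed */

/* Hypothetical helper: deny execve/execveat for this process and its children. */
int noexec_install(void)
{
    struct sock_filter prog[] = {
        /* Foreign-ABI syscalls are killed so syscall numbers cannot be aliased. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NOEXEC_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* x32 calls share the x86-64 arch value but set bit 30 in nr: deny them. */
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };

    /* Unprivileged processes must set no_new_privs before loading a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) == 0 ? 0 : -1;
}

/* Runs when the dynamic loader maps the object, before the program's main(). */
__attribute__((constructor)) static void noexec_init(void)
{
    static const char msg[] = "noexec: seccomp filter not installed\n";
    noexec_status = noexec_install();
    if (noexec_status != 0) /* a real shim should fail closed here instead */
        (void)write(STDERR_FILENO, msg, sizeof msg - 1);
}
```

Built with `cc -shared -fPIC -o noexec.so noexec.c` (file name assumed) and loaded as `LD_PRELOAD=./noexec.so program`, the filter is inherited across `fork()` and cannot be removed by the process. Statically linked binaries and programs run in secure-execution mode (setuid, for example) do not honour `LD_PRELOAD`, so the filter is never installed for them.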


This, or custom LSM modules so they’re harder to turn off.



