[pypy-issue] [issue1003] Sandbox code uses no-longer-working seccom

Da_Blitz tracker at bugs.pypy.org
Thu Jan 19 12:32:02 CET 2012

Da_Blitz <pypy at pocketnix.org> added the comment:

There are upcoming changes to seccomp that may make it work with pypy. currently
a seccomp enabled version of pypy will not work due to calls to mmap and sbrk
failing (as these are not on the list of allowed syscalls) however with the new
extensions it will be possible to dynamically filter allowed syscalls with a
'syscall firewall' (links below)

i had plans to work on this once the feature hit the mainline kernel but don't
mind working with someone if they are interested, should be as simple as moving
to the prctl interface, writing a new policy and loading it via prctl and then
some testing to ensure we got all the syscalls in the policy

http://lwn.net/SubscriberLink/475678/655d35a19825fd7d/ (subscriber link as
content is not 'public' until next week)

nosy: +dablitz

PyPy bug tracker <tracker at bugs.pypy.org>

More information about the pypy-issue mailing list