by jmillikin 438 days ago

  > use SECCOMP_SET_MODE_STRICT to isolate the child process. But at that
  > point, what are you even doing? Probably nothing useful.
The classic example of a fully-seccomp'd subprocess is decoding / decompression. If you want to execute ffmpeg on untrusted user input then seccomp is a sandbox that allows full-power SIMD, and the code has no reason to perform syscalls other than read/write to its input/output stream.

On the client side there's font shaping, PDF rendering, image decoding -- historically rich hunting grounds for browser CVEs.


  > The classic example of a fully-seccomp'd subprocess is decoding / decompression.

Yes. I've run JPEG 2000 decoders in a subprocess for that reason.

Well, it seems that lately this kind of task wants to write/mmap to a GPU, and poke at font files and interpret them.
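As an added illustration of the pattern jmillikin describes (code written for this note, not from the thread or from any project): a parent forks a decoder child, the child enters SECCOMP_MODE_STRICT via prctl(2) (the prctl form of SECCOMP_SET_MODE_STRICT), and from then on it can only read, write and exit, so the mmap/GPU work the last reply mentions would simply get it killed. It assumes Linux with seccomp, no pre-existing seccomp filter in the calling process (strict mode cannot be layered on a filter, which is why the function reports SANDBOX_UNAVAILABLE under many container runtimes), and a toy run-length codec standing in for a real decoder.

```c
#define _GNU_SOURCE
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define SANDBOX_UNAVAILABLE 2  /* child exit status when the kernel refuses strict mode */
/* Toy run-length decoder standing in for the codec: (count, byte) pairs in, bounded output. */
size_t rle_decode(const unsigned char *in, size_t inlen, unsigned char *out, size_t outcap) {
    size_t n = 0;
    for (size_t i = 0; i + 1 < inlen; i += 2)
        for (unsigned c = in[i]; c > 0 && n < outcap; c--)
            out[n++] = in[i + 1];
    return n;
}

/* Decode untrusted bytes in a forked child confined by SECCOMP_MODE_STRICT. The child
   inherits the input via fork() and hands the output back through a pipe, so after the
   lockdown it needs nothing but write() and exit(). Returns 0, SANDBOX_UNAVAILABLE or -1. */
int decode_sandboxed(const unsigned char *in, size_t inlen,
                     unsigned char *out, size_t outcap, size_t *outlen) {
    int fds[2], status;
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                          /* ---- child: the confined decoder ---- */
        unsigned char buf[4096];             /* stack only: malloc's brk/mmap would be SIGKILLed */
        close(fds[0]);
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0)
            syscall(SYS_exit, SANDBOX_UNAVAILABLE); /* fail closed: never decode unconfined */
        /* From here on only read, write, exit and sigreturn are allowed; anything else kills us. */
        size_t n = rle_decode(in, inlen, buf, sizeof buf), off = 0;
        while (off < n) {
            ssize_t w = write(fds[1], buf + off, n - off);
            if (w <= 0) syscall(SYS_exit, 1);
            off += (size_t)w;
        }
        syscall(SYS_exit, 0);                /* raw exit(2): glibc's _exit() would use exit_group */
    }
    close(fds[1]);                           /* ---- parent: collect output, then reap the child ---- */
    size_t total = 0; ssize_t r;
    while (total < outcap && (r = read(fds[0], out + total, outcap - total)) > 0)
        total += (size_t)r;
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1; /* signal death = sandbox tripped */
    if (WEXITSTATUS(status) != 0) return WEXITSTATUS(status) == SANDBOX_UNAVAILABLE ? SANDBOX_UNAVAILABLE : -1;
    *outlen = total;
    return 0;
}
```

A real codec dropped into the child has to keep the same discipline: no allocation, no stdio, no file opens after the prctl call, and a crash on bad input is contained to the child rather than the caller.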