Kaxo 9 hours ago

The seccomp-BPF rules seem almost unusably strict. What is this even designed to be used to run?

gwerbin 8 hours ago | parent | next [-]

It says on their Github profile that they are building some kind of nowhere detection product. Maybe in that context, a very strict syscall allowlist is useful or good?

> It is designed for CI pipelines, CTF jail challenges, and lightweight code evaluation

Looking at the list, it seems pretty good for that. What does a CI runner that just needs to run GCC or whatever really need?

Edit: no open does seem restrictive. Not that it's bad security (not my area of expertise), but how many useful programs use open that are just off limits here?
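Since this comment asks what a strict allowlist for a CI job looks like and what leaving open out of it means in practice, here is a small added example. It is not the project's filter: the syscall list is my own assumption about a job that reads files, writes output and exits, and the BPF interpreter is only there so the decision logic can be checked without loading the filter. The point it shows is that on x86-64 glibc implements open(3) with the openat(2) syscall, so a filter with no open entry refuses only the raw open(2) syscall; with musl or a different libc that may not hold.

```c
/* Added example, not the project's own filter. The allowlist below is an
 * assumption about a small compile-and-run job, not taken from the page. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS            /* pre-4.14 headers */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

#define STMT(code, k)         ((struct sock_filter)BPF_STMT(code, k))
#define JUMP(code, k, jt, jf) ((struct sock_filter)BPF_JUMP(code, k, jt, jf))
#define MAX_INSNS 64

/* Assumed allowlist: read/write files, manage memory, exit. No __NR_open. */
static const int allowlist[] = {
    __NR_read, __NR_write, __NR_openat, __NR_close, __NR_fstat,
    __NR_mmap, __NR_munmap, __NR_mprotect, __NR_brk,
    __NR_rt_sigreturn, __NR_exit, __NR_exit_group,
};
#define ALLOWLIST_LEN (sizeof allowlist / sizeof allowlist[0])

/* Build a cBPF program: wrong arch -> kill; listed syscall -> allow; anything
 * else -> EPERM (a CTF jail would return KILL_PROCESS there instead).
 * Returns the instruction count, or -1 if prog is too small. */
static int build_allowlist_filter(struct sock_filter *prog, size_t cap,
                                  const int *allow, size_t n)
{
    size_t i = 0;
    if (n > 200 || cap < n + 6) return -1;
    /* Arch check first: otherwise a 32-bit (i386) syscall on an x86-64 kernel
     * is matched against the wrong syscall table. */
    prog[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    prog[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    /* Compare k sits at index 4+k, the ALLOW return at 4+n+1: jt = n-k. */
    for (size_t k = 0; k < n; k++)
        prog[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allow[k],
                         (unsigned char)(n - k), 0);
    prog[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    prog[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return (int)i;
}

/* Interpreter for the three cBPF opcodes the filter uses (demo aid only). */
static unsigned int eval_filter(const struct sock_filter *prog, int len,
                                unsigned int arch, unsigned int nr)
{
    unsigned int acc = 0;
    for (int pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS))
            acc = (in->k == offsetof(struct seccomp_data, arch)) ? arch : nr;
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == in->k) ? in->jt : in->jf;
        else if (in->code == (BPF_RET | BPF_K))
            return in->k;
        else
            break;                       /* opcode we never emit */
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* What the filter decides for (arch, syscall number). */
unsigned int decide(unsigned int arch, unsigned int nr)
{
    struct sock_filter prog[MAX_INSNS];
    int len = build_allowlist_filter(prog, MAX_INSNS, allowlist, ALLOWLIST_LEN);
    return len < 0 ? SECCOMP_RET_KILL_PROCESS : eval_filter(prog, len, arch, nr);
}

static int install_filter(void)
{
    struct sock_filter prog[MAX_INSNS];
    int len = build_allowlist_filter(prog, MAX_INSNS, allowlist, ALLOWLIST_LEN);
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (len < 0) return -1;
    /* Needed for an unprivileged process to load a filter; also stops a
     * setuid child from running filtered but with elevated privileges. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    if (install_filter() != 0) { perror("seccomp"); return 1; }
    /* glibc on x86-64 uses openat(2) for open(3), so this still succeeds. */
    int fd = open("/dev/null", O_RDONLY);
    printf("open(3) via libc:    %s\n", fd >= 0 ? "ok" : "refused");
    if (fd >= 0) close(fd);
#ifdef __NR_open
    long r = syscall(__NR_open, "/dev/null", O_RDONLY);   /* raw open(2) */
    printf("raw open(2) syscall: %s\n", r < 0 && errno == EPERM ? "EPERM" : "ok");
#endif
    long s = syscall(__NR_socket, 2 /* AF_INET */, 1 /* SOCK_STREAM */, 0);
    printf("socket(2):           %s\n", s < 0 && errno == EPERM ? "EPERM" : "ok");
    return 0;
}
```

The filter returns EPERM rather than killing so the demo can print its results; stdio may probe other syscalls (ioctl, newer stat variants) and just falls back when they fail. For a jail or CI runner you would return SECCOMP_RET_KILL_PROCESS and let the supervisor log the offending syscall number instead.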

iririririr 8 hours ago | parent | prev [-]

Allowing individual syscalls is the sandbox standard today on BSDs and opt-in on Linux. The project has some issues, but being too restrictive is not one of them.