[Dnsmasq-discuss] [PATCH] implemented sandbox

Denis Solonkov solonkovda at google.com
Tue Sep 5 11:32:37 BST 2017


Hi Simon,

As part of my Google summer internship project, I have implemented a sandbox
for dnsmasq, based on Linux seccomp-bpf and a mount namespace, with tests and
documentation.

Such a sandbox provides defense in depth to dnsmasq, by restricting what
files it can access and which syscalls it can make, in case remote code
execution vulnerabilities are discovered in dnsmasq.

Would you be interested in reviewing my patches and maybe integrating them in
dnsmasq?

Please find attached my patch against master head, but let me know if there
is another way for us to review and discuss the change.

Kind regards,

Denis Solonkov
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dnsmasq_sandbox.patch.tar.gz
Type: application/gzip
Size: 14583 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20170905/91f1baff/attachment-0001.bin>

