作者: Aleksey Kurchuk , Angelos D. Keromytis
关键词:
摘要: The systrace system-call interposition mechanism has become a popular method for containing untrusted code through program-specific policies enforced by user-level daemons. We describe our extensions to that allow sand-boxed processes further limit their children issuing dynamically constructed policies. discuss the daemon and OpenBSD kernel, as well simple API constructing present two separate implementations of scheme, compare perfor mance with base system. show how can be used such asftpd, sendmail, sshd.