kafel
A language and library for specifying syscall filtering policies.
Fixes #19
man seccomp: > The arch field is not unique for all calling conventions. The x86-64 ABI and the x32 ABI both use AUDIT_ARCH_X86_64 as arch, and they run on the...
libkafel.so 5x smaller (x86_64, stripped): down to 88KiB from 440KiB. Closes #20
Currently `libkafel.so` takes 440KiB (`x86_64`, release, stripped) which seems superfluous. On top of that, it has 7122 relocations and relocation definitions themselves take 167KiB. This has runtime cost as well....
bison(1) and flex(1) pose a problem for make(1) because they generate many output files. These files when properly added to dependency tree may make make(1) run rules to generate them...
Currently I find myself needing to define a base policy for any executables I run: ``` // // Kafel policy to allow nsjail a few syscalls to launch the executable....
Thank you for providing several examples in the samples folder. I want to check whether there is any possibility for me to find more sophisticated benchmarks with more complex policies...