lua-users home
lua-l archive


Hi all,

"seccomp is a simple sandboxing mechanism for the Linux kernel.
It allows a process to make a one-way transition into a "secure" state
where it cannot make any system calls except exit(), read() and write()
to already-open file descriptors. Should it attempt any other system
calls, the kernel will terminate the process" (from Wikipedia)

I'm trying to find out whether this is a feasible mechanism to use with Lua
applications.

Suppose therefore a process is running a Lua app, initializing itself
and setting up pipes as needed before setting the seccomp bit.

Now a programmer can easily deduce which system calls will be issued by
e.g. io.write/read/popen, or os.execute, and others. The same for using
libraries like e.g. luasocket.

Also, a custom memory allocator could be used to avoid memory allocation
system calls like brk().

But my question to the list and Lua implementors is this:
- what non-obvious, non-user-controlled system calls - if any - will be
triggered by pure Lua programs using only the standard libraries?
- if so, which language construct(s) would invoke these?

Thanks a lot in advance, Markus
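
The setup described in the message (open the pipe first, then make the one-way transition, then only read/write/exit), as an added example that is not part of the original post. It assumes Linux with glibc; Lua is not linked here, a child process stands in for the Lua app, and `arena_alloc` and `run_sandboxed` are hypothetical names, the former only matching the `lua_Alloc` signature.

```c
#define _GNU_SOURCE
#include <linux/seccomp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Bump allocator with the lua_Alloc signature over a static arena, so no
   brk()/mmap() is needed after the seccomp transition. Never reclaims. */
static _Alignas(16) char arena[1 << 16];
static size_t used;
static void *arena_alloc(void *ud, void *ptr, size_t osize, size_t nsize) {
    if (nsize == 0) return NULL;                    /* free request */
    if (ptr && nsize <= osize) return ptr;          /* shrink in place */
    size_t need = (nsize + 15) & ~(size_t)15;
    if (need > sizeof arena - used) return NULL;    /* arena exhausted */
    void *p = arena + used; used += need;
    if (ptr) memcpy(p, ptr, osize);                 /* grow: copy old block */
    return p;
}

/* Returns 0 on clean exit, the signal number if the child was killed, and
   -1 if setup failed (e.g. strict mode refused by the environment). */
int run_sandboxed(int misbehave, char *out, size_t outlen) {
    int fd[2], st; pid_t pid;
    if (pipe(fd) != 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {                                 /* child: pipe is already open */
        close(fd[0]);
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0) _exit(99);
        char *msg = arena_alloc(NULL, NULL, 0, 6);
        memcpy(msg, "hello", 6);
        if (write(fd[1], msg, 5) != 5) syscall(SYS_exit, 1);
        if (misbehave) syscall(SYS_getpid);         /* not permitted: SIGKILL */
        syscall(SYS_exit, 0);   /* glibc _exit() calls exit_group(), not permitted */
    }
    close(fd[1]);
    ssize_t n = read(fd[0], out, outlen - 1);
    out[n > 0 ? n : 0] = '\0';
    close(fd[0]);
    if (waitpid(pid, &st, 0) < 0) return -1;
    if (WIFSIGNALED(st)) return WTERMSIG(st);
    return WEXITSTATUS(st) == 0 ? 0 : -1;
}
int main(void) {
    char buf[16];
    printf("%d %d\n", run_sandboxed(0, buf, sizeof buf), run_sandboxed(1, buf, sizeof buf));
}
```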