vuinputd/docs/SECURITY.md
2025-12-10 22:46:17 +00:00

571 B

Security

Small code base

Fuzzing

Audit

Unsafe code

Known problem: A lot of unsafe code. Open are ideas to mitigate this issue.

seccomp, AppArmor, SELinux, cgroups mounts, /sys read-write

This is a big TODO. Which permissions can be reduced. Now we assume we are quite privileagued:

  • We have all Linux kernel capabilities,
  • The default seccomp profile is disabled,
  • The default AppArmor profile is disabled,
  • The default SELinux process label is disabled,
  • all host devices are accessible,
  • /sys is read-write,
  • cgroups mount is read-write.