The most significant change is an initial implementation of a secondary sandbox based on seccomp filter, as recently merged to Ubuntu 12.04. This secondary sandbox is pretty powerful, but I'll go into more details in a subsequent post.
For now, suffice to say I'm interested in testing of this new build, e.g.
- Does it compile for you? (I've added various new gcc flags, etc.)
- Any runtime regressions?
- Does it run ok on 64-bit Ubuntu 12.04-beta2 or newer?
This last question is key as that is the configuration that will automatically use a seccomp filter. The astute among you will note that beta2 is not due out until tomorrow, but an apt-get dist-upgrade from beta1 will pull in the kernel that you need.
Will Drewry's excellent work on seccomp filter is the most exciting Linux security feature in a long time, and the eventual vsftpd combined sandbox that will result should be a very tough nut to crack indeed.