With version 2.0.0 we integrated seccomp into oidc-agent to restrict the system calls that each component is allowed to perform. However, the system calls needed may vary between operating systems (and versions) and architectures. Therefore, we decided to disable this feature by default. (Expert) users with higher security standards can turn seccomp on by using the --seccomp option. (It does make sense to define aliases.) However, these users will have to maintain the white-listed system calls on their own. The configuration files are located in /etc/oidc-agent/privileges/. Because seccomp cannot restrict string parameters (e.g. paths), the added security is rather small. This is because, even though privilege separation is in place and e.g. oidc-agent does not have to read and write regular files, it still needs system calls that can be used to read and write regular files, because oidc-agent also needs to create a tmp directory, create sockets, read and write from sockets and pipes, read time and random, ...
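The limitation described above, shown with a raw seccomp-BPF filter as an added example (not oidc-agent's own code; it assumes Linux on a little-endian machine and a constructed sample file under /tmp): the filter can refuse openat() calls whose integer flags request write access, but for the path it only ever sees a pointer, so it cannot tell a regular file apart from the agent's socket or tmp directory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* seccomp-BPF filter (assumes Linux, little-endian): openat() with O_WRONLY or
 * O_RDWR in its flags argument fails with EPERM; everything else is allowed.
 * The filter sees only the syscall number and raw argument words; args[1] of
 * openat is the path *pointer*, so a rule such as "only /tmp/sock" cannot exist. */
static int install_filter(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_openat, 0, 3),        /* not openat: allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, O_WRONLY | O_RDWR, 0, 1), /* write bit set? */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Runs the check in a forked child so the caller is never filtered. Returns 0 when the
 * read-only open of a regular file succeeds (path cannot be restricted) and the write
 * open is refused with EPERM (integer flags can be restricted); nonzero otherwise. */
int run_demo(void) {
    const char *path = "/tmp/oidc_seccomp_demo.txt"; /* constructed sample file */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    close(fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_filter() != 0) _exit(2);
        int ro = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY, 0);
        if (ro < 0) _exit(3);                    /* read-only open wrongly blocked */
        close(ro);
        int wo = (int)syscall(SYS_openat, AT_FDCWD, path, O_WRONLY, 0);
        if (wo >= 0 || errno != EPERM) _exit(4); /* write open not refused */
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    unlink(path);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A whitelist built this way can therefore only say which calls (and which integer arguments) are permitted, never which files; that is the gap the text refers to.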