Commit 9e8f2ee9 authored by Colin Walters's avatar Colin Walters

seccomp: Add ptrace to blacklist

It's also been a CVE source, although longer in the past.  Having it
can make exploiting race conditions and such easier.
parent 8cee4ab7
...@@ -154,8 +154,11 @@ setup_seccomp_v0 (void) ...@@ -154,8 +154,11 @@ setup_seccomp_v0 (void)
{SCMP_SYS(pivot_root)}, {SCMP_SYS(pivot_root)},
/* Utterly terrifying profiling operations */ /* Profiling operations; we expect these to be done by tools from outside
{SCMP_SYS(perf_event_open)} * the sandbox. In particular perf has been the source of many CVEs.
}; };
/* Blacklist all but unix, inet, inet6 and netlink */ /* Blacklist all but unix, inet, inet6 and netlink */
int socket_family_blacklist[] = { int socket_family_blacklist[] = {
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment