seccomp: Add ptrace to blacklist

It's also been a CVE source, although longer in the past. Having it can make exploiting race conditions and such easier.

seccomp: Add ptrace to blacklist
It's also been a CVE source, although longer in the past. Having it can make exploiting race conditions and such easier.
9e8f2ee9 · Colin Walters · 8cee4ab7 · 9e8f2ee9
Commit 9e8f2ee9 authored Aug 29, 2015 by Colin Walters
Show whitespace changes
Inline Side-by-side

Showing with 5 additions and 2 deletions

src/setup-seccomp.c src/setup-seccomp.c +5 -2

No files found.
--- a/src/setup-seccomp.c
+++ b/src/setup-seccomp.c
@@ -154,8 +154,11 @@ setup_seccomp_v0 (void)
    {SCMP_SYS(pivot_root)},
    {SCMP_SYS(clone), &SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},

-    /* Utterly terrifying profiling operations */
-    {SCMP_SYS(perf_event_open)}
+    /* Profiling operations; we expect these to be done by tools from outside
+     * the sandbox.  In particular perf has been the source of many CVEs.
+     */
+    {SCMP_SYS(perf_event_open)},
+    {SCMP_SYS(ptrace)}
  };
  /* Blacklist all but unix, inet, inet6 and netlink */
  int socket_family_blacklist[] = {