authorColin Walters <walters@verbum.org>2015-08-29 12:39:29 -0400
committerColin Walters <walters@verbum.org>2015-08-29 12:39:29 -0400
commit9e8f2ee9cd7a0313a6ce6ced98118796cb77fe88 (patch)
tree6beb2f691695a3d85bf592820c2a8a1be51804b2
parent8cee4ab7345f126d1dec55b7ca1f28e8090a58d3 (diff)
seccomp: Add ptrace to blacklist
ptrace has also been a source of CVEs, although longer in the past than perf. Having it available inside the sandbox can make exploiting race conditions and similar bugs easier.
-rw-r--r--src/setup-seccomp.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/src/setup-seccomp.c b/src/setup-seccomp.c
index 31e75ff..fc00227 100644
--- a/src/setup-seccomp.c
+++ b/src/setup-seccomp.c
@@ -154,8 +154,11 @@ setup_seccomp_v0 (void)
{SCMP_SYS(pivot_root)},
{SCMP_SYS(clone), &SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
- /* Utterly terrifying profiling operations */
- {SCMP_SYS(perf_event_open)}
+ /* Profiling operations; we expect these to be done by tools from outside
+ * the sandbox. In particular perf has been the source of many CVEs.
+ */
+ {SCMP_SYS(perf_event_open)},
+ {SCMP_SYS(ptrace)}
};
/* Blacklist all but unix, inet, inet6 and netlink */
int socket_family_blacklist[] = {
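Review bot: The new `{SCMP_SYS(ptrace)}` entry closes one route to another process's memory and registers, but `process_vm_readv`/`process_vm_writev` offer cross-process memory access under the same ptrace-access-mode check and are not added alongside it; unless they are already listed in the part of the table outside this hunk, they belong in the same group, `{SCMP_SYS(process_vm_readv)},` and `{SCMP_SYS(process_vm_writev)},`. The rewritten comment only names perf as the CVE source even though the commit message gives the same reason for ptrace, so the justification is lost at the point a reader sees the rule; I would extend it to `/* ... perf and ptrace have both been CVE sources, and ptrace also eases exploiting races. */`. Since this is a denylist, the note should also state the trade-off that debuggers and strace cannot be run inside the sandbox, which the "tools from outside the sandbox" phrasing only implies. The `setup_seccomp_v0` function begins before this hunk, so the filter's default action and the rest of the table are not visible here.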