author | Colin Walters <walters@verbum.org> | 2015-08-29 12:39:29 -0400 |
---|---|---|
committer | Colin Walters <walters@verbum.org> | 2015-08-29 12:39:29 -0400 |
commit | 9e8f2ee9cd7a0313a6ce6ced98118796cb77fe88 (patch) | |
tree | 6beb2f691695a3d85bf592820c2a8a1be51804b2 | |
parent | 8cee4ab7345f126d1dec55b7ca1f28e8090a58d3 (diff) | |
download | linux-user-chroot-9e8f2ee9cd7a0313a6ce6ced98118796cb77fe88.tar.gz |
seccomp: Add ptrace to blacklist
It's also been a CVE source, although longer in the past. Having it
can make exploiting race conditions and such easier.
-rw-r--r-- | src/setup-seccomp.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/src/setup-seccomp.c b/src/setup-seccomp.c index 31e75ff..fc00227 100644 --- a/src/setup-seccomp.c +++ b/src/setup-seccomp.c @@ -154,8 +154,11 @@ setup_seccomp_v0 (void) {SCMP_SYS(pivot_root)}, {SCMP_SYS(clone), &SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, - /* Utterly terrifying profiling operations */ - {SCMP_SYS(perf_event_open)} + /* Profiling operations; we expect these to be done by tools from outside + * the sandbox. In particular perf has been the source of many CVEs. + */ + {SCMP_SYS(perf_event_open)}, + {SCMP_SYS(ptrace)} }; /* Blacklist all but unix, inet, inet6 and netlink */ int socket_family_blacklist[] = { |
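Review bot: the replacement comment in this hunk still only names perf as the CVE source, while the substantive change is the new `{SCMP_SYS(ptrace)}` entry; move the rationale from the commit message ("can make exploiting race conditions and such easier") into the comment so the code explains both entries, and document the user-visible effect that strace, gdb and any in-sandbox program that calls ptrace(2), including a PTRACE_TRACEME self-check, will now be rejected by the filter. The entry carries no argument comparison, so every ptrace request is blocked, which is the right default for a blacklist; if a narrower rule is ever needed, the `SCMP_A0(SCMP_CMP_MASKED_EQ, ...)` pattern already used on the clone entry shows how to key on the request argument.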