[linux-user-chroot] seccomp: Add ptrace to blacklist



commit 9e8f2ee9cd7a0313a6ce6ced98118796cb77fe88
Author: Colin Walters <walters verbum org>
Date:   Sat Aug 29 12:39:29 2015 -0400

    seccomp: Add ptrace to blacklist
    
    It has also been a CVE source, although further in the past.  Having it
    available can make exploiting race conditions and the like easier.

 src/setup-seccomp.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)
---
diff --git a/src/setup-seccomp.c b/src/setup-seccomp.c
index 31e75ff..fc00227 100644
--- a/src/setup-seccomp.c
+++ b/src/setup-seccomp.c
@@ -154,8 +154,11 @@ setup_seccomp_v0 (void)
     {SCMP_SYS(pivot_root)},
     {SCMP_SYS(clone), &SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
 
-    /* Utterly terrifying profiling operations */
-    {SCMP_SYS(perf_event_open)}
+    /* Profiling operations; we expect these to be done by tools from outside
+     * the sandbox.  In particular perf has been the source of many CVEs.
+     */
+    {SCMP_SYS(perf_event_open)},
+    {SCMP_SYS(ptrace)}
   };
   /* Blacklist all but unix, inet, inet6 and netlink */
   int socket_family_blacklist[] = {
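Review bot: The rewritten comment above the two entries describes only profiling operations, yet the new `{SCMP_SYS(ptrace)}` line sits directly beneath it, so a reader will take ptrace for a profiling syscall and will not find the reason it is blocked anywhere in the source. The rationale is only in the commit message; I would put it next to the entry, e.g. `/* ptrace: not needed inside the sandbox; historically a CVE source and an aid to exploiting races. */` on the line before `{SCMP_SYS(ptrace)}`. It would also help to say in the comment that the entry has no argument filter, unlike the `clone` entry above, so every ptrace request is refused, if that is the intent. The blacklist array and the enclosing `setup_seccomp_v0` both begin before this hunk and continue past it, so I cannot see whether other entries follow a per-entry comment convention.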

