Re: [PATCH] seccomp: Add version 1 that blocks `keyctl` due to CVE-2016-0728



On Wed, 2016-01-20 at 12:29 -0500, Colin Walters wrote:
> This entailed actually refactoring the code now so we can have
> versioned profiles.  There's some code motion, but it's all relatively
> straightforward.
> ---
>  src/linux-user-chroot.c |   4 +-
>  src/setup-seccomp.c     | 197 +++++++++++++++++++++++++++++-------------------
>  src/setup-seccomp.h     |   4 +-
>  3 files changed, 126 insertions(+), 79 deletions(-)


I would probably have put a version field inside
the SyscallBlackListEntry and look at it in add_syscall_blacklist,
instead of having the "if (version > 0) { add more }" to the code.
However, that is just cosmetic.

Also, since you broke out the xdg-app code, I've added options to
disable perf and strace in the sandbox, which is needed when doing
debugging.


-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
       alexl redhat com            alexander larsson gmail com 
He's a bookish drug-addicted sorceror on the wrong side of the law. She's 
a supernatural green-skinned mercenary with the soul of a mighty warrior. 
They fight crime! 