Re: [PATCH] seccomp: Add version 1 that blocks `keyctl` due to CVE-2016-0728

On Wed, 2016-01-20 at 12:29 -0500, Colin Walters wrote:
This entailed actually refactoring the code now so we can have
versioned profiles.  There's some code motion, but it's all
 src/linux-user-chroot.c |   4 +-
 src/setup-seccomp.c     | 197 +++++++++++++++++++++++++++++---------
 src/setup-seccomp.h     |   4 +-
 3 files changed, 126 insertions(+), 79 deletions(-)

I would probably have put a version field inside
the SyscallBlackListEntry and look at it in add_syscall_blacklist,
instead of having the "if (version > 0) { add more }" to the code.
However, that is just cosmetic.

Also, since you broke out the xdg-app code I've added options to
disable perf and strace in the sandbox, which is needed when doing

 Alexander Larsson                                            Red Hat, Inc 
       alexl redhat com            alexander larsson gmail com 
He's a bookish drug-addicted sorceror on the wrong side of the law. She's 
a supernatural green-skinned mercenary with the soul of a mighty warrior. 
They fight crime! 
