Re: [PATCH 0/5] seccomp: fix hole in blocking forks
From: Eduardo Terrell Ferrari Otubo
Subject: Re: [PATCH 0/5] seccomp: fix hole in blocking forks
Date: Wed, 04 Aug 2021 10:05:38 +0200
User-agent: Evolution 3.40.3 (by Flathub.org)

On Mon, 2021-08-02 at 14:02 +0100, Daniel P. Berrangé wrote:
> Blocking the 'fork' syscall on Linux is not sufficient to block the
> 'fork' C library function, because the latter is essentially always
> implemented using the 'clone' syscall these days.
>
> Blocking 'clone' is difficult as that also blocks pthread creation,
> so it needs careful filtering.
>
> Daniel P. Berrangé (5):
> seccomp: allow action to be customized per syscall
> seccomp: add unit test for seccomp filtering
> seccomp: fix blocking of process spawning
> seccomp: block use of clone3 syscall
> seccomp: block setns, unshare and execveat syscalls
>
> MAINTAINERS | 1 +
> softmmu/qemu-seccomp.c | 282 +++++++++++++++++++++++++++++---------
> tests/unit/meson.build | 4 +
> tests/unit/test-seccomp.c | 269 ++++++++++++++++++++++++++++++++++++
> 4 files changed, 490 insertions(+), 66 deletions(-)
> create mode 100644 tests/unit/test-seccomp.c
>
> --
> 2.31.1
>
>
Acked-by: Eduardo Otubo <otubo@redhat.com>
--
Eduardo Otubo
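
Added example, not part of the original message or of the QEMU patches: one way to express the "careful filtering" of clone described in the quoted cover letter, as a raw seccomp BPF program that denies a fork-style clone() but lets thread creation through. The names `clone_filter`, `verdict`, `FORK_FLAGS` and `THREAD_FLAGS` are hypothetical, and the CLONE_THREAD test is an assumption about how to tell the two cases apart, not the rule the series implements.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/sched.h>    /* CLONE_* flag values */
#include <linux/seccomp.h>
#include <sys/syscall.h>

/* Constructed sample flag words: typical of fork() and of thread creation. */
#define FORK_FLAGS   (CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | 17 /* SIGCHLD */)
#define THREAD_FLAGS (CLONE_VM | CLONE_SIGHAND | CLONE_THREAD)

/* clone() is allowed only with CLONE_THREAD set; any other clone(), such as
 * the one behind fork(), gets EPERM. Assumes little-endian with the flags in
 * args[0] (x86_64, aarch64). A real filter also checks seccomp_data.arch. */
static const struct sock_filter clone_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_clone, 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, CLONE_THREAD, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Evaluate the filter in user space (only the opcodes used above), so its
 * verdicts can be checked without sandboxing the calling process. */
static uint32_t verdict(int nr, uint64_t arg0)
{
    struct seccomp_data sd = { .nr = nr, .args = { arg0 } };
    size_t n = sizeof(clone_filter) / sizeof(clone_filter[0]);
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *i = &clone_filter[pc];
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS:      /* load 32 bits of seccomp_data */
            memcpy(&acc, (const char *)&sd + i->k, sizeof(acc));
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:     /* relative jump on equality */
            pc += (acc == i->k) ? i->jt : i->jf;
            break;
        case BPF_JMP | BPF_JSET | BPF_K:    /* relative jump on any bit set */
            pc += (acc & i->k) ? i->jt : i->jf;
            break;
        case BPF_RET | BPF_K:               /* final seccomp action */
            return i->k;
        }
    }
    return SECCOMP_RET_KILL; /* not reached for a well-formed program */
}
```

To enforce the program rather than evaluate it, wrap `clone_filter` in a `struct sock_fprog` and load it with `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)` after setting `PR_SET_NO_NEW_PRIVS`.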