Browse code
Block additional ptrace related syscalls in default seccomp profile
Block kcmp, procees_vm_readv, process_vm_writev.
All these require CAP_PTRACE, and are only used for ptrace related
actions, so are not useful as we block ptrace.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Justin Cormack authored on 2015/12/30 02:02:11Showing 1 changed files
| ... | ... |
@@ -112,6 +112,13 @@ var defaultSeccompProfile = &configs.Seccomp{
|
| 112 | 112 |
Args: []*configs.Arg{},
|
| 113 | 113 |
}, |
| 114 | 114 |
{
|
| 115 |
+ // Restrict process inspection capabilities |
|
| 116 |
+ // Already blocked by dropping CAP_PTRACE |
|
| 117 |
+ Name: "kcmp", |
|
| 118 |
+ Action: configs.Errno, |
|
| 119 |
+ Args: []*configs.Arg{},
|
|
| 120 |
+ }, |
|
| 121 |
+ {
|
|
| 115 | 122 |
// Sister syscall of kexec_load that does the same thing, |
| 116 | 123 |
// slightly different arguments |
| 117 | 124 |
Name: "kexec_file_load", |
| ... | ... |
@@ -210,6 +217,20 @@ var defaultSeccompProfile = &configs.Seccomp{
|
| 210 | 210 |
Args: []*configs.Arg{},
|
| 211 | 211 |
}, |
| 212 | 212 |
{
|
| 213 |
+ // Restrict process inspection capabilities |
|
| 214 |
+ // Already blocked by dropping CAP_PTRACE |
|
| 215 |
+ Name: "process_vm_readv", |
|
| 216 |
+ Action: configs.Errno, |
|
| 217 |
+ Args: []*configs.Arg{},
|
|
| 218 |
+ }, |
|
| 219 |
+ {
|
|
| 220 |
+ // Restrict process modification capabilities |
|
| 221 |
+ // Already blocked by dropping CAP_PTRACE |
|
| 222 |
+ Name: "process_vm_writev", |
|
| 223 |
+ Action: configs.Errno, |
|
| 224 |
+ Args: []*configs.Arg{},
|
|
| 225 |
+ }, |
|
| 226 |
+ {
|
|
| 213 | 227 |
// Already blocked by dropping CAP_PTRACE |
| 214 | 228 |
Name: "ptrace", |
| 215 | 229 |
Action: configs.Errno, |