Block additional ptrace related syscalls in default seccomp profile
@@ -118,6 +118,13 @@ var defaultSeccompProfile = &configs.Seccomp{
|
| 118 | 118 |
Args: []*configs.Arg{},
|
| 119 | 119 |
}, |
| 120 | 120 |
{
|
| 121 |
+ // Restrict process inspection capabilities |
|
| 122 |
+ // Already blocked by dropping CAP_PTRACE |
|
| 123 |
+ Name: "kcmp", |
|
| 124 |
+ Action: configs.Errno, |
|
| 125 |
+ Args: []*configs.Arg{},
|
|
| 126 |
+ }, |
|
| 127 |
+ {
|
|
| 121 | 128 |
// Sister syscall of kexec_load that does the same thing, |
| 122 | 129 |
// slightly different arguments |
| 123 | 130 |
Name: "kexec_file_load", |
@@ -216,6 +223,20 @@ var defaultSeccompProfile = &configs.Seccomp{
|
| 216 | 216 |
Args: []*configs.Arg{},
|
| 217 | 217 |
}, |
| 218 | 218 |
{
|
| 219 |
+ // Restrict process inspection capabilities |
|
| 220 |
+ // Already blocked by dropping CAP_PTRACE |
|
| 221 |
+ Name: "process_vm_readv", |
|
| 222 |
+ Action: configs.Errno, |
|
| 223 |
+ Args: []*configs.Arg{},
|
|
| 224 |
+ }, |
|
| 225 |
+ {
|
|
| 226 |
+ // Restrict process modification capabilities |
|
| 227 |
+ // Already blocked by dropping CAP_PTRACE |
|
| 228 |
+ Name: "process_vm_writev", |
|
| 229 |
+ Action: configs.Errno, |
|
| 230 |
+ Args: []*configs.Arg{},
|
|
| 231 |
+ }, |
|
| 232 |
+ {
|
|
| 219 | 233 |
// Already blocked by dropping CAP_PTRACE |
| 220 | 234 |
Name: "ptrace", |
| 221 | 235 |
Action: configs.Errno, |