manager: prohibit clone3() in seccomp filters
author Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Tue, 19 Apr 2022 10:44:26 +0000 (12:44 +0200)
committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Thu, 28 Apr 2022 17:18:37 +0000 (19:18 +0200)
commit 4bb93c69c633b5c10ad7e36ba198edc243d99f4b
tree 9a4b78a6a6275fc0ba331d091fb265f30e505466
parent 859d9ccddaae65ed480fc34c9bd67c02a50fd7e1
manager: prohibit clone3() in seccomp filters

RestrictNamespaces should block clone3() like flatpak:
https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330

clone3() passes arguments in a structure referenced by a pointer, so we can't
filter on the flags as with clone(). Let's disallow the whole function call.

(cherry picked from commit 30193fe817d262bd64b9a271534792046f19d7f5)
(cherry picked from commit 32e7c65372945f0d3aa5d378dd1e832d62c51949)
src/shared/seccomp-util.c
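The reasoning in the commit message can be seen directly in a raw seccomp-BPF filter. The program below is an added example, not systemd's code: systemd's real filter lives in src/shared/seccomp-util.c, is built with libseccomp, and the errno it returns for clone3() is not shown on this page. The example installs a cBPF program that mirrors what RestrictNamespaces= does for clone(): the flags are the syscall's first register argument, so the filter loads args[0] and denies the call only if a CLONE_NEW* bit is set. For clone3() the same args[0] is merely a pointer to a struct clone_args in user memory, and cBPF can only read the six register values in struct seccomp_data, never the memory they point to, so the filter can only match on the syscall number and refuse the call outright. Each probe runs in a forked child so the filter never sticks to the calling process, and the probes pass flag combinations the kernel itself rejects with EINVAL before creating anything, so a result of EINVAL means "the filter let it through" and EPERM means "the filter stopped it". Assumed, and not taken from the page: Linux on x86_64, aarch64 or i386 (the AUDIT_ARCH_* selection), a little-endian layout for the low word of args[0], EPERM as the deny errno, and the helper names (install_filter, run_probe, probe_*), which are mine.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/sched.h>      /* CLONE_* flag values from the kernel uapi headers */
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef __NR_clone3
#define __NR_clone3 435          /* clone3 has number 435 on every architecture that has it */
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#ifndef CLONE_NEWCGROUP
#define CLONE_NEWCGROUP 0x02000000
#endif

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define ARCH_NR AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#if __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__
#error "the filter reads the low 32 bits of args[0] at offset 0; adjust for big-endian"
#endif

/* Namespace-creating flags; for clone() they sit in args[0] and can be inspected. */
#define NS_FLAGS (CLONE_NEWNS | CLONE_NEWCGROUP | CLONE_NEWUTS | CLONE_NEWIPC | \
                  CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET)

/* Install, in the calling process, a filter with the shape RestrictNamespaces= needs
 * (example code, not systemd's): clone() is denied only when a CLONE_NEW* bit is set,
 * clone3() is denied outright because its flags are not visible to the filter. */
static int install_filter(void) {
    struct sock_filter filter[] = {
        /* Kill rather than misread syscall numbers of a foreign ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* clone3(): args[0] is a pointer to struct clone_args; the flags live behind it in
         * user memory, which cBPF cannot dereference, so the number is all we can match. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        /* clone(): args[0] is the flags word itself, so test the CLONE_NEW* bits. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args)), /* low 32 bits */
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, NS_FLAGS, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { (unsigned short)(sizeof(filter) / sizeof(filter[0])), filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Probes: raw syscalls with flags the kernel rejects with EINVAL before it creates a
 * child, so the errno identifies who refused: EINVAL = kernel (filter allowed the call),
 * EPERM = our filter. Each returns the errno seen, or 0 if the call succeeded. */
static int probe_clone_plain(void) {   /* CLONE_THREAD without CLONE_SIGHAND: always EINVAL */
    return syscall(__NR_clone, (unsigned long)CLONE_THREAD, 0, 0, 0, 0) == -1 ? errno : 0;
}
static int probe_clone_ns(void) {      /* CLONE_NEWNS with CLONE_FS: kernel EINVAL, filter EPERM */
    return syscall(__NR_clone, (unsigned long)(CLONE_NEWNS | CLONE_FS), 0, 0, 0, 0) == -1 ? errno : 0;
}
struct probe_clone_args { uint64_t v[8]; };  /* 64 zero bytes, CLONE_ARGS_SIZE_VER0 */
static int probe_clone3(void) {        /* size 8 is below CLONE_ARGS_SIZE_VER0: kernel EINVAL, filter EPERM */
    struct probe_clone_args args = {{0}};
    return syscall(__NR_clone3, &args, (size_t)8) == -1 ? errno : 0;
}

/* Fork, optionally install the filter in the child, run one probe there and return the
 * errno it saw (a seccomp filter is inherited by children, never by the parent). */
static int run_probe(int with_filter, int (*probe)(void)) {
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (with_filter && install_filter() != 0)
            _exit(255);
        _exit(probe() & 0xff);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    struct { const char *name; int (*fn)(void); } probes[] = {
        { "clone(CLONE_THREAD)",         probe_clone_plain },
        { "clone(CLONE_NEWNS|CLONE_FS)", probe_clone_ns },
        { "clone3(args, 8)",             probe_clone3 },
    };
    size_t i;
    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("%-28s unfiltered errno=%3d  filtered errno=%3d\n", probes[i].name,
               run_probe(0, probes[i].fn), run_probe(1, probes[i].fn));
    return 0;
}
```

Two caveats follow from the example. First, the choice of errno matters more for clone3() than for clone(): a libc that tries clone3() first and falls back to clone() only when it sees ENOSYS will fail hard if the filter answers EPERM, whereas SECCOMP_RET_ERRNO | ENOSYS steers it onto the clone() path, which the filter can still inspect; the page does not say which value systemd chose. Second, the limitation is not specific to clone3(): struct seccomp_data carries only the six register arguments, so any syscall that puts its options in a user-memory struct can only be matched by number, never by the contents of that struct.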