manager: prohibit clone3() in seccomp filters
author    Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
          Tue, 19 Apr 2022 10:44:26 +0000 (12:44 +0200)
committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
          Tue, 19 Apr 2022 20:04:31 +0000 (22:04 +0200)
commit    30193fe817d262bd64b9a271534792046f19d7f5
tree      a4b578e7bf2de2bf503e08a6c603fae28ee6b78a
parent    c5503601e21d7eea67f07417a680237db238d50c
manager: prohibit clone3() in seccomp filters

RestrictNamespaces should block clone3() like flatpak:
https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330

clone3() passes arguments in a structure referenced by a pointer, so we can't
filter on the flags as with clone(). Let's disallow the whole function call.
src/shared/seccomp-util.c
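The commit message explains why clone3() cannot be filtered by flags: seccomp sees only the raw syscall argument registers, and clone3() passes a pointer to a struct clone_args that the filter cannot dereference. The following is an added example (not systemd's or flatpak's code, and not the content of src/shared/seccomp-util.c) showing the same policy as a raw seccomp-bpf program: clone() is allowed unless a namespace-creating flag is set in args[0], while clone3() is refused outright. It assumes x86_64 Linux; the choice of ENOSYS as the errno for clone3() (so callers that probe for clone3() fall back to clone(), which is still filtered) is this example's, since the page does not say which errno systemd uses. The small `eval_filter`/`decide` evaluator is a hypothetical helper that runs the filter against a constructed seccomp_data without installing it; `main` additionally installs the filter and calls clone3() to show the live result.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/sched.h>
#include <linux/seccomp.h>

/* Fallbacks for older kernel headers (assumption: x86_64 syscall numbering). */
#ifndef __NR_clone3
#define __NR_clone3 435
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* clone() flags that create a namespace; a RestrictNamespaces-style policy denies them. */
#define NS_FLAGS (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER | \
                  CLONE_NEWPID | CLONE_NEWNET | CLONE_NEWCGROUP)

/* Offset of the low 32 bits of syscall argument n (little-endian x86_64). */
#define ARG_LO(n) ((uint32_t)offsetof(struct seccomp_data, args[n]))

/* clone() carries its flags in args[0], which the kernel copies into seccomp_data,
 * so the filter can test them. clone3() carries only a pointer to struct clone_args;
 * seccomp cannot dereference it, so the flags are invisible and the whole syscall
 * is refused. ENOSYS makes callers that probe for clone3() fall back to clone(). */
static const struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),      /* unexpected arch */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS),    /* clone3: always refused */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(0)),
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, NS_FLAGS, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),     /* clone with namespace flag */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Hypothetical helper: evaluates the subset of classic BPF used above and returns
 * the SECCOMP_RET_* value the kernel would act on for the given seccomp_data. */
static uint32_t eval_filter(const struct seccomp_data *d) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < sizeof(filter) / sizeof(filter[0]); pc++) {
        const struct sock_filter *in = &filter[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:          /* load 32 bits at offset k */
            memcpy(&acc, (const char *)d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:         /* offsets are relative to next insn */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_JMP | BPF_JSET | BPF_K:
            pc += (acc & in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;    /* unsupported opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;            /* fell off the end: fail closed */
}

/* Decision for syscall nr with first argument arg0 (constructed seccomp_data). */
static uint32_t decide(int nr, uint64_t arg0) {
    struct seccomp_data d = { .nr = nr, .arch = AUDIT_ARCH_X86_64, .args = { arg0 } };
    return eval_filter(&d);
}

/* Installs the filter in the calling process; this cannot be undone. */
static int install_filter(void) {
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = (struct sock_filter *)filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

int main(void) {
    printf("clone3 decision: 0x%08x (ERRNO|ENOSYS is 0x%08x)\n",
           decide(__NR_clone3, 0), SECCOMP_RET_ERRNO | ENOSYS);
    printf("clone+CLONE_NEWUSER: 0x%08x, plain clone: 0x%08x\n",
           decide(__NR_clone, CLONE_NEWUSER), decide(__NR_clone, 0));
    if (install_filter() == 0) {
        /* With the filter live, even an invalid clone3() call reports ENOSYS
         * rather than the EINVAL the kernel would otherwise return. */
        errno = 0;
        long r = syscall(__NR_clone3, NULL, 0UL);
        printf("clone3(NULL, 0) -> %ld, errno=%d (ENOSYS is %d)\n", r, errno, ENOSYS);
    }
    return 0;
}
```

The arch check at the top matters in practice: syscall numbers differ between ABIs, so a filter that matches on `nr` alone can be bypassed by a process switching ABI. The `decide` helper is how a defender can unit-test a filter's decision table (every namespace flag denied via clone(), clone3() denied regardless of arguments, unrelated syscalls allowed) before the filter is applied to a service.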