manager: prohibit clone3() in seccomp filters
author     Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
           Tue, 19 Apr 2022 10:44:26 +0000 (12:44 +0200)
committer  Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
           Thu, 28 Apr 2022 17:05:30 +0000 (19:05 +0200)
commit     32e7c65372945f0d3aa5d378dd1e832d62c51949
tree       dc9feb57fff285bcb75b99ad9b4c8eda009dca50
parent     45335a3eed8ee6f75b0b6e172ac035d2c6367bce
manager: prohibit clone3() in seccomp filters

RestrictNamespaces should block clone3() like flatpak:
https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330

clone3() passes arguments in a structure referenced by a pointer, so we can't
filter on the flags as with clone(). Let's disallow the whole function call.

(cherry picked from commit 30193fe817d262bd64b9a271534792046f19d7f5)
src/shared/seccomp-util.c
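The commit message states the core constraint of the change: a seccomp-BPF program can compare syscall arguments by value, so it can inspect the flags word of clone(), but it cannot dereference user memory, so it cannot see the flags inside the struct clone_args that clone3() receives through a pointer. The only sound option is to refuse clone3() entirely. The following is an added example written for this page, not systemd's seccomp-util.c code and not the flatpak commit, showing both halves of that decision as a raw BPF filter with no libseccomp dependency: clone() is rejected with EPERM only when a namespace-creating flag is set, while clone3() always fails with ENOSYS, which is the errno that makes glibc's wrappers (pthread_create, posix_spawn) retry with clone() instead of failing. Assumptions: x86_64 or aarch64 Linux, little-endian argument layout, and an illustrative set of CLONE_NEW* flags rather than systemd's exact table; unshare() and setns(), which RestrictNamespaces= also covers, are left out to keep the example to the two calls the commit discusses. The demo runs its checks in a forked child so the calling process stays unfiltered; the return codes are this example's own convention.

```c
/* Added example (not systemd's code): a raw seccomp-BPF filter implementing the
 * rule the commit describes. clone() flags sit in args[0], so BPF can test them;
 * clone3() takes a pointer to struct clone_args, which BPF cannot follow, so the
 * whole call is refused. It fails with ENOSYS rather than EPERM so that glibc
 * falls back to clone(). Assumes x86_64 or aarch64; the flag set is illustrative. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/sched.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef __NR_clone3
#define __NR_clone3 435            /* clone3 has number 435 on every unified-table arch */
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Flags that create a new namespace (illustrative subset, not systemd's table). */
#define NS_FLAGS (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER | \
                  CLONE_NEWPID | CLONE_NEWNET | CLONE_NEWCGROUP)

int install_namespace_filter(void)
{
    struct sock_filter filt[] = {
        /* Refuse a foreign syscall ABI: its numbers would not match ours. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),

        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),

        /* clone3(): the flags live behind a user pointer, unreachable from BPF,
         * so block the whole call. ENOSYS lets libc retry with clone(). */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA)),

        /* clone(): flags are args[0]; on little-endian the low 32 bits, where
         * every CLONE_NEW* bit lives, are at the member's offset. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, NS_FLAGS, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),

        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(filt) / sizeof(filt[0]), .filter = filt };

    /* Needed for an unprivileged process to install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Runs the checks in a forked child so the caller stays unfiltered. Returns 0 when
 * the filter behaves as described, 2 when the environment refuses to install a
 * filter at all, and another positive value for the check that failed. */
int demo_filter(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_namespace_filter() < 0)
            _exit(2);

        /* clone3() with a bogus size never creates a process: unfiltered it
         * fails with EINVAL, filtered it must report ENOSYS. */
        if (syscall(__NR_clone3, NULL, 0) != -1 || errno != ENOSYS)
            _exit(3);

        /* clone() asking for a user namespace must be refused with EPERM. */
        long r = syscall(__NR_clone, (long)(CLONE_NEWUSER | SIGCHLD), 0L, 0L, 0L, 0L);
        if (r == 0)
            _exit(0);            /* only reached if the filter failed: we are the unwanted child */
        if (r > 0) {
            waitpid((pid_t)r, NULL, 0);
            _exit(4);
        }
        if (errno != EPERM)
            _exit(4);

        /* A plain fork() still goes through clone() without namespace flags and must work. */
        pid_t child = fork();
        if (child < 0)
            _exit(5);
        if (child == 0)
            _exit(0);
        waitpid(child, NULL, 0);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return 6;                /* the filter killed the child, e.g. an arch mismatch */
    return WEXITSTATUS(status);
}

int main(void)
{
    int rc = demo_filter();
    printf("namespace filter check: %s (%d)\n", rc == 0 ? "ok" : "problem", rc);
    return rc;
}
```

Two design points are worth noting. First, the ENOSYS choice is not cosmetic: a filter that answers clone3() with EPERM breaks every libc routine that prefers clone3(), because glibc only falls back to clone() on ENOSYS. Second, the arch check at the top is what makes per-number rules meaningful at all; without it a process that switches syscall ABI would be judged against the wrong table, and a filter that pattern-matches on `nr` alone is not a real restriction.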