passt: Make process not dumpable after sandboxing
Two effects:
- ptrace() on passt and pasta can only be done by root, so that even if somebody gains access to the same user, they won't be able to inspect data passed in syscalls. No core dumps are allowed either.
- /proc/PID files are owned by root:root, and they can't be read by the same user as the one passt or pasta are running as.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
parent
0515adceaa
commit
fb70301b13
1 changed files with 2 additions and 0 deletions
2
passt.c
@ -406,6 +406,8 @@ int main(int argc, char **argv)
else
else
write_pidfile(pidfile_fd, getpid());
write_pidfile(pidfile_fd, getpid());
prctl(PR_SET_DUMPABLE, 0);
seccomp(&c);
seccomp(&c);
timer_init(&c, &now);
timer_init(&c, &now);
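Review bot: The return value of the added `prctl(PR_SET_DUMPABLE, 0);` is discarded, so if the call fails the hardening the commit description relies on (root-only ptrace, no core dumps, root-owned /proc/PID) is silently absent while the process goes on as if it were in place. Since the subsequent seccomp() step treats the sandbox as a hard requirement, a failure here should at least be reported, and arguably be fatal: `if (prctl(PR_SET_DUMPABLE, 0) == -1) { perror("prctl(PR_SET_DUMPABLE)"); exit(EXIT_FAILURE); }` (or the project's own logging/exit helper in place of perror/exit). The hunk does not show an `#include <sys/prctl.h>`; if the file does not already include it, the build would depend on it coming in transitively, which is worth confirming. The enclosing main() starts before and continues after this hunk.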