passt: Make process not dumpable after sandboxing

Two effects:

- ptrace() on passt and pasta can only be done by root, so that even
  if somebody gains access to the same user, they won't be able to
  check data passed in syscalls anyway. No core dumps allowed either

- /proc/PID files are owned by root:root, and they can't be read by
  the same user as the one passt or pasta are running with

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Stefano Brivio 2022-02-17 01:30:43 +01:00
parent 0515adceaa
commit fb70301b13
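What the single prctl() call in this commit buys, as an added, stand-alone example (not passt's or pasta's own code): it clears the dumpable flag the way the patch does, reads the flag back, reports who owns /proc/self before and after, and forks a child that clears its own flag so the parent can try PTRACE_ATTACH on it. For an unprivileged parent the attach fails with EPERM even though the child is its direct descendant; as root (or with CAP_SYS_PTRACE) it succeeds, which is exactly the "only root" property the commit message describes. The function names, the pipe used to synchronise parent and child, and the printed labels are this example's own choices. One caveat worth knowing: the kernel resets the dumpable flag to the fs.suid_dumpable default whenever the process later changes its credentials (setuid/setgid family, capability changes), so the call belongs after any privilege drop, as it is placed here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Clear the dumpable flag, as the patch does, and read it back.
 * Returns the PR_GET_DUMPABLE value (0 once cleared) or -1 on error. */
int make_not_dumpable(void)
{
	if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) < 0)
		return -1;
	return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Owner uid of /proc/self, or -1 on error. While the process is dumpable
 * the directory belongs to the real uid; once it is not, it belongs to root
 * (shown as the overflow uid inside a user namespace that maps no root). */
long proc_self_owner(void)
{
	struct stat st;

	if (stat("/proc/self", &st) < 0)
		return -1;
	return (long)st.st_uid;
}

/* Fork a child that clears its own dumpable flag, then try PTRACE_ATTACH on
 * it from the parent. Returns 0 if the attach succeeded (root or
 * CAP_SYS_PTRACE), otherwise the errno of the failure: EPERM for an
 * unprivileged parent, even though the child is its descendant. */
int try_ptrace_nondumpable_child(void)
{
	int pipefd[2], ret, status;
	char byte = 0;
	pid_t pid;

	if (pipe(pipefd) < 0)
		return errno;

	pid = fork();
	if (pid < 0)
		return errno;

	if (pid == 0) {
		/* Child: become non-dumpable, report readiness, wait to be killed */
		close(pipefd[0]);
		prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
		if (write(pipefd[1], &byte, 1) != 1)
			_exit(1);
		close(pipefd[1]);
		for (;;)
			pause();
	}

	/* Parent: wait until the child has cleared its flag before attaching */
	close(pipefd[1]);
	if (read(pipefd[0], &byte, 1) != 1) {
		ret = errno ? errno : EIO;
		close(pipefd[0]);
		kill(pid, SIGKILL);
		waitpid(pid, &status, 0);
		return ret;
	}
	close(pipefd[0]);

	if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) < 0) {
		ret = errno;
	} else {
		ret = 0;
		waitpid(pid, &status, 0);	/* tracee stops on attach */
		ptrace(PTRACE_DETACH, pid, NULL, NULL);
	}

	kill(pid, SIGKILL);
	waitpid(pid, &status, 0);
	return ret;
}

int main(void)
{
	int err;

	printf("before: dumpable=%d, /proc/self owned by uid %ld\n",
	       prctl(PR_GET_DUMPABLE, 0, 0, 0, 0), proc_self_owner());
	printf("after:  dumpable=%d, /proc/self owned by uid %ld\n",
	       make_not_dumpable(), proc_self_owner());

	err = try_ptrace_nondumpable_child();
	printf("PTRACE_ATTACH to non-dumpable child: %s\n",
	       err ? strerror(err) : "succeeded (privileged caller)");
	return 0;
}
```

Run it once as an ordinary user and once as root to see both sides: the flag reads 0 in both cases, but only the unprivileged run gets "Operation not permitted" on the attach and sees /proc/self flip from its own uid to root's.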

@ -406,6 +406,8 @@ int main(int argc, char **argv)
else
write_pidfile(pidfile_fd, getpid());
prctl(PR_SET_DUMPABLE, 0);
seccomp(&c);
timer_init(&c, &now);
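Review bot: the return value of prctl(PR_SET_DUMPABLE, 0) on the new line is discarded, so a failure would leave passt or pasta silently dumpable (and /proc/PID readable by the same user) while the commit message promises otherwise; treat it like the other setup steps and bail out, e.g. `if (prctl(PR_SET_DUMPABLE, 0)) { perror("prctl"); exit(EXIT_FAILURE); }`. Also, the subject says "after sandboxing" but the call is placed immediately before `seccomp(&c);`, the sandboxing step; that ordering is the better one, since it means prctl does not have to be allowed by the seccomp profile, but the subject or a one-line comment at the call site should say so, and should note that the flag must stay after any later credential change, because the kernel resets dumpable to the suid_dumpable default when the process's uid/gid/capabilities change.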