Open
Bug 1744849
Opened 3 years ago
Updated 3 years ago
PR_GET_SECCOMP doesn't need to be allowed
Categories
(Core :: Security: Process Sandboxing, enhancement, P3)
Tracking
()
NEW
People
(Reporter: jld, Assigned: jld)
References
Details
In bug 1257361 we stopped using PR_GET_SECCOMP
to detect threads that already have seccomp-bpf applied, but I forgot to remove it from the policy. Allowing it isn't a problem for security (revealing that seccomp-bpf is in use isn't an issue, and the kernel attack surface is trivial), but it seems to not be needed and we might as well save an instruction or two in the seccomp-bpf program.
(Further context: on kernels older than 3.17 we don't have the seccomp
syscall / SECCOMP_FILTER_FLAG_TSYNC
, so we have to iterate our own threads trying to reach a fixed point with all threads sandboxed; at first we used PR_GET_SECCOMP
, but this fails if external software has already applied a seccomp-bpf policy; see bug 1257361 for more details.)
Updated•3 years ago
|
Priority: -- → P3
You need to log in
before you can comment on or make changes to this bug.
Description
•