[PATCH] helper: Add perf and ptrace to seccomp blacklist
Colin Walters
walters at verbum.org
Tue Sep 1 16:00:50 UTC 2015
Note that I copied this xdg-app blacklist into linux-user-chroot:
https://git.gnome.org/browse/linux-user-chroot/commit/?id=8cee4ab7345f126d1dec55b7ca1f28e8090a58d3
We should figure out a better way down the line to share code - maybe
we can share a setup-seccomp.c?
Possibly in the long run we'll end up with diverging blacklists, as
linux-user-chroot can be a lot more aggressive, as its primary
audience is build side, not generic applications. We'll see.
But in this patch I added a big comment on how we should share code,
and in particular credit sandstorm.io for some of these filters.
(Although they may have gotten some of them from Android or Chromium?)
Going back to the high level topic - let's add perf and ptrace to the
blacklist. We expect profiling to be done from a non-sandboxed
terminal, or a less-restricted IDE type process which can look at the
namespace of other apps and the desktop/kernel.
---
lib/xdg-app-helper.c | 37 ++++++++++++++++++++++++++++++++++++-
1 file changed, 36 insertions(+), 1 deletion(-)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-helper-Add-perf-and-ptrace-to-seccomp-blacklist.patch
Type: text/x-patch
Size: 3364 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/flatpak/attachments/20150901/509ac185/attachment.bin>
More information about the xdg-app
mailing list