Fix Built-in Seccomp profile
Moe-hacker committed Dec 18, 2024
1 parent c24139e commit 04ec4c6
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/seccomp.c
Expand Up @@ -58,7 +58,7 @@ void ruri_setup_seccomp(const struct RURI_CONTAINER *_Nonnull container)
seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(umount2), 0);
seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(unshare), 0);
// clone(2) can have the same effect as unshare(2), we deny it.
seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(clone), 1, SCMP_CMP(0, SCMP_CMP_MASKED_EQ, CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET));
seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(clone), 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET, CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET));
seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(vm86), 0);
seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(vm86old), 0);
}
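Review bot: The clone rule in this hunk cannot deny a clone that sets only one namespace flag, because SCMP_CMP_MASKED_EQ fires when `(arg & mask) == datum`, and with mask and datum both equal to the OR of all six CLONE_NEW* flags it matches only a call that sets all six at once; one rule per flag, `SCMP_CMP(0, SCMP_CMP_MASKED_EQ, FLAG, FLAG)`, is needed to deliver what the comment above it promises. The two printed clone lines also differ in argument index (0 vs 2); on x86_64 and aarch64 the raw clone(2) flags word is argument 0 (s390 swaps it to argument 1), so if the index-2 form is the line being added it inspects a different argument on those ABIs — the rendered page does not mark which line is old, so this is inferred. clone3(2) passes its flags inside a struct clone_args that a seccomp filter cannot inspect, so it needs its own rule (SCMP_ACT_KILL, or an ENOSYS errno action) unless the part of ruri_setup_seccomp above the hunk already covers it. The seccomp_rule_add return values are not checked either, so a rejected rule leaves the profile silently incomplete. ruri_setup_seccomp starts outside the hunk.
```c
	// clone(2) can have the same effect as unshare(2), we deny it.
	// One rule per flag: MASKED_EQ matches (flags & mask) == datum, so a single
	// combined mask would only catch a clone that sets every listed flag at once.
	static const scmp_datum_t ns_flags[] = { CLONE_NEWNS, CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET };
	for (size_t i = 0; i < sizeof(ns_flags) / sizeof(ns_flags[0]); i++) {
		// Argument 0 is the flags word on x86_64/aarch64; adjust per ABI if s390 is supported.
		if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(clone), 1, SCMP_CMP(0, SCMP_CMP_MASKED_EQ, ns_flags[i], ns_flags[i])) < 0) {
			/* report the failure here — an incomplete profile must not be applied silently */
		}
	}
	// … unchanged: vm86 / vm86old rules …
```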
