Fliter out TIOCSTI in Seccomp profile
Moe-hacker committed Nov 23, 2024
1 parent 16f77dc commit 3cc74da
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions src/seccomp.c
Expand Up @@ -42,6 +42,7 @@ void ruri_setup_seccomp(const struct RURI_CONTAINER *_Nonnull container)
}
seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(add_key), 0);
if (ruri_is_in_caplist(container->drop_caplist, CAP_SYS_ADMIN)) {
seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ioctl), 1, SCMP_CMP(1, SCMP_CMP_EQ, TIOCSTI));
seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(bpf), 0);
seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(lookup_dcookie), 0);
seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(mount), 0);
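Review bot: The new ioctl rule compares argument 1 with SCMP_CMP_EQ, but on 64-bit targets seccomp inspects the full 64-bit register while the kernel reads ioctl's request as a 32-bit unsigned int, so a caller passing TIOCSTI with any high bits set (e.g. `TIOCSTI | (1UL << 32)`) appears to me to slip past the EQ match yet still be treated as TIOCSTI by the kernel; the usual defense is a masked compare, `seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ioctl), 1, SCMP_CMP(1, SCMP_CMP_MASKED_EQ, 0xffffffffUL, TIOCSTI));`. The return value of seccomp_rule_add is also discarded here (as on the neighbouring lines), so a failed add silently leaves the filter without the TIOCSTI rule — at minimum log and bail when it returns non-zero, since the whole point of this rule is to close a tty-injection path. I cannot see the includes, so please confirm the file already pulls in the header that defines TIOCSTI (sys/ioctl.h or termios.h). The enclosing function ruri_setup_seccomp starts before and continues past this hunk.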
