fix: create a separate Pipes ruleset

boustrophedon · Sep 15, 2023 · 4d2a722 · 4d2a722
1 parent de01e53
commit 4d2a722
Showing 1 changed file with 17 additions and 1 deletion.
diff --git a/src/builtins/danger_zone.rs b/src/builtins/danger_zone.rs
@@ -97,7 +97,6 @@ impl RuleSet for ForkAndExec {
              Sysno::execve, Sysno::execveat,
              Sysno::wait4, Sysno::waitid,
              Sysno::clone, Sysno::clone3,
-             Sysno::pipe, Sysno::pipe2
         ]
     }
 
@@ -126,3 +125,20 @@ impl RuleSet for ForkAndExec {
         "ForkAndExec"
     }
 }
+
+/// [`Pipes`] is in the danger zone because it can be used to send input to another process. That process will still be under seccomp's restrictions (see
+/// `tests/inherit_filters.rs`) but depending on your filter it could still do bad things.
+pub struct Pipes;
+impl RuleSet for Pipes {
+    fn simple_rules(&self) -> Vec<Sysno> {
+        vec![Sysno::pipe, Sysno::pipe2]
+    }
+
+    fn conditional_rules(&self) -> HashMap<Sysno, Vec<SeccompRule>> {
+        HashMap::new()
+    }
+
+    fn name(&self) -> &'static str {
+        "Pipes"
+    }
+}