Merge eb90d2a into a57028b

src/builtins/danger_zone.rs

@@ -125,3 +125,23 @@ impl RuleSet for ForkAndExec {
         "ForkAndExec"
     }
 }
+
+/// [`Pipes`] is in the danger zone because it can be used create a pipe for IPC.
+///
+/// # Security Considerations
+/// The piped process will still be under seccomp's restrictions (see
+/// `tests/inherit_filters.rs`) but depending on your filter it could still do bad things.
+pub struct Pipes;
+impl RuleSet for Pipes {
+    fn simple_rules(&self) -> Vec<Sysno> {
+        vec![Sysno::pipe, Sysno::pipe2]
+    }
+
+    fn conditional_rules(&self) -> HashMap<Sysno, Vec<SeccompRule>> {
+        HashMap::new()
+    }
+
+    fn name(&self) -> &'static str {
+        "Pipes"
+    }
+}