From dec9ac204104d03ba75a469a3c5f412b60deabfa Mon Sep 17 00:00:00 2001
From: Saksham Mittal
Date: Sun, 17 Sep 2023 14:10:08 +0530
Subject: [PATCH] fix: doc
---
 src/builtins/danger_zone.rs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/builtins/danger_zone.rs b/src/builtins/danger_zone.rs
index 72f5743..e3e8220 100644
--- a/src/builtins/danger_zone.rs
+++ b/src/builtins/danger_zone.rs
@@ -126,8 +126,14 @@ impl RuleSet for ForkAndExec {
 }
 }
-/// [`Pipes`] is in the danger zone because it can be used to send input to another process. That process will still be under seccomp's restrictions (see
+/// [`Pipes`] is in the danger zone because it can be used create a pipe for IPC.
+/// That process will still be under seccomp's restrictions (see
 /// `tests/inherit_filters.rs`) but depending on your filter it could still do bad things.
+///
+/// # Security Considerations
+///
+/// An attacker could pipe arbitrary data to a vulnerable utility and attempt
+/// to escape the sandbox.
 pub struct Pipes;
 impl RuleSet for Pipes {
 fn simple_rules(&self) -> Vec {
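Review bot: The rewritten first doc line no longer mentions another process, so `That process` on the next added line has no antecedent, and `can be used create` is missing a `to`. I would end the first sentence with `it can be used to create a pipe for IPC with another process.` so the seccomp-inheritance sentence still reads correctly. The new `# Security Considerations` paragraph says the sandbox may be escaped while the paragraph above says the peer stays under the same seccomp restrictions; one sentence stating that the exposure depends on which other rule sets the filter enables and on what the receiving process is allowed to do would reconcile the two for someone deciding whether to enable `Pipes`.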