Block process execution with seccomp on linux/amd64 #13753
On newer linux kernels, we can use prctl/seccomp to lock down the process and prevent the worst of the worst, like execution. This is used by e.g. chrome/firefox sandbox and so on.
This is just another level of security, java's security manager is not perfect, and there are often bugs in java itself, so it would be good to have another level of defense.
See https://en.wikipedia.org/wiki/Seccomp for more information
This PR blocks execve(), fork(), and vfork(), returning EACCES instead, so even with security manager disabled, process execution is still prevented.
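The blocking described above can be written as a seccomp-BPF filter in C. This is an added example, not code from this pull request: the function names are hypothetical, and denying every call from a non-x86_64 ABI (and from x32) is an assumption of the sketch. The filter applies to the calling thread and to threads it creates afterwards.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Install a seccomp-BPF filter on the calling thread that makes execve, fork
 * and vfork fail with EACCES. Returns 0 on success, -1 with errno on error. */
static int block_process_execution(void) {
    struct sock_filter prog[] = {
        /* Assumption of this sketch: deny every call from a non-x86_64 ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 6),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* x32 calls share AUDIT_ARCH_X86_64 but set bit 30; deny those too. */
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000, 4, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fork, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_vfork, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    /* no_new_privs lets an unprivileged process install the filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* errno left by an execve attempt; this only returns if the exec did not happen. */
static int try_execve(void) {
    char *argv[] = { "true", NULL }, *envp[] = { NULL };
    errno = 0;
    execve("/bin/true", argv, envp);
    return errno;
}
/* errno left by a raw fork syscall (glibc's fork() is implemented with clone). */
static int try_fork(void) {
    errno = 0;
    return syscall(SYS_fork) == -1 ? errno : 0;
}

int main(void) {
    if (block_process_execution() != 0) { perror("seccomp"); return 1; }
    printf("execve errno=%d fork errno=%d (EACCES=%d)\n", try_execve(), try_fork(), EACCES);
    return 0;
}
```

Because glibc's `fork()` goes through `clone`, a filter limited to these three syscalls stops `execve` of a new program but does not by itself stop a process from cloning itself.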
added a commit that referenced this pull request Sep 25, 2015
referenced this pull request Jun 4, 2016
More like, launching processes is bullshit for a daemon process to do. Under any circumstances. Manage this stuff with startup scripts, etc. If you don't agree with me, open an issue if you like. But this is an important piece, to ensure remote execution is something that doesn't happen again.
For others that might not click through to #18736, if all you want to do is kill on