Permalink
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
run: Add an errno value to seccomp filters
At the moment, if we block a syscall we always make it fail with EPERM, but this is risky: user-space libraries can start to use new replacements for old syscalls at any time, and will often treat EPERM as a fatal error. For new syscalls, we should make the syscall fail with ENOSYS, which is indistinguishable from running on an older kernel and will cause fallback to an older implementation, for example clone3() to clone(). In future we should probably move from EPERM to ENOSYS for some of the syscalls we already block, but for now keep the status quo. This is a prerequisite for fixing the vulnerability tracked as GHSA-67h7-w3jq-vh4q. Signed-off-by: Simon McVittie <smcv@collabora.com>
- Loading branch information
1 parent
9914dff
commit e26ac75
Showing
1 changed file
with
36 additions
and
26 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters