Small misc changes #2885

Merged
merged 5 commits into from
Apr 20, 2023

stevenengler
Contributor

Removed some unused C macro constant definitions, fixed some mistakes in the documentation, and made some prctl changes.

@sporksmith I removed PR_GET_SECCOMP and PR_SET_SECCOMP support since I don't think we want the plugin changing seccomp settings, but wanted to check with you first.

@stevenengler stevenengler self-assigned this Apr 19, 2023
@github-actions github-actions bot added Component: Build Build/install tools and dependencies Component: Documentation In-repository documentation, under docs/ Component: Main Composing the core Shadow executable labels Apr 19, 2023
@stevenengler stevenengler merged commit 0ff58b3 into shadow:main Apr 20, 2023
21 checks passed
@sporksmith
Contributor

> I removed PR_GET_SECCOMP and PR_SET_SECCOMP support since I don't think we want the plugin changing seccomp settings, but wanted to check with you first.

I had been thinking that allowing seccomp might be ok, since filters can only be "layered on", not modified or removed. From seccomp(2):

> If prctl(2) or seccomp() is allowed by the attached filter, further filters may be added. This will increase evaluation time, but allows for further reduction of the attack surface during execution of a thread.

OTOH if a filter is added that ends up blocking a syscall that the shim is trying to make natively, things could get... weird and broken. So yeah, blocking it for now makes sense until if and when we need it and actually think through and test it.

@stevenengler stevenengler deleted the small-updates branch April 20, 2023 14:53
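
The layering behaviour discussed in the review above, as an added example (not Shadow's code and not written by either participant): a second filter added with `prctl(PR_SET_SECCOMP, ...)` cannot re-allow what an earlier filter denies, and it can start failing a syscall that other code in the same process still expects to work. The helper names are hypothetical, and `getppid`/`getpid` are arbitrary stand-ins for "a syscall the earlier filter blocks" and "a syscall some other component makes natively".

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Add one filter: fail syscall `nr` with `err`, ALLOW everything else.
 * Demo only: a production filter would also check seccomp_data.arch. */
static int deny_syscall(int nr, int err) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (err & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Raw syscall (no libc caching); true if it fails with exactly `err`. */
static int fails_with(long nr, int err) {
    errno = 0;
    return syscall(nr) == -1 && errno == err;
}

/* Runs in a forked child so the caller stays unfiltered. Returns a bitmask:
 * 1 = filter A blocks getppid, 2 = still blocked after filter B (which
 * ALLOWs getppid), 4 = filter B's getpid block is active as well. */
int layered_filter_result(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int r = 0;
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) _exit(64);
        if (deny_syscall(SYS_getppid, EPERM)) _exit(65);   /* filter A */
        if (fails_with(SYS_getppid, EPERM)) r |= 1;
        if (deny_syscall(SYS_getpid, EACCES)) _exit(66);   /* filter B */
        if (fails_with(SYS_getppid, EPERM)) r |= 2;
        if (fails_with(SYS_getpid, EACCES)) r |= 4;
        _exit(r);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
int main(void) { return layered_filter_result() == 7 ? 0 : 1; }
```

A result of 7 means all three observations held; exit codes 64 to 66 from the child indicate that the environment refused `PR_SET_NO_NEW_PRIVS` or the filter installation.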