diff options
author | Kees Cook <keescook@chromium.org> | 2016-05-26 20:47:01 +0200 |
---|---|---|
committer | Kees Cook <keescook@chromium.org> | 2016-06-14 19:54:38 +0200 |
commit | 58d0a862f573c3354fa912603ef5a4db188774e7 (patch) | |
tree | 7d7f4c5ad0c47c9353da6a4528aeaab1f4d2088d /kernel/seccomp.c | |
parent | security: tomoyo: simplify the gc kthread creation (diff) | |
download | linux-58d0a862f573c3354fa912603ef5a4db188774e7.tar.xz linux-58d0a862f573c3354fa912603ef5a4db188774e7.zip |
seccomp: add tests for ptrace hole
One problem with seccomp was that ptrace could be used to change a
syscall after seccomp filtering had completed. This was a well documented
limitation, and it was recommended to block ptrace when defining a filter
to avoid this problem. This can be quite a limitation for containers or
other places where ptrace is desired even under seccomp filters.
This adds tests for both SECCOMP_RET_TRACE and PTRACE_SYSCALL manipulations.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@kernel.org>
Diffstat (limited to 'kernel/seccomp.c')
0 files changed, 0 insertions, 0 deletions