Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child.

author Lonnie Abelbeck <lonnie@abelbeck.com>

Tue, 1 Oct 2019 14:05:09 +0000 (09:05 -0500)

committer Damien Miller <djm@mindrot.org>

Wed, 2 Oct 2019 02:24:38 +0000 (12:24 +1000)
author Lonnie Abelbeck <lonnie@abelbeck.com>
Tue, 1 Oct 2019 14:05:09 +0000 (09:05 -0500)
committer Damien Miller <djm@mindrot.org>
Wed, 2 Oct 2019 02:24:38 +0000 (12:24 +1000)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c

index 840c5232bfefaabdbdd7e37dc4eec204490698e0..39dc289e3e104e99b54763f89303e340ab64d948 100644 (file)
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -168,6 +168,15 @@ static const struct sock_filter preauth_insns[] = {
  #ifdef __NR_stat64
         SC_DENY(__NR_stat64, EACCES),
  #endif
+#ifdef __NR_shmget
+       SC_DENY(__NR_shmget, EACCES),
+#endif
+#ifdef __NR_shmat
+       SC_DENY(__NR_shmat, EACCES),
+#endif
+#ifdef __NR_shmdt
+       SC_DENY(__NR_shmdt, EACCES),
+#endif
  
         /* Syscalls to permit */
  #ifdef __NR_brk
author	Lonnie Abelbeck <lonnie@abelbeck.com>
	Tue, 1 Oct 2019 14:05:09 +0000 (09:05 -0500)
committer	Damien Miller <djm@mindrot.org>
	Wed, 2 Oct 2019 02:24:38 +0000 (12:24 +1000)