author: Stefano Brivio <sbrivio@redhat.com> 2022-02-17 01:30:43 +0100
committer: Stefano Brivio <sbrivio@redhat.com> 2022-02-21 13:41:13 +0100
commit: fb70301b1358a7a65e0f6089ee9349330db2465a
tree: 297c86a9ba74d4163ada87adbf5551b0f9ffb623
parent: 0515adceaa8f69a1d85ae3c8c550c37dd49b0c47
passt: Make process not dumpable after sandboxing

Two effects:

- ptrace() on passt and pasta can only be done by root, so that even
  if somebody gains access to the same user, they won't be able to
  check data passed in syscalls anyway. No core dumps allowed either

- /proc/PID files are owned by root:root, and they can't be read by
  the same user as the one passt or pasta are running with

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

-rw-r--r-- passt.c 2
1 files changed, 2 insertions, 0 deletions
diff --git a/passt.c b/passt.c
index 508d525..b5086d8 100644
--- a/passt.c
+++ b/passt.c
@@ -406,6 +406,8 @@ int main(int argc, char **argv)
else
write_pidfile(pidfile_fd, getpid());
+ prctl(PR_SET_DUMPABLE, 0);
+
seccomp(&c);
timer_init(&c, &now);
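
Review bot: the return value of the added prctl(PR_SET_DUMPABLE, 0) call is discarded, so if the call fails the process carries on into seccomp(&c) still dumpable and nothing reports it. The commit message relies on this flag for the ptrace(), core dump and /proc/PID protections, so check the result, e.g. if (prctl(PR_SET_DUMPABLE, 0)) followed by an error exit (or at least a warning) in the style already used in main(). A short comment above the call saying why the process is made non-dumpable would help future readers, and it is worth noting there that the call sits before seccomp(&c), so moving it after the filter is installed would require the filter to allow prctl. The hunk adds no #include, so confirm <sys/prctl.h> is already included in passt.c.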