diff options
author | David Gibson <david@gibson.dropbear.id.au> | 2022-10-14 15:25:35 +1100 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2022-10-15 02:10:36 +0200 |
commit | fb449b16bd8ccf8b751dfa5aee54cb7de0525706 (patch) | |
tree | d980c9a46b9cf94ee0320e8d6aa0c2b3ec378c23 /netlink.h | |
parent | c22ebccba8a09065e59d080ac7a2969a267974ce (diff) | |
download | passt-fb449b16bd8ccf8b751dfa5aee54cb7de0525706.tar passt-fb449b16bd8ccf8b751dfa5aee54cb7de0525706.tar.gz passt-fb449b16bd8ccf8b751dfa5aee54cb7de0525706.tar.bz2 passt-fb449b16bd8ccf8b751dfa5aee54cb7de0525706.tar.lz passt-fb449b16bd8ccf8b751dfa5aee54cb7de0525706.tar.xz passt-fb449b16bd8ccf8b751dfa5aee54cb7de0525706.tar.zst passt-fb449b16bd8ccf8b751dfa5aee54cb7de0525706.zip |
isolation: Prevent any child processes gaining capabilities
We drop our own capabilities, but it's possible that processes we exec()
could gain extra privilege via file capabilities. It shouldn't be possible
for us to exec() anyway due to seccomp() and our filesystem isolation. But
just in case, zero the bounding and inheritable capability sets to prevent
any such child from gainin privilege.
Note that we do this *after* spawning the pasta shell/command (if any),
because we do want the user to be able to give that privilege if they want.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'netlink.h')
0 files changed, 0 insertions, 0 deletions