diff options
author | Stefano Brivio <sbrivio@redhat.com> | 2022-02-17 01:30:43 +0100 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2022-02-21 13:41:13 +0100 |
commit | fb70301b1358a7a65e0f6089ee9349330db2465a (patch) | |
tree | 297c86a9ba74d4163ada87adbf5551b0f9ffb623 /pasta.h | |
parent | 0515adceaa8f69a1d85ae3c8c550c37dd49b0c47 (diff) | |
download | passt-fb70301b1358a7a65e0f6089ee9349330db2465a.tar passt-fb70301b1358a7a65e0f6089ee9349330db2465a.tar.gz passt-fb70301b1358a7a65e0f6089ee9349330db2465a.tar.bz2 passt-fb70301b1358a7a65e0f6089ee9349330db2465a.tar.lz passt-fb70301b1358a7a65e0f6089ee9349330db2465a.tar.xz passt-fb70301b1358a7a65e0f6089ee9349330db2465a.tar.zst passt-fb70301b1358a7a65e0f6089ee9349330db2465a.zip |
passt: Make process not dumpable after sandboxing
Two effects:
- ptrace() on passt and pasta can only be done by root, so that even
if somebody gains access to the same user, they won't be able to
check data passed in syscalls anyway. No core dumps allowed either
- /proc/PID files are owned by root:root, and they can't be read by
the same user as the one passt or pasta are running with
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'pasta.h')
0 files changed, 0 insertions, 0 deletions