On Mon, 2021-08-02 at 14:02 +0100, Daniel P. Berrangé wrote:
> Blocking the 'fork' syscall on Linux is not sufficient to block the
> 'fork' C library function, because the latter is essentially always
> implemented using the 'clone' syscall these days.
>
> Blocking 'clone' is difficult as that also blocks pthread creation,
> so it needs careful filtering.
>
> Daniel P. Berrangé (5):
>   seccomp: allow action to be customized per syscall
>   seccomp: add unit test for seccomp filtering
>   seccomp: fix blocking of process spawning
>   seccomp: block use of clone3 syscall
>   seccomp: block setns, unshare and execveat syscalls
>
>  MAINTAINERS               |   1 +
>  softmmu/qemu-seccomp.c    | 282 +++++++++++++++++++++++++++++---------
>  tests/unit/meson.build    |   4 +
>  tests/unit/test-seccomp.c | 269 ++++++++++++++++++++++++++++++++++++
>  4 files changed, 490 insertions(+), 66 deletions(-)
>  create mode 100644 tests/unit/test-seccomp.c
>
> --
> 2.31.1
>
Acked-by: Eduardo Otubo <ot...@redhat.com>

-- 
Eduardo Otubo
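The two quoted paragraphs state the policy problem without showing the filter: blocking the fork syscall is pointless because glibc's fork() is a clone() call, and blocking clone() outright breaks pthread_create(). The following is an added worked example in C, written for this page and not code from the QEMU patch series or from its author, that expresses that filtering directly in seccomp-BPF: clone() is refused with EPERM unless CLONE_THREAD is among its flags, clone3() is refused with ENOSYS so that glibc's pthread_create() falls back to clone(), and a small cBPF evaluator lets the resulting program be checked in a unit test without installing it in the running process. It goes a little beyond the text by adding the architecture check every seccomp filter needs. Everything in it is this example's own assumption: the rule table, the helper names (build_filter, run_filter, decide, install_filter), the x86_64/aarch64-only AUDIT_ARCH selection, and the choice of ENOSYS for clone3.

```c
/* Added example, not QEMU code: a seccomp-BPF policy that blocks process spawning
 * (fork, clone, clone3) yet allows clone() calls carrying CLONE_THREAD, i.e.
 * pthread_create(). A tiny cBPF evaluator unit-tests the policy without installing it. */
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__aarch64__)
#define MY_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else                                      /* x86_64 assumed otherwise */
#define MY_AUDIT_ARCH AUDIT_ARCH_X86_64
#endif
/* Assumed rule table: a non-zero thread_mask allows the call when it is set in args[0]. */
struct rule { int nr; __u32 thread_mask; __u32 action; };
static const struct rule spawn_rules[] = {
#ifdef __NR_fork                           /* aarch64 has no fork/vfork syscalls */
    { __NR_fork,   0,            SECCOMP_RET_ERRNO | EPERM },
#endif
    { __NR_clone,  CLONE_THREAD, SECCOMP_RET_ERRNO | EPERM },   /* glibc fork() path */
    /* ENOSYS rather than EPERM, so glibc's pthread_create() falls back to clone() */
    { __NR_clone3, 0,            SECCOMP_RET_ERRNO | ENOSYS },
};
static struct sock_filter prog[64];        /* filled by build_filter() */
/* Helpers for build_filter(): each appends one cBPF instruction to prog[]. */
#define LD(field)          (prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, field)))
#define RET(k)             (prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, (k)))
#define JMP(op, k, jt, jf) (prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | (op) | BPF_K, (k), (jt), (jf)))

/* Emit: architecture check, one block per rule, default allow. Returns insn count. */
static size_t build_filter(void) {
    size_t n = 0;
    LD(arch);
    JMP(BPF_JEQ, MY_AUDIT_ARCH, 1, 0);
    RET(SECCOMP_RET_KILL_PROCESS);           /* foreign ABI: syscall numbers differ */
    for (size_t i = 0; i < sizeof spawn_rules / sizeof spawn_rules[0]; i++) {
        const struct rule *r = &spawn_rules[i];
        LD(nr);
        JMP(BPF_JEQ, r->nr, 0, r->thread_mask ? 3 : 1);   /* no match: next rule */
        if (r->thread_mask) {
            LD(args[0]);                          /* low 32 bits of clone flags (LE) */
            JMP(BPF_JSET, r->thread_mask, 1, 0);  /* thread flag set: skip the RET */
        }
        RET(r->action);
    }
    RET(SECCOMP_RET_ALLOW);
    return n;
}

/* Minimal cBPF interpreter covering only the opcodes build_filter() emits. */
static __u32 run_filter(const struct sock_filter *p, size_t len, const struct seccomp_data *d) {
    __u32 acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &p[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:       /* load one 32-bit word of seccomp_data */
            if (in->k + sizeof acc > sizeof *d) abort();
            memcpy(&acc, (const char *)d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:  pc += (acc == in->k) ? in->jt : in->jf; break;
        case BPF_JMP | BPF_JSET | BPF_K: pc += (acc & in->k) ? in->jt : in->jf; break;
        case BPF_RET | BPF_K:            return in->k;
        default:                         abort();   /* opcode we never emit */
        }
    }
    abort();   /* the kernel rejects a program that can run off the end */
}

/* Evaluate the policy for one hypothetical syscall without installing it. */
static __u32 decide(__u32 arch, int nr, __u64 arg0) {
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { arg0 } };
    return run_filter(prog, build_filter(), &d);
}

static int install_filter(void) {
    struct sock_fprog fp = { .len = (unsigned short)build_filter(), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp);
}
static void *thread_fn(void *arg) { return arg; }
int main(void) {
    pthread_t t;
    if (install_filter() != 0) { perror("install_filter"); return 1; }
    pid_t pid = fork();                      /* clone() without CLONE_THREAD */
    if (pid == 0) _exit(0);
    printf("fork: %s\n", pid < 0 ? strerror(errno) : "allowed (unexpected)");
    int rc = pthread_create(&t, NULL, thread_fn, NULL);   /* clone3 ENOSYS, then clone() */
    printf("pthread_create: %s\n", rc ? strerror(rc) : "allowed");
    return rc ? 1 : pthread_join(t, NULL);
}
```

Build with `cc -o spawnblock spawnblock.c` (add `-pthread` on glibc older than 2.34); run it and fork() reports EPERM while the thread is created. Two caveats the example bakes in as assumptions: the flags are args[0] only on architectures with the common clone() argument order (s390 passes them second), and loading the low 32 bits of args[0] assumes a little-endian seccomp_data. The ENOSYS action on clone3 is what keeps threads working, because glibc's clone3 fallback is keyed on ENOSYS; returning EPERM there would surface as a pthread_create() failure.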