Enable `process_vm_readv` and `process_vm_writev` for kernel > 4.8
These syscalls were disabled in #18971 due to them requiring CAP_PTRACE. CAP_PTRACE was blocked by default due to a ptrace-related exploit. This has been patched in the Linux kernel (version 4.8) and thus `ptrace` has been re-enabled. However, these associated syscalls seem to have been left behind. This commit brings them in line with `ptrace`, and re-enables them for kernel > 4.8. Signed-off-by: clubby789 <jamie@hill-daniel.co.uk>
parent
2ae2ddf51d
commit
d39b075302
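--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -401,6 +401,8 @@
 },
 {
 "names": [
+"process_vm_readv",
+"process_vm_writev",
 "ptrace"
 ],
 "action": "SCMP_ACT_ALLOW",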
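--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -390,7 +390,11 @@ func DefaultProfile() *Seccomp {
 Args: []*specs.LinuxSeccompArg{},
 },
 {
-Names: []string{"ptrace"},
+Names: []string{
+"process_vm_readv",
+"process_vm_writev",
+"ptrace",
+},
 Action: specs.ActAllow,
 Includes: Filter{
 MinKernel: &KernelVersion{4, 8},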
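Review bot: The new rule allows `process_vm_readv` and `process_vm_writev` with only a kernel-version filter, and nothing in the hunk records why that gate alone is sufficient for cross-process memory access; a comment on the `Names` field would save the next reader from re-deriving it, e.g. `// process_vm_readv/writev are subject to the same ptrace access check as ptrace itself, so they follow the same MinKernel gate.` As far as I know that is the kernel's behaviour, but the commit should state it explicitly rather than rely on the ptrace history alone. The description says "kernel > 4.8" while the filter uses `MinKernel: &KernelVersion{4, 8}`; if MinKernel is inclusive (its comparison is not in this hunk) the description should say 4.8 or later. `DefaultProfile` and the `Filter` literal both continue outside the hunk, and the JSON section above carries the same change.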