From 30c81ce01fe614c0de0580a4cad7d3f14e6af06f Mon Sep 17 00:00:00 2001
From: Robert Swiecki
Date: Tue, 9 Aug 2022 16:38:12 +0200
Subject: [PATCH] configs: block sched_setaffinity where max_cpus is used
---
 configs/bash-with-fake-geteuid.cfg | 2 +-
 configs/xchat-with-net.cfg | 15 +++++++++------
 configs/znc-with-net.cfg | 16 ++++++++++------
 3 files changed, 20 insertions(+), 13 deletions(-)
diff --git a/configs/bash-with-fake-geteuid.cfg b/configs/bash-with-fake-geteuid.cfg
index ef873e1..ad22c81 100644
--- a/configs/bash-with-fake-geteuid.cfg
+++ b/configs/bash-with-fake-geteuid.cfg
@@ -176,7 +176,7 @@ mount {
 }
 seccomp_string: "ERRNO(1337) { geteuid } "
-seccomp_string: "ERRNO(0) { ptrace } "
+seccomp_string: "ERRNO(1) { ptrace, sched_setaffinity } "
 seccomp_string: "KILL_PROCESS { syslog } "
 seccomp_string: "DEFAULT ALLOW "
diff --git a/configs/xchat-with-net.cfg b/configs/xchat-with-net.cfg
index 275c370..6a4873a 100644
--- a/configs/xchat-with-net.cfg
+++ b/configs/xchat-with-net.cfg
@@ -133,12 +133,15 @@ mount {
 is_bind: true
 }
-seccomp_string: "KILL_PROCESS {"
-seccomp_string: " ptrace,"
-seccomp_string: " process_vm_readv,"
-seccomp_string: " process_vm_writev"
-seccomp_string: "}"
-seccomp_string: "DEFAULT ALLOW"
+seccomp_string: "KILL_PROCESS { "
+seccomp_string: " ptrace, "
+seccomp_string: " process_vm_readv, "
+seccomp_string: " process_vm_writev "
+seccomp_string: "}, "
+seccomp_string: "ERRNO(1) { "
+seccomp_string: " sched_setaffinity "
+seccomp_string: "} "
+seccomp_string: "DEFAULT ALLOW "
 exec_bin {
 path: "/usr/bin/xchat"
diff --git a/configs/znc-with-net.cfg b/configs/znc-with-net.cfg
index 13c5107..fbfd984 100644
--- a/configs/znc-with-net.cfg
+++ b/configs/znc-with-net.cfg
@@ -15,6 +15,7 @@ cwd: "/home/znc"
 daemon: true
 time_limit: 0
+max_cpus: 1
 envar: "HOME=/home/znc"
 envar: "TMP=/tmp"
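Review bot: The replaced line in bash-with-fake-geteuid.cfg also changes the ptrace action from `ERRNO(0)` to `ERRNO(1)`, so a ptrace call in this jail now fails with EPERM instead of returning 0 without doing anything, and the subject line only mentions adding sched_setaffinity; if the old fake-success behaviour was deliberate (this config fakes geteuid the same way), the ptrace change should be named in the message or split out. As a point of style, this hunk writes the action blocks back to back (`"ERRNO(1) { ptrace, sched_setaffinity } "` directly followed by `"KILL_PROCESS { syslog } "`) while the xchat and znc hunks of the same commit separate blocks with `"}, "`; unless both spellings parse identically, one form should be used in all three files. The diffstat for this file shows only the one-line change, so whether it sets max_cpus elsewhere, as the subject implies, cannot be checked from the hunk.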
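Review bot: The trailing space inside every rewritten seccomp_string value in xchat-with-net.cfg (`" ptrace, "`, `"} "`, `"DEFAULT ALLOW "`) appears to be load-bearing — the rewrite suggests the entries are joined as-is into one policy string, where the old `"}"` followed by `"DEFAULT ALLOW"` would have produced `}DEFAULT ALLOW` — yet nothing in the file says so, and a later tidy-up of the strings would silently break the policy. Add a comment above the block, `# seccomp_string values are concatenated verbatim: keep the trailing space inside each quoted string`, assuming the config format accepts `#` comments. It would also help to state next to `ERRNO(1) { sched_setaffinity }` why the call is refused with an errno rather than killed, since that reasoning currently lives only in the commit subject. The znc hunk of this commit contains the identical rewrite and should carry the same comments.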
@@ -122,12 +123,15 @@ mount {
 mandatory: true
 }
-seccomp_string: "KILL_PROCESS {"
-seccomp_string: " ptrace,"
-seccomp_string: " process_vm_readv,"
-seccomp_string: " process_vm_writev"
-seccomp_string: "}"
-seccomp_string: "DEFAULT ALLOW"
+seccomp_string: "KILL_PROCESS { "
+seccomp_string: " ptrace, "
+seccomp_string: " process_vm_readv, "
+seccomp_string: " process_vm_writev "
+seccomp_string: "}, "
+seccomp_string: "ERRNO(1) { "
+seccomp_string: " sched_setaffinity "
+seccomp_string: "} "
+seccomp_string: "DEFAULT ALLOW "
 exec_bin {
 path: "/usr/bin/znc"
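Review bot: The new `ERRNO(1) { sched_setaffinity }` block in znc-with-net.cfg only makes sense together with the `max_cpus: 1` line added in this file's first hunk, and neither line records that dependency; someone later raising or removing max_cpus would have no hint that the seccomp rule exists, presumably, to stop the jailed process from widening the CPU mask the limit imposes. Suggest a comment next to `max_cpus: 1`, `# enforced by the ERRNO(1) { sched_setaffinity } seccomp rule below`, and a matching one above this seccomp block, if the config format accepts `#` comments.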