Skip to content

seccomp v0.2.3

Latest
Latest

Choose a tag to compare

View all tags
@thaJeztah thaJeztah released this 06 May 12:55
seccomp/v0.2.3
This tag was signed with the committer’s verified signature.
thaJeztah Sebastiaan van Stijn
GPG key ID: 76698F39D527CE8C
Verified
Learn about vigilant mode.
836ae4d
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

What's Changed

Revert "seccomp: Block socketcall to prevent AF_ALG filter bypass"

Blocking whole socketcall had much bigger impact on x86 binaries than
anticipated. Drop the seccomp based block in favor of AppArmor/SELinux
based one.

Seccomp cannot filter socketcall(2) arguments because the address family
is behind a userspace pointer that BPF cannot dereference.

Only an LSM (AppArmor or SELinux) can deny AF_ALG via the
security_socket_create hook in the socketcall path.

Full Changelog: seccomp/v0.2.2...seccomp/v0.2.3

Assets 2
Loading