From 17e710f2c401eb791f7b80c07872e2dc311d6b54 Mon Sep 17 00:00:00 2001 From: Ryan Voots Date: Mon, 23 Oct 2017 12:32:28 -0700 Subject: [PATCH] Fix formatting change date --- blog/2017/10/{10 => 23}/seccomp-and-you/index.markdown | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) rename blog/2017/10/{10 => 23}/seccomp-and-you/index.markdown (95%) diff --git a/blog/2017/10/10/seccomp-and-you/index.markdown b/blog/2017/10/23/seccomp-and-you/index.markdown similarity index 95% rename from blog/2017/10/10/seccomp-and-you/index.markdown rename to blog/2017/10/23/seccomp-and-you/index.markdown index 46f1b61..1bb43f3 100644 --- a/blog/2017/10/10/seccomp-and-you/index.markdown +++ b/blog/2017/10/23/seccomp-and-you/index.markdown @@ -55,7 +55,7 @@ means allowing time(), and similar calls, and sleep() along with Time::HiRes. - ruby_timer_thread This one is a special ruby specific profile. It allows ruby to create a thread that it uses internally, and only allows that thread creation with a specific set of flags, -CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID +`CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID` This prevents it from doing arbitrary fork() calls, while still allowing the interpreter to run. It also allows for pipe2 to be called to create communication between the two threads. 
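Review bot: wrapping the CLONE_* list in backticks makes it an inline code span, but it is still one unbroken token of well over 100 characters, so it will not wrap and will overflow on narrow layouts; a fenced code block on its own line would render better than an inline span. The surrounding sentence also says the profile "only allows that thread creation with a specific set of flags" without stating how the check is made (an exact match on the clone flags argument versus permitting any subset of them), which is exactly the detail a reader adapting ruby_timer_thread to another runtime would need; one sentence naming the comparison would close that gap.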
@@ -81,13 +81,14 @@ There's also some other profiles like ruby_timer_thread specifically for allowin to do similar things to ruby (create a thread, use epoll, etc.). -=== Handling flags to syscalls +Handling flags to syscalls +========================== The way the rules are defined allow syscalls like open() to not need special handling. Since many syscalls can take flags, it's useful to be able to limit the flags they can take. - {syscall => 'openat', permute_rules => [['2', '==', \'open_modes']]}, + {syscall => 'openat', permute_rules => [['2', '==', \'open_modes']]}, Inside A::ESA::Seccomp you can define a syscall like the above, to take a set of automatically generated rules from a permutation. In this cases it's called 'open_modes'.
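Review bot: the `=` underline produces a top-level (H1) heading, so check that the other section headings in the post use the same style and level; if the rest of the post uses `##`-style headings this section will render one level above them. Indenting `{syscall => 'openat', permute_rules => [['2', '==', \'open_modes']]},` into a code block is the right fix, but an indented code block only renders as code when preceded by a blank line, so confirm the line before it is blank rather than the end of the "flags they can take" paragraph. Two smaller points in the unchanged context: "In this cases" should read "In this case", and the referenced 'open_modes' permutation is never shown, so the reader cannot see which flag combinations the generated rules actually allow; quoting its definition next to the rule would make the example self-contained.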