Don't allow access to the kernel keyring

For now, we don't use the kernel keyring for anything, so it is better to shut off the access to it.
2026-02-06 22:11:32 -05:00 · 2016-09-18 16:50:32 -04:00
parent 4b3636a452
commit 2bfb1b435a
1 changed files with 5 additions and 0 deletions
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -3026,6 +3026,11 @@ setup_seccomp (GPtrArray  *argv_array,
    /* Don't allow reading current quota use */
    {SCMP_SYS (quotactl)},

+    /* Don't allow access to the kernel keyring */
+    {SCMP_SYS (add_key)},
+    {SCMP_SYS (keyctl)},
+    {SCMP_SYS (request_key)},
+
    /* Scary VM/NUMA ops */
    {SCMP_SYS (move_pages)},
    {SCMP_SYS (mbind)},