mirror of
https://github.com/flatpak/flatpak.git
synced 2026-07-01 19:57:01 -04:00
run: Block setns()
If we don't allow unshare() or clone() with CLONE_NEWUSER, we also shouldn't allow joining an existing (but different) namespace. Partially fixes GHSA-67h7-w3jq-vh4q. Signed-off-by: Simon McVittie <smcv@collabora.com>
This commit is contained in:
committed by
Alexander Larsson
parent
a245e402ce
commit
aacfed4b0b
@@ -2823,6 +2823,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
||||
|
||||
/* Don't allow subnamespace setups: */
|
||||
{SCMP_SYS (unshare), EPERM},
|
||||
{SCMP_SYS (setns), EPERM},
|
||||
{SCMP_SYS (mount), EPERM},
|
||||
{SCMP_SYS (pivot_root), EPERM},
|
||||
#if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
|
||||
|
||||
Reference in New Issue
Block a user