run: Block setns()

If we don't allow unshare() or clone() with CLONE_NEWUSER, we also
shouldn't allow joining an existing (but different) namespace.

Partially fixes GHSA-67h7-w3jq-vh4q.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie
2021-09-01 14:19:31 +01:00
committed by Alexander Larsson
parent a245e402ce
commit aacfed4b0b


@@ -2823,6 +2823,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
/* Don't allow subnamespace setups: */
{SCMP_SYS (unshare), EPERM},
{SCMP_SYS (setns), EPERM},
{SCMP_SYS (mount), EPERM},
{SCMP_SYS (pivot_root), EPERM},
#if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
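Review bot: The comment above the block, `/* Don't allow subnamespace setups: */`, no longer describes the full intent of the list once `{SCMP_SYS (setns), EPERM}` is added, since setns() joins an existing namespace rather than creating a new one; consider extending it to something like `/* Don't allow subnamespace setups, or joining an existing namespace: */` so the reason for the entry survives in the code and not only in the commit message. Returning EPERM is consistent with the neighbouring unshare/mount/pivot_root entries, so a sandboxed program that probes for namespace support gets a clean failure rather than being killed by the filter.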