gvisor/pkg/sentry/platform
Adin Scannell 463e73d46d Add seccomp filter configuration to ptrace stubs.
This is a defense-in-depth measure. If the sentry is compromised, this prevents
system call injection to the stubs. There is some complexity with respect to
ptrace and seccomp interactions, so this protection is not really available
for kernel versions < 4.8; this is detected dynamically.

Note that this also solves the vsyscall emulation issue by adding in
appropriate trapping for those system calls. It does mean that a compromised
sentry could theoretically inject these into the stub (ignoring the trap and
resume, thereby allowing execution), but they are harmless.

PiperOrigin-RevId: 216647581
Change-Id: Id06c232cbac1f9489b1803ec97f83097fcba8eb8
2018-10-10 22:40:28 -07:00
filemem Provide better message when memfd_create fails with ENOSYS 2018-09-18 02:09:28 -07:00
interrupt stateify: support explicit annotation mode; convert refs and stack packages. 2018-07-27 10:17:21 -07:00
kvm platform/kvm: Get max vcpu number dynamically by ioctl 2018-09-13 21:47:11 -07:00
procid Bump to Go 1.11 2018-08-28 09:22:41 -07:00
ptrace Add seccomp filter configuration to ptrace stubs. 2018-10-10 22:40:28 -07:00
ring0 Add separate Recycle method for allocator. 2018-08-22 14:16:04 -07:00
safecopy stateify: support explicit annotation mode; convert refs and stack packages. 2018-07-27 10:17:21 -07:00
BUILD Automated rollback of changelist 207037226 2018-08-02 10:42:48 -07:00
context.go Check in gVisor. 2018-04-28 01:44:26 -04:00
mmap_min_addr.go Check in gVisor. 2018-04-28 01:44:26 -04:00
platform.go Avoid reuse of pending SignalInfo objects 2018-09-14 17:39:25 -07:00