App-EvalServerAdvanced

lib/App/EvalServerAdvanced/Seccomp.pm

=head1 SECURITY

This is an exercise in defense in depth.  The default rulesets provide some
protection against accidentally running syscalls that are known to be dangerous.

This does not provide absolute security.  It relies on the allowed syscalls
being either likely to be safe or commonly required for normal programs to
function properly.

In particular, two syscalls involved in the Dirty COW kernel exploit,
C<madvise> and C<mmap>, are allowed; with these two you can actually trigger the
Dirty COW bug.  But because the default rules prevent you from creating threads,
you cannot set up the race condition needed to actually exploit it.  Be aware
that a profile which adds C<clone> with thread-creation flags (as the
C<lang_ruby> profile in the skeleton C<seccomp.yaml> does) hands that
capability back.  So you should still take other measures to protect yourself,
starting with a kernel that is patched against the bug and running the sandbox
as an unprivileged user in its own isolated environment.

=head1 KNOWN ISSUES

=over

=item A compilation error while loading a plugin from the plugin base directory causes the loader to fall back to attempting to load the fully qualified module name instead of failing.  Future versions will make this a fatal error.

=back

skel-sandbox/etc/seccomp.yaml

      - syscall: gettid
      - syscall: getgid
      - syscall: getegid
      - syscall: getgroups
# System related
      - syscall: uname
# Non-opening file related calls
      - syscall: access
      - syscall: poll
      - syscall: readlink
# Safe threading related calls
      - syscall: arch_prctl
      - syscall: set_tid_address
      - syscall: set_robust_list
      - syscall: futex
# Limit/Capabilities related
      - syscall: getrlimit
      - syscall: prctl

  time_calls:
    rules:

skel-sandbox/etc/seccomp.yaml

  lang_ruby:
    include:
      - default
    rules:
      - syscall: clone
        tests:
          - [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
      - syscall: sigaltstack
      - syscall: pipe2
      - syscall: write
        tests: # Used for inter-thread communication.  The FD numbers may change between Ruby releases
          - [0, '==', 5]
      - syscall: write
        tests: # Used for inter-thread communication.  The FD numbers may change between Ruby releases
          - [0, '==', 7]

  stdio:
    rules:
      - syscall: read # Read from STDIN
        tests:
          - [0, '==', 0]
      - syscall: write # Write to STDOUT
        tests:
          - [0, '==', 1]
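To make the allow-list semantics of these profiles concrete (both the SECURITY section's "only the listed syscalls get through" model and the `include`/`tests` format of the `seccomp.yaml` excerpts above), here is an added Python model of how a profile decides a syscall. It is not code from App::EvalServerAdvanced, which compiles the YAML into a real BPF filter through libseccomp; it assumes a deny default, that the `tests` inside one rule are ANDed, that separate rules for the same syscall are ORed, and that `include` is resolved recursively. The profiles are constructed from the excerpts on this page, with `madvise` and `mmap` added to `default` because the SECURITY section says the default rules allow them; the `CLONE_*` values are the Linux flag constants needed to resolve the symbolic `clone` test.

```python
"""Model of how an allow-list seccomp profile in the style of
skel-sandbox/etc/seccomp.yaml decides a syscall.

Added example, not code from App::EvalServerAdvanced (which compiles the YAML
into a real BPF filter).  Assumptions: default action is deny; each `syscall`
entry is an allow rule; `tests` within one rule are ANDed; separate rules for
the same syscall are ORed; `include` pulls in other profiles recursively."""
import operator

# Linux clone(2) flag values (from <linux/sched.h>), used to resolve the
# symbolic 'CLONE_VM|CLONE_FS|...' operand in the lang_ruby profile.
CONSTANTS = {
    "CLONE_VM": 0x00000100, "CLONE_FS": 0x00000200, "CLONE_FILES": 0x00000400,
    "CLONE_SIGHAND": 0x00000800, "CLONE_THREAD": 0x00010000,
    "CLONE_SYSVSEM": 0x00040000, "CLONE_SETTLS": 0x00080000,
    "CLONE_PARENT_SETTID": 0x00100000, "CLONE_CHILD_CLEARTID": 0x00200000,
}

OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}

# The exact flag set glibc's pthread_create passes to clone(2).
PTHREAD_CLONE_FLAGS = ("CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|"
                       "CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|"
                       "CLONE_CHILD_CLEARTID")

# Constructed profiles mirroring the excerpts on this page (abridged).
# madvise/mmap are not in the excerpt, but the SECURITY section says the
# default rules allow them, so they are listed here.
PROFILES = {
    "default": {"rules": [
        {"syscall": "uname"}, {"syscall": "futex"}, {"syscall": "getrlimit"},
        {"syscall": "madvise"}, {"syscall": "mmap"},
    ]},
    "stdio": {"rules": [
        {"syscall": "read", "tests": [[0, "==", 0]]},    # only STDIN
        {"syscall": "write", "tests": [[0, "==", 1]]},   # only STDOUT
    ]},
    "lang_ruby": {"include": ["default"], "rules": [
        {"syscall": "clone", "tests": [[0, "==", PTHREAD_CLONE_FLAGS]]},
        {"syscall": "sigaltstack"},
        {"syscall": "pipe2"},
        {"syscall": "write", "tests": [[0, "==", 5]]},   # hard-coded VM pipe FDs
        {"syscall": "write", "tests": [[0, "==", 7]]},
    ]},
}


def resolve(value):
    """Turn a test operand into an int: plain ints pass through, strings are
    '|'-joined constant names OR-ed together."""
    if isinstance(value, int):
        return value
    result = 0
    for name in value.split("|"):
        result |= CONSTANTS[name.strip()]
    return result


def collect_rules(profiles, name, seen=None):
    """Flatten a profile and all its transitive includes into one rule list."""
    seen = set() if seen is None else seen
    if name in seen:                    # tolerate include cycles
        return []
    seen.add(name)
    prof = profiles[name]
    rules = []
    for included in prof.get("include", []):
        rules.extend(collect_rules(profiles, included, seen))
    rules.extend(prof.get("rules", []))
    return rules


def rule_matches(rule, syscall, args):
    """A rule matches when the syscall name matches and every test holds."""
    if rule["syscall"] != syscall:
        return False
    return all(OPS[op](args[argno], resolve(value))
               for argno, op, value in rule.get("tests", []))


def decide(profiles, names, syscall, args=()):
    """'allow' if any rule of any named profile matches, otherwise 'deny'
    (the deny default is what makes this an allow-list filter)."""
    args = tuple(args) + (0,) * (6 - len(args))   # syscalls carry up to 6 args
    for name in names:
        if any(rule_matches(r, syscall, args) for r in collect_rules(profiles, name)):
            return "allow"
    return "deny"


if __name__ == "__main__":
    active = ["lang_ruby", "stdio"]
    for call, argv in [("write", (1,)), ("write", (2,)), ("write", (6,)),
                       ("clone", (resolve(PTHREAD_CLONE_FLAGS),)), ("clone", (0,)),
                       ("uname", ()), ("open", ("/etc/passwd",))]:
        print(f"{call}{argv}: {decide(PROFILES, active, call, argv)}")
```

Two things the model makes visible: under `stdio` a `write` to fd 2 (stderr) is denied because only fd 1 is listed, and under `lang_ruby` a `write` to fd 6 is denied while fds 5 and 7 pass, which is exactly the brittleness the YAML comment warns about when the Ruby VM's internal pipe lands on different descriptors. The `clone` rule resolves to 0x3d0f00, the pthread_create flag set, so this profile does permit thread creation, the ingredient the SECURITY section says the default rules withhold; a `clone` with any other flag set (a plain fork-style call, for example) is still denied.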
