From: "Mike Frysinger" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Mike Frysinger" Message-ID: <1634833015.44ca5fb71633b9199971299268e34baa36de3d93.vapier@gentoo> Subject: [gentoo-commits] proj/sandbox:master commit in: /, libsandbox/ X-VCS-Repository: proj/sandbox X-VCS-Files: README.md libsandbox/trace.c X-VCS-Directories: libsandbox/ / X-VCS-Committer: vapier X-VCS-Committer-Name: Mike Frysinger X-VCS-Revision: 44ca5fb71633b9199971299268e34baa36de3d93 X-VCS-Branch: master Date: Thu, 21 Oct 2021 22:30:48 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: ac8d6c63-0e24-46b8-aced-19a06c7e7183 X-Archives-Hash: b0e291345a24540c76ae1e7602100fd8 commit: 44ca5fb71633b9199971299268e34baa36de3d93 Author: Mike Frysinger gentoo org> AuthorDate: Thu Oct 21 16:16:55 2021 +0000 Commit: Mike Frysinger gentoo org> CommitDate: Thu Oct 21 16:16:55 2021 +0000 URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=44ca5fb7 libsandbox: enable exitkill containment If the ptrace code crashes/aborts for any reason, don't let the tracee leak out. No one will be expecting this, and it could lead to zombie processes hanging around. This option is new to Linux 3.8. We could code this so that it would fallback automatically to older versions of Linux, but with 3.8 being released in 2013, doesn't seem like we need to support anyone that old. Signed-off-by: Mike Frysinger gentoo.org> README.md | 2 +- libsandbox/trace.c | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bf15128..087ff31 100644 --- a/README.md +++ b/README.md 
@@ -72,6 +72,6 @@ It requires: * s390 (32-bit & 64-bit) * x86 (32-bit & 64-bit & x32) * Operating system - * [Linux](https://kernel.org/) 2.6.20+ + * [Linux](https://kernel.org/) 3.8+ * C library * They all should work! diff --git a/libsandbox/trace.c b/libsandbox/trace.c index 8394b71..4d145a3 100644 --- a/libsandbox/trace.c +++ b/libsandbox/trace.c @@ -507,7 +507,12 @@ void trace_main(const char *filename, char *const argv[]) sb_debug("parent waiting for child (pid=%i) to signal", trace_pid); waitpid(trace_pid, NULL, 0); do_ptrace(PTRACE_SETOPTIONS, NULL, - (void *)(PTRACE_O_TRACESYSGOOD | PTRACE_O_TRACEEXEC | PTRACE_O_TRACEEXIT)); + (void *)(uintptr_t)( + PTRACE_O_EXITKILL | + PTRACE_O_TRACEEXEC | + PTRACE_O_TRACEEXIT | + PTRACE_O_TRACESYSGOOD + )); sb_close_all_fds(); trace_loop(); sb_ebort("ISE: child should have quit, as should we\n");
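Review bot: The README hunk raises the supported kernel from 2.6.20+ to 3.8+ without saying why; a one-line note in the README (or the project's changelog) that the floor is set by PTRACE_O_EXITKILL would help users on an older kernel understand why sandbox now fails at PTRACE_SETOPTIONS rather than at some unrelated point. The "C library" and "They all should work!" bullets also sit right next to the new hard kernel requirement, so consider stating whether any minimum libc version is needed for the PTRACE_O_EXITKILL constant to be present in sys/ptrace.h.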
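Review bot: In the trace.c hunk, adding PTRACE_O_EXITKILL to the PTRACE_SETOPTIONS mask means the call returns EINVAL on kernels older than 3.8, and nothing visible in the hunk shows how do_ptrace() reacts to that failure. The commit message explicitly drops the fallback, so please confirm do_ptrace() aborts on a failed PTRACE_SETOPTIONS (otherwise the tracee keeps running with no options set at all, which is worse than before), and consider a clear diagnostic such as "kernel too old, PTRACE_O_EXITKILL requires Linux 3.8+" in that path. Two smaller points: the new `(void *)(uintptr_t)(...)` cast needs `<stdint.h>` (or a header that pulls it in), which the hunk does not show, and if the build's sys/ptrace.h predates the constant a local `#ifndef PTRACE_O_EXITKILL` define would avoid a compile failure. Note also that the option is only armed once this call succeeds, after the initial waitpid() stop, so the exit-kill guarantee covers everything from trace_loop() onward but not the short window before it; that matches the intent stated in the commit message and is worth a comment next to the call.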