commit: 44ca5fb71633b9199971299268e34baa36de3d93 Author: Mike Frysinger <vapier <AT> gentoo <DOT> org> AuthorDate: Thu Oct 21 16:16:55 2021 +0000 Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> CommitDate: Thu Oct 21 16:16:55 2021 +0000 URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=44ca5fb7
libsandbox: enable exitkill containment If the ptrace code crashes/aborts for any reason, don't let the tracee leak out. No one will be expecting this, and it could lead to zombie processes hanging around. This option is new to Linux 3.8. We could code this so that it would fallback automatically to older versions of Linux, but with 3.8 being released in 2013, doesn't seem like we need to support anyone that old. Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org> README.md | 2 +- libsandbox/trace.c | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bf15128..087ff31 100644 --- a/README.md +++ b/README.md @@ -72,6 +72,6 @@ It requires: * s390 (32-bit & 64-bit) * x86 (32-bit & 64-bit & x32) * Operating system - * [Linux](https://kernel.org/) 2.6.20+ + * [Linux](https://kernel.org/) 3.8+ * C library * They all should work! diff --git a/libsandbox/trace.c b/libsandbox/trace.c index 8394b71..4d145a3 100644 --- a/libsandbox/trace.c +++ b/libsandbox/trace.c @@ -507,7 +507,12 @@ void trace_main(const char *filename, char *const argv[]) sb_debug("parent waiting for child (pid=%i) to signal", trace_pid); waitpid(trace_pid, NULL, 0); do_ptrace(PTRACE_SETOPTIONS, NULL, - (void *)(PTRACE_O_TRACESYSGOOD | PTRACE_O_TRACEEXEC | PTRACE_O_TRACEEXIT)); + (void *)(uintptr_t)( + PTRACE_O_EXITKILL | + PTRACE_O_TRACEEXEC | + PTRACE_O_TRACEEXIT | + PTRACE_O_TRACESYSGOOD + )); sb_close_all_fds(); trace_loop(); sb_ebort("ISE: child should have quit, as should we\n");
