In ptrace(2) intercept mode, add execveat to the seccomp(2) filter.

This allows us to avoid logging the initial command twice regardless
of whether the kernel supports execveat(2) or not.
Todd C. Miller
2022-04-29 13:09:03 -06:00
parent 052d3d1d91
commit 4010d06ed0
2 changed files with 43 additions and 29 deletions
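The commit message says the fix is to put execveat(2) in the seccomp(2) filter alongside execve(2), so the tracer sees the initial command's exec exactly once whichever system call the C library's fexecve(3) ends up making. The following is an added example and not sudo's own code: it builds such a filter (SECCOMP_RET_TRACE for both exec calls, SECCOMP_RET_ALLOW for everything else, kill on an ABI mismatch) and includes a small interpreter so the filter can be exercised offline against a constructed `struct seccomp_data`. The names `exec_filter_action()`, `install_exec_filter()`, `run_exec_filter()` and the `EXAMPLE_AUDIT_ARCH` macro are assumptions of this example.

```c
/* Added example, not sudo's code: seccomp filter that traces execve(2) and
 * execveat(2), plus a toy interpreter to evaluate it without installing it. */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS
# define SECCOMP_RET_KILL_PROCESS 0x80000000U   /* older headers */
#endif
#ifndef SECCOMP_SET_MODE_FILTER
# define SECCOMP_SET_MODE_FILTER 1
#endif

#if defined(__x86_64__)
# define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
# define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
# define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_I386
#else
# define EXAMPLE_AUDIT_ARCH 0U   /* unknown ABI: install_exec_filter() refuses to load */
#endif

/* Kill on a foreign ABI, trace both exec system calls, allow everything else. */
static const struct sock_filter exec_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_AUDIT_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 1, 0),    /* match: jump to TRACE */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 0, 1),  /* miss: jump to ALLOW */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Interpreter for the three instruction forms used above (absolute load,
 * jump-if-equal-immediate, return-immediate). Not a general cBPF interpreter. */
static uint32_t
run_exec_filter(const struct seccomp_data *sd)
{
    const size_t len = sizeof(exec_filter) / sizeof(exec_filter[0]);
    uint32_t acc = 0;

    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &exec_filter[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS: {
            uint32_t word;
            if (in->k + sizeof(word) > sizeof(*sd))
                return SECCOMP_RET_KILL_PROCESS;     /* out-of-range load */
            memcpy(&word, (const unsigned char *)sd + in->k, sizeof(word));
            acc = word;
            break;
        }
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;  /* offsets are relative to pc + 1 */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;         /* never produced by this filter */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;                 /* fell off the end */
}

/* Action the filter takes for system call nr issued under ABI arch. */
uint32_t
exec_filter_action(uint32_t arch, int nr)
{
    struct seccomp_data sd;   /* constructed input: only nr and arch are consulted */
    memset(&sd, 0, sizeof(sd));
    sd.nr = nr;
    sd.arch = arch;
    return run_exec_filter(&sd);
}

/* Load the filter into the calling process; 0 on success, -1 on failure.
 * A tracer using PTRACE_O_TRACESECCOMP must be attached, or traced exec
 * calls fail with ENOSYS. */
int
install_exec_filter(void)
{
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(exec_filter) / sizeof(exec_filter[0])),
        .filter = (struct sock_filter *)exec_filter,
    };

    if (EXAMPLE_AUDIT_ARCH == 0U)
        return -1;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)   /* required without CAP_SYS_ADMIN */
        return -1;
#ifdef SYS_seccomp
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog);
#else
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);   /* pre-3.17 fallback */
#endif
}

int
main(void)
{
    printf("execve   -> %#x\n", exec_filter_action(EXAMPLE_AUDIT_ARCH, __NR_execve));
    printf("execveat -> %#x\n", exec_filter_action(EXAMPLE_AUDIT_ARCH, __NR_execveat));
    printf("getpid   -> %#x\n", exec_filter_action(EXAMPLE_AUDIT_ARCH, __NR_getpid));
    return 0;
}
```

On the tracer side each SECCOMP_RET_TRACE produces a PTRACE_EVENT_SECCOMP stop in which the tracer reads the syscall number and arguments; with both exec calls in the filter, a counter like the `initial_command` one in this commit can skip the first stop without caring whether fexecve(3) was implemented with execveat(2) or with execve(2) on a kernel that lacks it.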


@@ -76,13 +76,9 @@ intercept_setup(int fd, struct sudo_event_base *evbase,
* We can perform a policy check immediately using ptrace(2)
* but should ignore the execve(2) of the initial command
* (and sesh for SELinux RBAC).
*
* If using fexecve(2) and the system doesn't support execveat(2),
* we may end up checking the initial command anyway.
*/
closure->state = RECV_POLICY_CHECK;
if (!ISSET(details->flags, CD_FEXECVE))
closure->initial_command++;
closure->initial_command = 1;
if (ISSET(details->flags, CD_RBAC_ENABLED))
closure->initial_command++;
} else {
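Review bot: the comment above the counter still says only "should ignore the execve(2) of the initial command", but `closure->initial_command = 1;` is now unconditional and no longer depends on CD_FEXECVE, which is only correct because execveat(2) is now in the seccomp(2) filter as the commit message says (the filter change is in the other file and not visible here). Since the old "If using fexecve(2) and the system doesn't support execveat(2)" caveat was dropped, consider replacing it with one line recording the new invariant, e.g. `* (the exec is reported whether it arrives as execve(2) or execveat(2))`, so a later reader does not reintroduce the CD_FEXECVE condition.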