author | Mike Frysinger <vapier@gentoo.org> | 2015-08-13 22:58:37 -0400 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2015-08-20 10:38:35 -0400 |
commit | a743806ea4868371cf182f783fdcfbf1b1f98202 (patch) | |
tree | dcc780ac28414218d37628b599881d2683bd4cf7 /security.h | |
parent | lddtree.sh: fix interp handling when doing a full listing (diff) | |
security: leverage namespaces to restrict the runtime a bit
In practice this isn't terribly useful as people aren't attacking these
tools, but might as well be paranoid.
It'd be nice to use mount & net namespaces too, but they're way too slow.
Diffstat (limited to 'security.h')
-rw-r--r-- | security.h | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/security.h b/security.h new file mode 100644 index 0000000..c93ec3e --- /dev/null +++ b/security.h @@ -0,0 +1,29 @@ +/* Various security related features. + * + * Copyright 2015 Gentoo Foundation + * Distributed under the terms of the GNU General Public License v2 + * + * Copyright 2015 Mike Frysinger - <vapier@gentoo.org> + */ + +#ifndef _PAX_SECURITY_H +#define _PAX_SECURITY_H + +/* Whether to enable features that significantly impact speed. */ +#ifdef SLOW_SECURITY +# define USE_SLOW_SECURITY 1 +#else +# define USE_SLOW_SECURITY 0 +#endif + +#ifdef __linux__ +/* Lock down the runtime; allow_forking controls whether to use a pidns. */ +void security_init(bool allow_forking); +/* Disable forking; usable only when allow_forking above was true. */ +void security_init_pid(void); +#else +static inline void security_init(bool allow_forking) {} +static inline void security_init_pid(void) {} +#endif + +#endif |
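Review bot: the prototypes and the non-Linux stubs at the end of the header (`void security_init(bool allow_forking);`) use `bool`, but the header includes nothing itself, so it compiles only if every includer has already pulled in `<stdbool.h>`; adding `#include <stdbool.h>` right after the include guard would make it self-contained. The comment on `security_init_pid` says it is usable only when `allow_forking` was true, but does not say what happens if it is called otherwise or that it has to follow `security_init`; stating the required call order in that comment would help callers. `USE_SLOW_SECURITY` is defined here but nothing in the header uses it, so the comment above it could name which features it gates. The guard name `_PAX_SECURITY_H` starts with an underscore followed by an uppercase letter, which C reserves for the implementation; `PAX_SECURITY_H` avoids that. Because the `#else` stubs are empty, non-Linux builds get no lockdown at all, which deserves a one-line comment next to the stubs.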