search

slimtoolkit / slim

Slim(toolkit): Don't change anything in your container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)
Apache License 2.0
19.21k stars 716 forks source link

sysenv_linux.go: fix SeccompMode always using /proc/self/ instead of $pid #474

Closed disconnect3d closed 1 year ago

disconnect3d commented 1 year ago

This commit fixes a bug in SeccompMode where the pid argument was unused while it should have been passed further to the function that creates the /proc/$pid/status path (and when pid=0 was provided, it returned /proc/self/status).

I have not tested this change, so please do. I have only spotted this bug by randomly looking at the relevant code.

As far as I checked, the bug fixed here -- where SeccompMode always returned seccomp status for the self and not the target process -- does not seem to be exploitable/triggerable anywhere else in the code. The SeccompMode seems to only be used in the same file as SeccompMode(pid=0). However, fixing this bug will prevent future bugs if SeccompMode were used with another pid argument.

kcq commented 1 year ago

Thank you @disconnect3d ! Nice catch :)