[PATCH v1] shebang: restrict python interactive prompt/interpreter
penguin-kernel at I-love.SAKURA.ne.jp
Fri Jun 9 23:04:32 UTC 2017
Matt Brown wrote:
> what does everyone thing about a envp_blacklist option that is a list of
> environmental variables that will be stripped from exec calls. This can
> be done in the LSM hook bprm_check_security.
Stripping argv can be done by remove_arg_zero(). But stripping specific
environmental variables is a bit complicated than what you would think. You
can see tomoyo_environ() for how to whitelist environmental variable names.
> Is there any reason on a hardened system why you would need the
> PYTHONINSPECT environmental variable?
TOMOYO and CaitSith try to check such factors (e.g. argv/envp as well as
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive