Add a rule to prevent various sandbox escapes

This used to be private, but since it apparently isn't anymore, we should forbid it ;)
author: jvoisin 2018-02-26 10:40:09 +0100
committer: jvoisin 2018-02-26 10:40:09 +0100
commit: b0fb67199808af09d78abc2ebfcdc10b8c45677c (patch)
tree: b536f22b6ecb151de60f1238feb94df5ae6d231a /config/default.rules
parent: 9e50afb09fa4efb012c0bd6e97ad7ac1b2a80f13 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/config/default.rules b/config/default.rules
index b52ae4c..8ac4498 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -4,6 +4,9 @@ sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").dr
 # Prevent various `mail`-related vulnerabilities
 sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
+# Since it's now burned, me might as well mitigate it publicly
+sp.disable_function.function("putenv").param("setting").value_r("LD_PRELOAD").drop()
 ##Prevent various `include`-related vulnerabilities
 sp.disable_function.function_r("^(?:require|include)_once$").value_r("\\.(?:php|php7|inc|tpl)$").allow();
 sp.disable_function.function_r("^require|include$").value_r("\\.(?:php|php7|inc|tpl)$").allow();
author	jvoisin	2018-02-26 10:40:09 +0100
committer	jvoisin	2018-02-26 10:40:09 +0100
commit	b0fb67199808af09d78abc2ebfcdc10b8c45677c (patch)
tree	b536f22b6ecb151de60f1238feb94df5ae6d231a /config/default.rules
parent	9e50afb09fa4efb012c0bd6e97ad7ac1b2a80f13 (diff)

diff --git a/config/default.rules b/config/default.rules index b52ae4c..8ac4498 100644 --- a/config/default.rules +++ b/config/default.rules
@@ -4,6 +4,9 @@ sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").dr
4	# Prevent various `mail`-related vulnerabilities	4	# Prevent various `mail`-related vulnerabilities
5	sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();	5	sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
6		6
		7	# Since it's now burned, me might as well mitigate it publicly
		8	sp.disable_function.function("putenv").param("setting").value_r("LD_PRELOAD").drop()
		9
7	##Prevent various `include`-related vulnerabilities	10	##Prevent various `include`-related vulnerabilities
8	sp.disable_function.function_r("^(?:require\|include)_once$").value_r("\\.(?:php\|php7\|inc\|tpl)$").allow();	11	sp.disable_function.function_r("^(?:require\|include)_once$").value_r("\\.(?:php\|php7\|inc\|tpl)$").allow();
9	sp.disable_function.function_r("^require\|include$").value_r("\\.(?:php\|php7\|inc\|tpl)$").allow();	12	sp.disable_function.function_r("^require\|include$").value_r("\\.(?:php\|php7\|inc\|tpl)$").allow();