PVF worker: Add seccomp restrictions (restrict networking) (#2009)

This commit is contained in:
Marcin S
2023-10-31 11:08:08 +01:00
committed by GitHub
parent 2d9426f1cc
commit 9faea380dc
27 changed files with 1376 additions and 714 deletions
@@ -126,6 +126,19 @@ with untrusted code does not have unnecessary access to the file-system. This
provides some protection against attackers accessing sensitive data or modifying
data on the host machine.
*Currently this is only supported on Linux.*
<!-- TODO: Uncomment when this has been enabled. -->
<!-- ### Restricting networking -->
<!-- We also disable networking on PVF threads by disabling certain syscalls, such as -->
<!-- the creation of sockets. This prevents attackers from either downloading -->
<!-- payloads or communicating sensitive data from the validator's machine to the -->
<!-- outside world. -->
<!-- *Currently this is only supported on Linux.* -->
### Clearing env vars
We clear environment variables before handling untrusted code, because why give
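Review bot: the "Restricting networking" section is added only inside HTML comments with a TODO to uncomment "when this has been enabled", yet the commit title says the seccomp networking restriction is added in this commit; a reader of the rendered document cannot tell whether socket creation is actually blocked on their validator. Either uncomment the section and state plainly what is enabled today, or replace the comment with a visible one-line note that the networking restriction is implemented but not yet enabled by default, and say what turns it on. Two smaller points in the same hunk: the commented text says "PVF threads" while the title and the surrounding section talk about the PVF worker, so pick one term; and "*Currently this is only supported on Linux.*" is now repeated under consecutive subsections, so consider stating it once for the whole sandboxing section.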