libsandbox: add SANDBOX_METHOD setting

This allows people to disable use of ptrace if their configuration does not support it. This forces older sandbox behavior where we cannot protect against static or set*id programs. Bug: https://bugs.gentoo.org/648516 Bug: https://bugs.gentoo.org/771360 Signed-off-by: Mike Frysinger <vapier@gentoo.org>
author: Mike Frysinger <vapier@gentoo.org> 2021-10-18 02:47:59 -0400
committer: Mike Frysinger <vapier@gentoo.org> 2021-10-18 02:47:59 -0400
commit: c4bf07615cd2e2ec25a16420d8ddee2efec6f8d2 (patch)
tree: 17cba0cfb546f72d1657d1380e30c5c88027d8b6 /etc
parent: libsbutil: add assert to testing code path (diff)
download: sandbox-c4bf07615cd2e2ec25a16420d8ddee2efec6f8d2.tar.gz
sandbox-c4bf07615cd2e2ec25a16420d8ddee2efec6f8d2.tar.bz2
sandbox-c4bf07615cd2e2ec25a16420d8ddee2efec6f8d2.zip
1 files changed, 11 insertions, 0 deletions
diff --git a/etc/sandbox.conf b/etc/sandbox.conf
index 2501e11..0d29a64 100644
--- a/etc/sandbox.conf
+++ b/etc/sandbox.conf
@@ -27,6 +27,17 @@
 #  Determine the use of color in the output.  Default is "false" (ie, use color)
 #NOCOLOR="false"
 
+# SANDBOX_METHOD
+#
+#  Control how processes are monitored.  See the README for system requirements
+#  for each setting, as well as particular limitations.  Changing this setting
+#  is not recommended.
+#
+#  Possible values:
+#  any: (default) Use any method of tracing available on the system.
+#  preload: Only use in-process LD_PRELOAD symbol interposing.
+#SANDBOX_METHOD="any"
+
 
 #
 # Namespace Section (Linux-only)
author	Mike Frysinger <vapier@gentoo.org>	2021-10-18 02:47:59 -0400
committer	Mike Frysinger <vapier@gentoo.org>	2021-10-18 02:47:59 -0400
commit	c4bf07615cd2e2ec25a16420d8ddee2efec6f8d2 (patch)
tree	17cba0cfb546f72d1657d1380e30c5c88027d8b6 /etc
parent	libsbutil: add assert to testing code path (diff)
download	sandbox-c4bf07615cd2e2ec25a16420d8ddee2efec6f8d2.tar.gz sandbox-c4bf07615cd2e2ec25a16420d8ddee2efec6f8d2.tar.bz2 sandbox-c4bf07615cd2e2ec25a16420d8ddee2efec6f8d2.zip