feat(framework): Disable process dumping for SuperExec on Linux#7003
feat(framework): Disable process dumping for SuperExec on Linux#7003danieljanes merged 2 commits intomainfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Adds a Linux-specific hardening step for SuperExec to prevent attaching debuggers/dumpers (e.g., via ptrace), aligning SuperExec behavior with the stated security goal.
Changes:
- Introduce
disable_process_dumping(strict: bool)inflwr.supercore.utilsusingprctl(PR_SET_DUMPABLE, 0)on Linux. - Call
disable_process_dumping(strict=False)at the start of theflower-superexecCLI entrypoint.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| framework/py/flwr/supercore/utils.py | Adds a Linux-only utility to disable process dumping/ptrace via prctl. |
| framework/py/flwr/supercore/cli/flower_superexec.py | Invokes the new utility at SuperExec startup. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bf1d27b1c9
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
github-actions
Bot
added
the
Maintainer
Verified by running
strace -p <pid>on WSL. The command can be attached toflower-superlinkbut notflower-superexec.