[PATCH] prevent SIGCONT from waking up a PTRACED process (CVE-2007-4774)

[PATCH] prevent SIGCONT from waking up a PTRACED process (CVE-2007-4774)

Tavis Ormandy discovered that it was possible to bypass systrace policies
by flooding the ptraced process with SIGCONT signals. The same is possible
with SIGKILL, but obviously the attacker has to finely adjust its target
as it can only shoot once.

This issue was assigned identifier CVE-2007-4774.

The following patch fixes the SIGCONT case and adds some documentation for
authors of monitoring programs such as systrace.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-by: Tavis Ormandy <taviso@sdf.lonestar.org>