path: root/patches/file-5.33/0001-add-more-syscalls-newfstatat-is-used-for-stat-ing-th.patch
From: Christos Zoulas <christos@zoulas.com>
Date: Sun, 6 May 2018 16:36:41 +0000
Subject: [PATCH] add more syscalls; newfstatat is used for stat'ing the magic
 file, getdents64 is used for getting the magic entries during compilation.

---
 src/seccomp.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/seccomp.c b/src/seccomp.c
index 7c8a31443b43..481a5624784c 100644
--- a/src/seccomp.c
+++ b/src/seccomp.c
@@ -27,7 +27,7 @@
 #include "file.h"
 
 #ifndef	lint
-FILE_RCSID("@(#)$File: seccomp.c,v 1.2 2017/11/04 01:14:25 christos Exp $")
+FILE_RCSID("@(#)$File: seccomp.c,v 1.3 2018/05/06 16:36:41 christos Exp $")
 #endif	/* lint */
 
 #if HAVE_LIBSECCOMP
@@ -59,12 +59,7 @@ enable_sandbox_basic(void)
 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
 		return -1;
 
-#if 0
-	// prevent escape via ptrace
-	prctl(PR_SET_DUMPABLE, 0);
-#endif
-
-	if (prctl (PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
+	if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
 		return -1;
 
 	// initialize the filter
@@ -171,6 +166,9 @@ enable_sandbox_full(void)
 	ALLOW_RULE(fcntl);  
 	ALLOW_RULE(fstat);
 	ALLOW_RULE(getdents);
+#ifdef __NR_getdents64
+	ALLOW_RULE(getdents64);
+#endif
 	ALLOW_RULE(ioctl);
 	ALLOW_RULE(lseek);
 	ALLOW_RULE(lstat);
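Review bot: The new allow rule here (and the matching one for newfstatat in the hunk at `@@ -178,6 +176,9 @@`) records no reason at the rule site, even though the commit message gives one: getdents64 is needed to read the magic entries during compilation and newfstatat is what stat'ing the magic file resolves to. The seccomp allow-list is the sandbox boundary, so each entry should carry its justification inline so a later audit can decide whether it is still required; suggest `ALLOW_RULE(getdents64); /* reading magic entries during compile */` here and `ALLOW_RULE(newfstatat); /* stat'ing the magic file */` in the later hunk. The `#ifdef __NR_*` guards keep the build working on architectures that lack these syscall numbers; whether ALLOW_RULE itself tolerates a name libseccomp does not know is not visible in the hunk. enable_sandbox_full begins outside the hunk.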
@@ -178,6 +176,9 @@ enable_sandbox_full(void)
 	ALLOW_RULE(mprotect);
 	ALLOW_RULE(mremap);
 	ALLOW_RULE(munmap);
+#ifdef __NR_newfstatat
+	ALLOW_RULE(newfstatat);
+#endif
 	ALLOW_RULE(open);
 	ALLOW_RULE(openat);
 	ALLOW_RULE(pread64);