- (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to

remind myself to add sandbox violation logging via the log socket.
author: Damien Miller <djm@mindrot.org> 2014-03-17 14:45:56 +1100
committer: Damien Miller <djm@mindrot.org> 2014-03-17 14:45:56 +1100
commit: 48abc47e60048461fe9117e108a7e99ea1ac2bb8 (patch)
tree: 83ea12268ed3c5999697b7d9e75bfed93e71c0d8
parent: 9c36698ca2f554ec221dc7ef29c7a89e97c88705 (diff)
2 files changed, 7 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 500087088..4e6b8b2d5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+20140317
+ - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to
+   remind myself to add sandbox violation logging via the log socket.
 20140314
 - (tim) [opensshd.init.in] Add support for ed25519
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index c0c17c2fc..c2be00696 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -25,6 +25,8 @@
 */
 /* #define SANDBOX_SECCOMP_FILTER_DEBUG 1 */
+/* XXX it should be possible to do logging via the log socket safely */
 #ifdef SANDBOX_SECCOMP_FILTER_DEBUG
 /* Use the kernel headers in case of an older toolchain. */
 # include <asm/siginfo.h>
@@ -89,6 +91,7 @@ static const struct sock_filter preauth_insns[] = {
        BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
                offsetof(struct seccomp_data, nr)),
        SC_DENY(open, EACCES),
+        SC_DENY(stat, EACCES),
        SC_ALLOW(getpid),
        SC_ALLOW(gettimeofday),
        SC_ALLOW(clock_gettime),
author	Damien Miller <djm@mindrot.org>	2014-03-17 14:45:56 +1100
committer	Damien Miller <djm@mindrot.org>	2014-03-17 14:45:56 +1100
commit	48abc47e60048461fe9117e108a7e99ea1ac2bb8 (patch)
tree	83ea12268ed3c5999697b7d9e75bfed93e71c0d8
parent	9c36698ca2f554ec221dc7ef29c7a89e97c88705 (diff)