diff options
| author | Colin Watson <cjwatson@debian.org> | 2017-01-03 14:01:56 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2017-01-16 15:02:55 +0000 |
| commit | 8c1a0893f0e55a793071af9734d2fa2eb1f3a2a6 (patch) | |
| tree | 1e071ee64db752562cd2f43e3c94eb793e9d55ab | |
| parent | 6ca09916439a58f0789deb79960ee5defc05a946 (diff) | |
Work around clock_gettime kernel bug on Linux x32
On Linux x32, the clock_gettime VDSO currently falls back to the x86-64
syscall, so allow that as well as its x32 sibling.
Bug-Debian: https://bugs.debian.org/849923
Forwarded: no
Last-Update: 2017-01-03
Patch-Name: sandbox-x32-workaround.patch
| -rw-r--r-- | sandbox-seccomp-filter.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index 2e1ed2c52..62c578d3c 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c | |||
| @@ -137,6 +137,15 @@ static const struct sock_filter preauth_insns[] = { | |||
| 137 | #endif | 137 | #endif |
| 138 | #ifdef __NR_clock_gettime | 138 | #ifdef __NR_clock_gettime |
| 139 | SC_ALLOW(clock_gettime), | 139 | SC_ALLOW(clock_gettime), |
| 140 | # if defined(__x86_64__) && defined(__ILP32__) | ||
| 141 | /* On Linux x32, the clock_gettime VDSO currently falls back to the | ||
| 142 | * x86-64 syscall (see https://bugs.debian.org/849923), so allow | ||
| 143 | * that too. | ||
| 144 | */ | ||
| 145 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, | ||
| 146 | __NR_clock_gettime & ~__X32_SYSCALL_BIT, 0, 1), | ||
| 147 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), | ||
| 148 | # endif | ||
| 140 | #endif | 149 | #endif |
| 141 | #ifdef __NR_close | 150 | #ifdef __NR_close |
| 142 | SC_ALLOW(close), | 151 | SC_ALLOW(close), |