Make seccomp-bpf sandbox work on Linux/X32

Allow clock_gettime syscall with X32 bit masked off. Apparently this is required for at least some kernel versions. bz#2142 Patch mostly by Colin Watson. ok dtucker@
author: Damien Miller <djm@mindrot.org> 2017-03-14 18:26:29 +1100
committer: Damien Miller <djm@mindrot.org> 2017-03-14 18:26:29 +1100
commit: f86586b03fe6cd8f595289bde200a94bc2c191af (patch)
tree: d867cefd2eae09d83447fb197f8a3aed5e9be06c /sandbox-seccomp-filter.c
parent: 2429cf78dd2a9741ce27ba25ac41c535274a0af6 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 14006b99a..3a1aedce7 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -228,7 +228,15 @@ static const struct sock_filter preauth_insns[] = {
        SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
        SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
        SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
-#endif /* defined(__NR_ioctl) && defined(__s390__) */
+#endif
+#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
+        /*
+         * On Linux x32, the clock_gettime VDSO falls back to the
+         * x86-64 syscall under some circumstances, e.g.
+         * https://bugs.debian.org/849923
+         */
+        SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
+#endif
        /* Default deny */
        BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
author	Damien Miller <djm@mindrot.org>	2017-03-14 18:26:29 +1100
committer	Damien Miller <djm@mindrot.org>	2017-03-14 18:26:29 +1100
commit	f86586b03fe6cd8f595289bde200a94bc2c191af (patch)
tree	d867cefd2eae09d83447fb197f8a3aed5e9be06c /sandbox-seccomp-filter.c
parent	2429cf78dd2a9741ce27ba25ac41c535274a0af6 (diff)

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index 14006b99a..3a1aedce7 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c
@@ -228,7 +228,15 @@ static const struct sock_filter preauth_insns[] = {
228	SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),	228	SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
229	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),	229	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
230	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),	230	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
231	#endif /* defined(__NR_ioctl) && defined(__s390__) */	231	#endif
		232	#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
		233	/*
		234	* On Linux x32, the clock_gettime VDSO falls back to the
		235	* x86-64 syscall under some circumstances, e.g.
		236	* https://bugs.debian.org/849923
		237	*/
		238	SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
		239	#endif
232		240
233	/* Default deny */	241	/* Default deny */
234	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),	242	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),