author | Damien Miller <djm@mindrot.org> | 2016-05-20 09:56:53 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2016-05-20 09:56:53 +1000 |
commit | f64062b1f74ad5ee20a8a49aab2732efd0f7ce30 (patch) | |
tree | 1b842e4810e86495a65474a9a54070e50ae92952 /sandbox-seccomp-filter.c | |
parent | 531c135409b8d8810795b1f3692a4ebfd5c9cae0 (diff) |
Deny lstat syscalls in seccomp sandbox
Avoids sandbox violations for some krb/gssapi libraries.
Diffstat (limited to 'sandbox-seccomp-filter.c')
-rw-r--r-- | sandbox-seccomp-filter.c | 6 |
1 files changed, 6 insertions, 0 deletions
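--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -103,6 +103,12 @@ static const struct sock_filter preauth_insns[] = {
 offsetof(struct seccomp_data, nr)),
 
 /* Syscalls to non-fatally deny */
+#ifdef __NR_lstat
+SC_DENY(lstat, EACCES),
+#endif
+#ifdef __NR_lstat64
+SC_DENY(lstat64, EACCES),
+#endif
 #ifdef __NR_fstat
 SC_DENY(fstat, EACCES),
 #endif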
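Review bot: The two new guards, `#ifdef __NR_lstat` and `#ifdef __NR_lstat64`, compile to nothing on Linux architectures that define neither syscall number (arm64 is one). There libc implements lstat() on top of `newfstatat` or `fstatat64`, so the krb/gssapi call this commit is meant to tolerate may still reach the filter's default action. The `preauth_insns[]` array starts and continues outside this hunk, so whether another entry already covers those syscalls cannot be checked from here. If none does, consider adding `#ifdef __NR_newfstatat` / `SC_DENY(newfstatat, EACCES),` / `#endif` and the `fstatat64` equivalent next to these entries. A short comment above the new entries, such as `/* lstat: called by some krb/gssapi libraries; deny non-fatally */`, would also record the reason in the file instead of only in the commit message.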