summaryrefslogtreecommitdiff
path: root/sandbox-seccomp-filter.c
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2016-05-20 09:56:53 +1000
committerDamien Miller <djm@mindrot.org>2016-05-20 09:56:53 +1000
commitf64062b1f74ad5ee20a8a49aab2732efd0f7ce30 (patch)
tree1b842e4810e86495a65474a9a54070e50ae92952 /sandbox-seccomp-filter.c
parent531c135409b8d8810795b1f3692a4ebfd5c9cae0 (diff)
Deny lstat syscalls in seccomp sandbox
Avoids sandbox violations for some krb/gssapi libraries.
Diffstat (limited to 'sandbox-seccomp-filter.c')
-rw-r--r--sandbox-seccomp-filter.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index d132e2646..2e1ed2c52 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -103,6 +103,12 @@ static const struct sock_filter preauth_insns[] = {
103 offsetof(struct seccomp_data, nr)), 103 offsetof(struct seccomp_data, nr)),
104 104
105 /* Syscalls to non-fatally deny */ 105 /* Syscalls to non-fatally deny */
106#ifdef __NR_lstat
107 SC_DENY(lstat, EACCES),
108#endif
109#ifdef __NR_lstat64
110 SC_DENY(lstat64, EACCES),
111#endif
106#ifdef __NR_fstat 112#ifdef __NR_fstat
107 SC_DENY(fstat, EACCES), 113 SC_DENY(fstat, EACCES),
108#endif 114#endif