author | Damien Miller <djm@mindrot.org> | 2017-03-14 18:26:29 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2017-03-14 18:26:29 +1100 |
commit | f86586b03fe6cd8f595289bde200a94bc2c191af (patch) | |
tree | d867cefd2eae09d83447fb197f8a3aed5e9be06c /sandbox-seccomp-filter.c | |
parent | 2429cf78dd2a9741ce27ba25ac41c535274a0af6 (diff) |
Make seccomp-bpf sandbox work on Linux/X32
Allow clock_gettime syscall with X32 bit masked off. Apparently
this is required for at least some kernel versions. bz#2142
Patch mostly by Colin Watson. ok dtucker@
Diffstat (limited to 'sandbox-seccomp-filter.c')
-rw-r--r-- | sandbox-seccomp-filter.c | 10 |
1 files changed, 9 insertions, 1 deletions
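--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -228,7 +228,15 @@ static const struct sock_filter preauth_insns[] = {
 SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
-#endif /* defined(__NR_ioctl) && defined(__s390__) */
+#endif
+#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
+/*
+ * On Linux x32, the clock_gettime VDSO falls back to the
+ * x86-64 syscall under some circumstances, e.g.
+ * https://bugs.debian.org/849923
+ */
+SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
+#endif
 
 /* Default deny */
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),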
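Review bot: The new `SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);` entry ends in a semicolon, but it sits inside the `preauth_insns[]` initializer list (the hunk header shows `static const struct sock_filter preauth_insns[] = {` and every neighbouring entry ends in a comma), so on an x32 build where the `#if` is true this is a syntax error rather than a working allow rule; it should read `SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),`. The slip is invisible on x86-64 and every other target because the whole block is compiled out there, so an x32 test-compile of this file is the only thing that would have caught it and should be done before this ships. The rule itself looks appropriately narrow: it admits a single extra syscall number with no argument constraints, which is what the VDSO fallback described in the comment needs, though whether the filter's architecture check (not visible in this hunk) treats the x32 and x86-64 numbers as the same ABI should be confirmed when reviewing the full file. The `preauth_insns[]` initializer begins before and ends after this hunk.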