authorDamien Miller <djm@mindrot.org>2017-03-14 18:26:29 +1100
committerDamien Miller <djm@mindrot.org>2017-03-14 18:26:29 +1100
commitf86586b03fe6cd8f595289bde200a94bc2c191af (patch)
treed867cefd2eae09d83447fb197f8a3aed5e9be06c /sandbox-seccomp-filter.c
parent2429cf78dd2a9741ce27ba25ac41c535274a0af6 (diff)
Make seccomp-bpf sandbox work on Linux/X32
Allow clock_gettime syscall with X32 bit masked off. Apparently this is required for at least some kernel versions. bz#2142 Patch mostly by Colin Watson. ok dtucker@
Diffstat (limited to 'sandbox-seccomp-filter.c')
-rw-r--r--sandbox-seccomp-filter.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 14006b99a..3a1aedce7 100644
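--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -228,7 +228,15 @@ static const struct sock_filter preauth_insns[] = {
  SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
  SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
  SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
-#endif /* defined(__NR_ioctl) && defined(__s390__) */
+#endif
+#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
+ /*
+ * On Linux x32, the clock_gettime VDSO falls back to the
+ * x86-64 syscall under some circumstances, e.g.
+ * https://bugs.debian.org/849923
+ */
+ SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
+#endif
 
  /* Default deny */
  BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),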
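Review bot: The added entry `SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);` ends in a semicolon although it sits inside the `preauth_insns[]` initializer, where every neighbouring entry ends in a comma. It should read `SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),`. The error only appears when the x32 `#if` is active, so builds on other architectures will not catch it, and the sandbox rule should be compiled and exercised on an x32 target before release. The new guard also does not test `defined(__NR_clock_gettime)`, unlike the `defined(__NR_ioctl)` pattern named in the removed `#endif` comment, and it may be worth adding if this file guards its other entries that way. The commit drops the trailing comment on the s390 `#endif` and leaves the new one bare; I would keep `#endif /* defined(__NR_ioctl) && defined(__s390__) */` and close the new block with `#endif /* x32 clock_gettime fallback */`. The initializer begins and ends outside this hunk.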