diff options
Diffstat (limited to 'sandbox-seccomp-filter.c')
-rw-r--r-- | sandbox-seccomp-filter.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index c0c17c2fc..c2be00696 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c | |||
@@ -25,6 +25,8 @@ | |||
25 | */ | 25 | */ |
26 | /* #define SANDBOX_SECCOMP_FILTER_DEBUG 1 */ | 26 | /* #define SANDBOX_SECCOMP_FILTER_DEBUG 1 */ |
27 | 27 | ||
28 | /* XXX it should be possible to do logging via the log socket safely */ | ||
29 | |||
28 | #ifdef SANDBOX_SECCOMP_FILTER_DEBUG | 30 | #ifdef SANDBOX_SECCOMP_FILTER_DEBUG |
29 | /* Use the kernel headers in case of an older toolchain. */ | 31 | /* Use the kernel headers in case of an older toolchain. */ |
30 | # include <asm/siginfo.h> | 32 | # include <asm/siginfo.h> |
@@ -89,6 +91,7 @@ static const struct sock_filter preauth_insns[] = { | |||
89 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, | 91 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, |
90 | offsetof(struct seccomp_data, nr)), | 92 | offsetof(struct seccomp_data, nr)), |
91 | SC_DENY(open, EACCES), | 93 | SC_DENY(open, EACCES), |
94 | SC_DENY(stat, EACCES), | ||
92 | SC_ALLOW(getpid), | 95 | SC_ALLOW(getpid), |
93 | SC_ALLOW(gettimeofday), | 96 | SC_ALLOW(gettimeofday), |
94 | SC_ALLOW(clock_gettime), | 97 | SC_ALLOW(clock_gettime), |