Diffstat (limited to 'sandbox-seccomp-filter.c')
-rw-r--r-- | sandbox-seccomp-filter.c | 10 |
1 files changed, 9 insertions, 1 deletions
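--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -228,7 +228,15 @@ static const struct sock_filter preauth_insns[] = {
 SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
-#endif /* defined(__NR_ioctl) && defined(__s390__) */
+#endif
+#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
+/*
+* On Linux x32, the clock_gettime VDSO falls back to the
+* x86-64 syscall under some circumstances, e.g.
+* https://bugs.debian.org/849923
+*/
+SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
+#endif
 
 /* Default deny */
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),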
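Review bot: The added `SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);` line ends in a semicolon, but per the hunk header it sits inside the `preauth_insns[]` initializer, where every neighbouring entry ends in a comma; it should read `SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),`. Because the line is compiled only under the x32 guard, the error stays invisible on other architectures, so an x32 build of this file is worth adding to the build checks. The entry also widens the pre-auth allowlist by one syscall number; whether the filter's architecture and syscall-number handling (not visible in this hunk) matches the masked value as intended should be confirmed on an x32 host. The array starts and ends outside the hunk.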