diff options
Diffstat (limited to 'sandbox-seccomp-filter.c')
-rw-r--r-- | sandbox-seccomp-filter.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index c0c17c2fc..b6f6258f2 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c | |||
@@ -25,6 +25,8 @@ | |||
25 | */ | 25 | */ |
26 | /* #define SANDBOX_SECCOMP_FILTER_DEBUG 1 */ | 26 | /* #define SANDBOX_SECCOMP_FILTER_DEBUG 1 */ |
27 | 27 | ||
28 | /* XXX it should be possible to do logging via the log socket safely */ | ||
29 | |||
28 | #ifdef SANDBOX_SECCOMP_FILTER_DEBUG | 30 | #ifdef SANDBOX_SECCOMP_FILTER_DEBUG |
29 | /* Use the kernel headers in case of an older toolchain. */ | 31 | /* Use the kernel headers in case of an older toolchain. */ |
30 | # include <asm/siginfo.h> | 32 | # include <asm/siginfo.h> |
@@ -89,6 +91,7 @@ static const struct sock_filter preauth_insns[] = { | |||
89 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, | 91 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, |
90 | offsetof(struct seccomp_data, nr)), | 92 | offsetof(struct seccomp_data, nr)), |
91 | SC_DENY(open, EACCES), | 93 | SC_DENY(open, EACCES), |
94 | SC_DENY(stat, EACCES), | ||
92 | SC_ALLOW(getpid), | 95 | SC_ALLOW(getpid), |
93 | SC_ALLOW(gettimeofday), | 96 | SC_ALLOW(gettimeofday), |
94 | SC_ALLOW(clock_gettime), | 97 | SC_ALLOW(clock_gettime), |
@@ -115,6 +118,10 @@ static const struct sock_filter preauth_insns[] = { | |||
115 | #ifdef __NR_mmap | 118 | #ifdef __NR_mmap |
116 | SC_ALLOW(mmap), | 119 | SC_ALLOW(mmap), |
117 | #endif | 120 | #endif |
121 | #ifdef __dietlibc__ | ||
122 | SC_ALLOW(mremap), | ||
123 | SC_ALLOW(exit), | ||
124 | #endif | ||
118 | SC_ALLOW(munmap), | 125 | SC_ALLOW(munmap), |
119 | SC_ALLOW(exit_group), | 126 | SC_ALLOW(exit_group), |
120 | #ifdef __NR_rt_sigprocmask | 127 | #ifdef __NR_rt_sigprocmask |