diff options
Diffstat (limited to 'sandbox-seccomp-filter.c')
| -rw-r--r-- | sandbox-seccomp-filter.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index b5cda70bb..f80981faf 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c | |||
| @@ -177,6 +177,9 @@ static const struct sock_filter preauth_insns[] = { | |||
| 177 | #ifdef __NR_shmdt | 177 | #ifdef __NR_shmdt |
| 178 | SC_DENY(__NR_shmdt, EACCES), | 178 | SC_DENY(__NR_shmdt, EACCES), |
| 179 | #endif | 179 | #endif |
| 180 | #ifdef __NR_ipc | ||
| 181 | SC_DENY(__NR_ipc, EACCES), | ||
| 182 | #endif | ||
| 180 | 183 | ||
| 181 | /* Syscalls to permit */ | 184 | /* Syscalls to permit */ |
| 182 | #ifdef __NR_brk | 185 | #ifdef __NR_brk |
| @@ -185,6 +188,9 @@ static const struct sock_filter preauth_insns[] = { | |||
| 185 | #ifdef __NR_clock_gettime | 188 | #ifdef __NR_clock_gettime |
| 186 | SC_ALLOW(__NR_clock_gettime), | 189 | SC_ALLOW(__NR_clock_gettime), |
| 187 | #endif | 190 | #endif |
| 191 | #ifdef __NR_clock_gettime64 | ||
| 192 | SC_ALLOW(__NR_clock_gettime64), | ||
| 193 | #endif | ||
| 188 | #ifdef __NR_close | 194 | #ifdef __NR_close |
| 189 | SC_ALLOW(__NR_close), | 195 | SC_ALLOW(__NR_close), |
| 190 | #endif | 196 | #endif |
| @@ -242,6 +248,15 @@ static const struct sock_filter preauth_insns[] = { | |||
| 242 | #ifdef __NR_nanosleep | 248 | #ifdef __NR_nanosleep |
| 243 | SC_ALLOW(__NR_nanosleep), | 249 | SC_ALLOW(__NR_nanosleep), |
| 244 | #endif | 250 | #endif |
| 251 | #ifdef __NR_clock_nanosleep | ||
| 252 | SC_ALLOW(__NR_clock_nanosleep), | ||
| 253 | #endif | ||
| 254 | #ifdef __NR_clock_nanosleep_time64 | ||
| 255 | SC_ALLOW(__NR_clock_nanosleep_time64), | ||
| 256 | #endif | ||
| 257 | #ifdef __NR_clock_gettime64 | ||
| 258 | SC_ALLOW(__NR_clock_gettime64), | ||
| 259 | #endif | ||
| 245 | #ifdef __NR__newselect | 260 | #ifdef __NR__newselect |
| 246 | SC_ALLOW(__NR__newselect), | 261 | SC_ALLOW(__NR__newselect), |
| 247 | #endif | 262 | #endif |