summaryrefslogtreecommitdiff
path: root/sandbox-seccomp-filter.c
AgeCommit message (Collapse)Author
2016-05-20Deny lstat syscalls in seccomp sandboxDamien Miller
Avoids sandbox violations for some krb/gssapi libraries.
2015-09-10allow getrandom syscall; from Felix von LeitnerDamien Miller
2015-06-30upstream commitdjm@openbsd.org
add getpid to sandbox, reachable by grace_alarm_handler reported by Jakub Jelen; bz#2419 Upstream-ID: d0da1117c16d4c223954995d35b0f47c8f684cd8
2015-06-25add missing pselect6Damien Miller
patch from Jakub Jelen
2015-06-17trivial optimisation for seccomp-bpfDamien Miller
When doing arg inspection and the syscall doesn't match, skip past the instruction that reloads the syscall into the accumulator, since the accumulator hasn't been modified at this point.
2015-06-17aarch64 support for seccomp-bpf sandboxDamien Miller
Also resort and tidy syscall list. Based on patches by Jakub Jelen bz#2361; ok dtucker@
2014-09-10 - (djm) [sandbox-seccomp-filter.c] Allow mremap and exit for DietLibc;Damien Miller
patch from Felix von Leitner; ok dtucker
2014-03-17 - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX toDamien Miller
remind myself to add sandbox violation logging via the log socket.
2014-02-06 - (djm) [sandbox-seccomp-filter.c] Not all Linux architectures defineDamien Miller
__NR_shutdown; some go via the socketcall(2) multiplexer.
2014-01-31 - (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2)Damien Miller
syscall from sandboxes; it may be called by packet_close.
2014-01-17 - (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c]Damien Miller
[sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c] [sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@
2013-06-02 - (dtucker) [sandbox-seccomp-filter.c] Allow clock_gettimeofday.Darren Tucker
2013-02-22 - (djm) [configure.ac sandbox-seccomp-filter.c] Support for LinuxDamien Miller
seccomp-bpf sandbox on ARM. Patch from shawnlandden AT gmail.com; ok dtucker
2012-07-06 - (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter isDamien Miller
not available. Allows use of sshd compiled on host with a filter-capable kernel on hosts that lack the support. bz#2011 ok dtucker@
2012-04-04 - (djm) [Makefile.in configure.ac sandbox-seccomp-filter.c] Add sandboxDamien Miller
mode for Linux's new seccomp filter; patch from Will Drewry; feedback and ok dtucker@