From e346421ca6852fbf9f95cf0e764ecc345e5ce21d Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Tue, 3 Jan 2017 14:01:56 +0000
Subject: Work around clock_gettime kernel bug on Linux x32
On Linux x32, the clock_gettime VDSO currently falls back to the x86-64
syscall, so allow that as well as its x32 sibling.
Bug-Debian: https://bugs.debian.org/849923
Forwarded: no
Last-Update: 2017-01-03
Patch-Name: sandbox-x32-workaround.patch
---
sandbox-seccomp-filter.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 2e1ed2c5..62c578d3 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -137,6 +137,15 @@ static const struct sock_filter preauth_insns[] = {
#endif
#ifdef __NR_clock_gettime
SC_ALLOW(clock_gettime),
+# if defined(__x86_64__) && defined(__ILP32__)
+ /* On Linux x32, the clock_gettime VDSO currently falls back to the
+ * x86-64 syscall (see https://bugs.debian.org/849923), so allow
+ * that too.
+ */
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K,
+ __NR_clock_gettime & ~__X32_SYSCALL_BIT, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+# endif
#endif
#ifdef __NR_close
SC_ALLOW(close),
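Review bot: The added `# if defined(__x86_64__) && defined(__ILP32__)` guard never checks `__X32_SYSCALL_BIT`, although the `BPF_JUMP` line two lines below depends on it, so the build breaks on an x32 toolchain whose headers lack that macro. I would write the guard as `# if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)`. The trade-off is that a missing macro then silently omits the workaround, and the VDSO fallback would hit the filter's default action. The open-coded `BPF_JUMP`/`BPF_STMT` pair presumably mirrors what `SC_ALLOW` expands to (its definition is outside this hunk), so I would extend the comment with `Keep in sync with SC_ALLOW; remove once the x32 VDSO no longer falls back.` to stop the two drifting apart and to stop the extra allowlist entry outliving the kernel bug. The `preauth_insns` array starts and ends outside the hunk, so the position of this entry relative to the filter's architecture check and default action cannot be confirmed from here.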