fix BPF

sandbox.c

@@ -24,6 +24,7 @@ sandbox()
 #include <linux/seccomp.h>
 
 #include <errno.h>
+#include <fcntl.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <seccomp.h>
@@ -162,18 +163,16 @@ sandbox()
 
 		SC_ALLOW(exit),
 		SC_ALLOW(exit_group),
-
+                /* allow only F_GETFL and F_SETFL fcntl */
-		/* allow only F_GETFL and F_SETFL fcntl */
+		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 6),
-		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 6);
 		BPF_STMT(BPF_LD  | BPF_W | BPF_ABS,
-		    (offsetof(struct seccomp_data, args[1])));
+		    (offsetof(struct seccomp_data, args[1]))),
-		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0 1);
+		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0, 1),
-		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
+		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
-		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1);
+		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1),
-		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
+		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
-		BPF_STMT(BPF_RET | BPF_K, SC_FAIL);
+		BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
-
+                /* re-load the syscall number */
-		/* re-load the syscall number */
 		BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
 		    (offsetof(struct seccomp_data, nr))),