sort syscalls in seccomp filter

2022-02-13 15:32:10 +00:00 · 2022-02-13 15:32:10 +00:00 · 94c5f99ab0
parent 67347fb021
commit 94c5f99ab0
1 changed files with 9 additions and 9 deletions
--- a/sandbox.c
+++ b/sandbox.c
@ -308,6 +308,9 @@ static struct sock_filter filter[] = {
 #ifdef __NR_fstat64
 	SC_ALLOW(fstat64),
 #endif
+#ifdef __NR_fstatat64
+	SC_ALLOW(fstatat64),
+#endif
 #ifdef __NR_getdents64
 	SC_ALLOW(getdents64),
 #endif
@ -326,6 +329,9 @@ static struct sock_filter filter[] = {
 	/* allow FIONREAD needed by libevent */
 	SC_ALLOW_ARG(__NR_ioctl, 1, FIONREAD),
 #endif
+#ifdef __NR__llseek
+	SC_ALLOW(_llseek),
+#endif
 #ifdef __NR_lseek
 	SC_ALLOW(lseek),
 #endif
@ -344,9 +350,6 @@ static struct sock_filter filter[] = {
 #ifdef __NR_newfstatat
 	SC_ALLOW(newfstatat),
 #endif
-#ifdef __NR_fstatat64
-	SC_ALLOW(fstatat64),
-#endif
 #ifdef __NR_oldfstat
 	SC_ALLOW(oldfstat),
 #endif
@ -374,6 +377,9 @@ static struct sock_filter filter[] = {
 #ifdef __NR_sendmsg
 	SC_ALLOW(sendmsg),
 #endif
+#ifdef __NR_sigreturn
+	SC_ALLOW(sigreturn),
+#endif
 #ifdef __NR_statx
 	SC_ALLOW(statx),
 #endif
@ -386,12 +392,6 @@ static struct sock_filter filter[] = {
 #ifdef __NR_writev
 	SC_ALLOW(writev),
 #endif
-#ifdef __NR__llseek
-	SC_ALLOW(_llseek),
-#endif
-#ifdef __NR_sigreturn
-	SC_ALLOW(sigreturn),
-#endif

 	/* disallow everything else */
 	BPF_STMT(BPF_RET | BPF_K, SC_FAIL),