From 94c5f99ab038efafa5f5a841d8092a995d9ee03c Mon Sep 17 00:00:00 2001
From: Omar Polo
Date: Sun, 13 Feb 2022 15:32:10 +0000
Subject: [PATCH] sort syscalls in seccomp filter
---
 sandbox.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/sandbox.c b/sandbox.c
index 2b5e9e0..8881cbb 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -308,6 +308,9 @@ static struct sock_filter filter[] = {
 #ifdef __NR_fstat64
 SC_ALLOW(fstat64),
 #endif
+#ifdef __NR_fstatat64
+ SC_ALLOW(fstatat64),
+#endif
 #ifdef __NR_getdents64
 SC_ALLOW(getdents64),
 #endif
@@ -326,6 +329,9 @@ static struct sock_filter filter[] = {
 /* allow FIONREAD needed by libevent */
 SC_ALLOW_ARG(__NR_ioctl, 1, FIONREAD),
 #endif
+#ifdef __NR__llseek
+ SC_ALLOW(_llseek),
+#endif
 #ifdef __NR_lseek
 SC_ALLOW(lseek),
 #endif
@@ -344,9 +350,6 @@ static struct sock_filter filter[] = {
 #ifdef __NR_newfstatat
 SC_ALLOW(newfstatat),
 #endif
-#ifdef __NR_fstatat64
- SC_ALLOW(fstatat64),
-#endif
 #ifdef __NR_oldfstat
 SC_ALLOW(oldfstat),
 #endif
@@ -374,6 +377,9 @@ static struct sock_filter filter[] = {
 #ifdef __NR_sendmsg
 SC_ALLOW(sendmsg),
 #endif
+#ifdef __NR_sigreturn
+ SC_ALLOW(sigreturn),
+#endif
 #ifdef __NR_statx
 SC_ALLOW(statx),
 #endif
@@ -386,12 +392,6 @@ static struct sock_filter filter[] = {
 #ifdef __NR_writev
 SC_ALLOW(writev),
 #endif
-#ifdef __NR__llseek
- SC_ALLOW(_llseek),
-#endif
-#ifdef __NR_sigreturn
- SC_ALLOW(sigreturn),
-#endif
 /* disallow everything else */
 BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
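Review bot: The three entries this commit moves (`fstatat64` in the first hunk, `_llseek` in the second and `sigreturn` in the fourth) carry no comment saying why they are allowed alongside `newfstatat`, `lseek` and the rest, whereas the `ioctl` entry explains itself ("needed by libevent"). These look like the names that 32-bit Linux ports use for those calls, so a one-line note such as `/* 32-bit ports: fstatat64 instead of newfstatat */` above each would keep a later cleanup from dropping them as apparent duplicates and killing the sandboxed process on those architectures. The `filter[]` array starts and ends outside the hunks shown.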
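Review bot: The sort key is not written down anywhere in the visible code: in the second hunk `_llseek` is filed under `l`, ahead of `lseek`, so the ordering ignores the leading underscore, which a plain byte-order sort would not do. A comment at the top of the allow list, e.g. `/* keep sorted by syscall name, ignoring leading underscores */`, would let the next addition land in the right place and keep an audit of this allowlist down to a quick scan for unexpected entries. The top of `filter[]` is outside the hunks, so the comment's exact position has to be chosen in the full file.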