From de4f71318422e6bd66ea7836dbb235ecb463f7f8 Mon Sep 17 00:00:00 2001
From: Omar Polo
Date: Wed, 20 Jan 2021 15:54:26 +0000
Subject: [PATCH] tighten the rules for fcntl allow only the F_GETFL and F_SETFL commands
---
 sandbox.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/sandbox.c b/sandbox.c
index 6b98d99..195fa36 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -145,7 +145,6 @@ sandbox()
 	SC_ALLOW(poll),
 #endif
 	SC_ALLOW(accept),
-	SC_ALLOW(fcntl),
 	SC_ALLOW(read),
 	SC_ALLOW(openat),
 	SC_ALLOW(fstat),
@@ -164,6 +163,20 @@ sandbox()
 	SC_ALLOW(exit),
 	SC_ALLOW(exit_group),
 
+	/* allow only F_GETFL and F_SETFL fcntl */
+	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 6);
+	BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
+	    (offsetof(struct seccomp_data, args[1])));
+	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0 1);
+	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
+	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1);
+	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
+	BPF_STMT(BPF_RET | BPF_K, SC_FAIL);
+
+	/* re-load the syscall number */
+	BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
+	    (offsetof(struct seccomp_data, nr))),
+
 	/* allow ioctl but only on fd 1, glibc doing stuff? */
 	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
 	BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
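Review bot: The seven new fcntl filter entries in the second hunk are terminated with `;` instead of `,`, and the F_GETFL test reads `F_GETFL, 0 1` with a comma missing, so the initializer they sit in (every surrounding context line and the ioctl entries below end in a comma) will not compile as written; each of those lines should end in `,` and the F_GETFL line should be `BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0, 1),`. The jump arithmetic itself looks right: a non-fcntl syscall skips the six instructions (load, two compare/allow pairs, SC_FAIL return) and lands on the `nr` reload, and an fcntl with any other command falls through to the `SC_FAIL` return. Because that hard-coded 6 has to track the length of the block, a comment such as `/* jf skips the 6 instructions up to the nr reload */` on the first BPF_JUMP would keep a later insertion from silently mis-routing the filter. F_GETFL and F_SETFL come from <fcntl.h>; if sandbox.c does not already include it, that include is needed as well. The enclosing sandbox() begins and ends outside this hunk.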