mirror of https://github.com/omar-polo/gmid.git
[seccomp] allow fcntl F_SETFD
musl does a F_SETFD in its fdopendir
parent
252908e6bb
commit
f88311e534
|
@ -179,17 +179,22 @@ sandbox()
|
|||
/* alpine on amd64 does a clock_gettime(2) */
|
||||
SC_ALLOW(clock_gettime),
|
||||
|
||||
/* for directory listing */
|
||||
SC_ALLOW(getdents64),
|
||||
|
||||
SC_ALLOW(exit),
|
||||
SC_ALLOW(exit_group),
|
||||
|
||||
/* allow only F_GETFL and F_SETFL fcntl */
|
||||
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 6),
|
||||
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 8),
|
||||
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
|
||||
(offsetof(struct seccomp_data, args[1]))),
|
||||
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0, 1),
|
||||
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
|
||||
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1),
|
||||
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
|
||||
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFD, 0, 1),
|
||||
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
|
||||
BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
|
||||
|
||||
/* re-load the syscall number */
|
||||
|
|
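Review bot: The comment above the fcntl filter still reads "allow only F_GETFL and F_SETFL fcntl", but the new code also returns SECCOMP_RET_ALLOW for F_SETFD, so the comment now understates what the sandbox permits; it should become `/* allow only F_GETFL, F_SETFL and F_SETFD fcntl */`. The false-branch skip on the `__NR_fcntl` test went from 6 to 8 by hand and has to equal the number of instructions down to the "re-load the syscall number" step, so a short comment stating that invariant next to the jump would help the next person who adds a command. The filter compares only a 32-bit load of `args[1]` and never looks at `args[2]`, which seems acceptable for F_SETFD since FD_CLOEXEC is its only flag, but that reasoning is worth recording in the comment too. sandbox() begins and ends outside this hunk, so whether other fcntl variants are handled elsewhere cannot be judged from here.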