authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 19:39:01 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 19:39:01 +0000
commit0feb9db220a276a2f8f29621dc8f04072bbfdd22 (patch)
tree926d3ec04fbe095eb6465e66c25c10c46aebd62c /lib/sandbox.c
parentReleasing progress-linux version 2.12.0-4~progress7.99u1. (diff)
Merging upstream version 2.12.1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'lib/sandbox.c')
-rw-r--r--lib/sandbox.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/sandbox.c b/lib/sandbox.c
index ca218f5..eaf8d1b 100644
--- a/lib/sandbox.c
+++ b/lib/sandbox.c
@@ -279,7 +279,7 @@ static scmp_filter_ctx make_seccomp_filter (bool permissive)
* Since I currently know of no library with suitable syscall lists,
* the syscall lists here are taken from
* systemd:src/shared/seccomp-util.c, last updated from commit
- * ab9617a76624c43a26de7e94424088ae171ebfef (2023-08-07).
+ * 85b774de49caff8be819f021740dd680ba76ab77 (2024-03-03).
*/
/* systemd: SystemCallFilter=@default */
@@ -383,6 +383,8 @@ static scmp_filter_ctx make_seccomp_filter (bool permissive)
SCMP_A1 (SCMP_CMP_MASKED_EQ, mode_mask, 0));
SC_ALLOW_ARG_1 ("fchmodat",
SCMP_A2 (SCMP_CMP_MASKED_EQ, mode_mask, 0));
+ SC_ALLOW_ARG_1 ("fchmodat2",
+ SCMP_A2 (SCMP_CMP_MASKED_EQ, mode_mask, 0));
}
SC_ALLOW ("fcntl");
SC_ALLOW ("fcntl64");
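Review bot: The new `fchmodat2` rule filters only the mode argument (`SCMP_A2`) and leaves the flags argument in position 3 unrestricted, but no comment says this is deliberate. Mode is the third parameter of `fchmodat2`, so the index matches the `fchmodat` rule above it; a one-line comment would record the intent, e.g. `/* fchmodat2: same mode check as fchmodat; the added flags argument is not restricted. */`. The definition of `mode_mask` and the enclosing `if` are outside this hunk, so which mode bits the mask refuses cannot be confirmed from here. It is also worth checking that `SC_ALLOW_ARG_1` skips the rule cleanly when the installed libseccomp cannot resolve the name `fchmodat2`, since that macro is not visible on this page.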
@@ -587,6 +589,11 @@ static scmp_filter_ctx make_seccomp_filter (bool permissive)
SC_ALLOW ("msgsnd");
}
+#if (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 5) || SCMP_VER_MAJOR > 2
+ if (seccomp_attr_set (ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2) < 0)
+ debug ("failed to set SCMP_FLTATR_CTL_OPTIMIZE\n");
+#endif /* libseccomp >= 2.5 */
+
return ctx;
}
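Review bot: The result of `seccomp_attr_set` is tested and then thrown away, so the debug line on failure cannot say why the attribute was rejected, and the literal `2` is unexplained. Keeping the code in a local, `int rc = seccomp_attr_set (ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);`, and printing `rc` in the message would make a failure diagnosable. A comment such as `/* 2 = binary-tree ordering of syscall checks; a performance hint only, so failure is not fatal. */` would explain both the value and why the filter is still returned. The `#if` compares the libseccomp header version at build time, so a failure here at run time presumably means an older shared library; the non-fatal handling covers that case. The body of `make_seccomp_filter` begins outside this hunk.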