Diffstat (limited to 'lib/sandbox.c')
-rw-r--r--lib/sandbox.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/sandbox.c b/lib/sandbox.c
index ca218f5..eaf8d1b 100644
--- a/lib/sandbox.c
+++ b/lib/sandbox.c
@@ -279,7 +279,7 @@ static scmp_filter_ctx make_seccomp_filter (bool permissive)
* Since I currently know of no library with suitable syscall lists,
* the syscall lists here are taken from
* systemd:src/shared/seccomp-util.c, last updated from commit
- * ab9617a76624c43a26de7e94424088ae171ebfef (2023-08-07).
+ * 85b774de49caff8be819f021740dd680ba76ab77 (2024-03-03).
*/
/* systemd: SystemCallFilter=@default */
@@ -383,6 +383,8 @@ static scmp_filter_ctx make_seccomp_filter (bool permissive)
SCMP_A1 (SCMP_CMP_MASKED_EQ, mode_mask, 0));
SC_ALLOW_ARG_1 ("fchmodat",
SCMP_A2 (SCMP_CMP_MASKED_EQ, mode_mask, 0));
+ SC_ALLOW_ARG_1 ("fchmodat2",
+ SCMP_A2 (SCMP_CMP_MASKED_EQ, mode_mask, 0));
}
SC_ALLOW ("fcntl");
SC_ALLOW ("fcntl64");
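Review bot: The `fchmodat2` rule is added only inside the block that closes at `}` here, and that block opens outside the hunk. `make_seccomp_filter` takes a `permissive` flag, and the diffstat's 8 insertions are all accounted for in the visible hunks. So if this block is the restricted arm of an `if (permissive) ... else ...`, the permissive arm still lacks `fchmodat2`, and a libc that routes `fchmodat()` through the newer syscall would be denied there while plain `fchmodat` is allowed. Please confirm against the full function and, if so, add `SC_ALLOW ("fchmodat2");` next to the unconditional `fchmodat` entry. A short comment such as `/* fchmodat2 = fchmodat + flags; mode is still argument 2 */` would also let a reader verify the `SCMP_A2` index without looking up the syscall signature.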
@@ -587,6 +589,11 @@ static scmp_filter_ctx make_seccomp_filter (bool permissive)
SC_ALLOW ("msgsnd");
}
+#if (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 5) || SCMP_VER_MAJOR > 2
+ if (seccomp_attr_set (ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2) < 0)
+ debug ("failed to set SCMP_FLTATR_CTL_OPTIMIZE\n");
+#endif /* libseccomp >= 2.5 */
+
return ctx;
}
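Review bot: The literal `2` passed to `seccomp_attr_set` for `SCMP_FLTATR_CTL_OPTIMIZE` is unexplained, as is the choice to only log a failure. In libseccomp, level 2 selects the binary-tree filter layout sorted by syscall number, which affects evaluation cost rather than which syscalls are allowed. A comment saying so would make clear why failure is non-fatal, for example `/* Optimization level 2: binary tree sorted by syscall number. This only changes filter layout, not policy, so failure is harmless. */`. The return value is a negative errno that the message drops; keeping it in a local and including it in the `debug` text would help when this fails, assuming `debug` accepts printf-style arguments. The rest of `make_seccomp_filter` lies outside the hunk.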