1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
|
https://github.com/lldpd/lldpd/commit/0ea4b1a5e0e9c35d960145d25166e92a9990227f
https://github.com/lldpd/lldpd/commit/1def824404cfcab9f64b687da1cb7a4b4b51bbe0
From: Antonio Quartulli <a@unstable.cc>
Date: Sun, 9 Jan 2022 15:24:55 +0100
Subject: [PATCH] linux: add access syscall to seccomp rules
Signed-off-by: Antonio Quartulli <a@unstable.cc>
--- a/src/daemon/priv-seccomp.c
+++ b/src/daemon/priv-seccomp.c
@@ -178,6 +178,7 @@ priv_seccomp_init(int remote, int child)
(rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday), 0)) < 0 ||
(rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 0)) < 0 ||
(rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(pread64), 0)) < 0 ||
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0)) < 0 ||
/* The following are for resolving addresses */
(rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0)) < 0 ||
(rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0)) < 0 ||
From: David Sastre Medina <d.sastre.medina@gmail.com>
Date: Tue, 11 Jan 2022 14:55:05 +0100
Subject: [PATCH] daemon: add additional syscalls to SECCOMP filter when
running in the foreground
Running lldpd in the foreground as follows:
strace -c /usr/sbin/lldpd -d -cfse -D -C lldpd-peer -I lldpd-peer \
-S lldpd-system-name -m 192.168.50.6
Requires additional syscalls to be filtered (non relevant syscalls removed):
% time seconds usecs/call calls errors syscall
------ ----------- ----------- --------- --------- ----------------
0.47 0.000026 6 4 ppoll
0.33 0.000018 3 5 rt_sigprocmask
0.27 0.000015 3 4 getsockopt
------ ----------- ----------- --------- --------- ----------------
100.00 0.005520 8 637 22 total
--- a/src/daemon/priv-seccomp.c
+++ b/src/daemon/priv-seccomp.c
@@ -179,6 +179,9 @@ priv_seccomp_init(int remote, int child)
(rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 0)) < 0 ||
(rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(pread64), 0)) < 0 ||
(rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0)) < 0 ||
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 0)) < 0 ||
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 0)) < 0 ||
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ppoll), 0)) < 0 ||
/* The following are for resolving addresses */
(rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0)) < 0 ||
(rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0)) < 0 ||
|
