blob: 0da1b2c5b2b74f803c0e777e6ca37bf67ce11147 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
From 7315a9475d8fa37af49e9e7ed11e1534f23ef70b Mon Sep 17 00:00:00 2001
From: "S. Gilles" <sgilles@umd.edu>
Date: Wed, 12 Aug 2020 16:40:07 -0400
Subject: Allow clock_gettime64; return ENOSYS so libcs can engage fallbacks
libcs such as musl expect ENOSYS to be returned (not EPERM) in their
fallback code, so change the seccomp filter to be more agreeable to
them.
At the same time, clock_gettime is permitted in the filter, so permit
clock_gettime64 as well -- it will be needed by 2038 in any case.
* lib/sandbox.c (make_seccomp_filter): Set default action to
SCMP_ACT_ERRNO (ENOSYS). Allow clock_gettime64.
* NEWS: Document this.
---
NEWS | 9 +++++++++
lib/sandbox.c | 3 ++-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/lib/sandbox.c b/lib/sandbox.c
index 21ec28aa..d934a0f9 100644
--- a/lib/sandbox.c
+++ b/lib/sandbox.c
@@ -232,7 +232,7 @@ static scmp_filter_ctx make_seccomp_filter (int permissive)
;
debug ("initialising seccomp filter (permissive: %d)\n", permissive);
- ctx = seccomp_init (SCMP_ACT_ERRNO (EPERM));
+ ctx = seccomp_init (SCMP_ACT_ERRNO (ENOSYS));
if (!ctx)
error (FATAL, errno, "can't initialise seccomp filter");
@@ -271,6 +271,7 @@ static scmp_filter_ctx make_seccomp_filter (int permissive)
/* systemd: SystemCallFilter=@default */
SC_ALLOW ("clock_getres");
SC_ALLOW ("clock_gettime");
+ SC_ALLOW ("clock_gettime64");
SC_ALLOW ("clock_nanosleep");
SC_ALLOW ("execve");
SC_ALLOW ("exit");
--
cgit v1.2.1
|
