[chrony-dev] [PATCH] sys_linux: allow waitpid in seccomp filter

[Vincent Blut <vincent.debian@xxxxxxx>]

Hi,

I just observed that chronyd isn’t properly stopped on a Debian unstable 
i386 virtual machine when the seccomp filter is enabled. After tracing 
chronyd, it appears that the waitpid() system call isn’t in the seccomp 
filter whitelist. Patch attached!

Cheers,
Vincent

From 816e120580edba67eeb6ed92bd7d0775bb276a81 Mon Sep 17 00:00:00 2001
From: Vincent Blut <vincent.debian@xxxxxxx>
Date: Thu, 28 Feb 2019 16:43:56 +0100
Subject: [PATCH] sys_linux: allow waitpid in seccomp filter

---
 sys_linux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys_linux.c b/sys_linux.c
index aee5a5e..ebbeaae 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -493,7 +493,7 @@ SYS_Linux_EnableSystemCallFilter(int level)
     SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getpid),
     SCMP_SYS(getrlimit), SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn),
     SCMP_SYS(rt_sigprocmask), SCMP_SYS(set_tid_address), SCMP_SYS(sigreturn),
-    SCMP_SYS(wait4),
+    SCMP_SYS(wait4), SCMP_SYS(waitpid),
     /* Memory */
     SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2),
     SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt),
-- 
2.20.1

Attachment: signature.asc
Description: PGP signature