[chrony-dev] [PATCH] sys_linux: allow waitpid in seccomp filter


Hi,

I just observed that chronyd isn’t properly stopped on a Debian unstable i386 virtual machine when the seccomp filter is enabled. After tracing chronyd, it appears that the waitpid() system call isn’t in the seccomp filter whitelist. Patch attached!

Cheers,
Vincent

From 816e120580edba67eeb6ed92bd7d0775bb276a81 Mon Sep 17 00:00:00 2001
From: Vincent Blut <vincent.debian@xxxxxxx>
Date: Thu, 28 Feb 2019 16:43:56 +0100
Subject: [PATCH] sys_linux: allow waitpid in seccomp filter

---
 sys_linux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys_linux.c b/sys_linux.c
index aee5a5e..ebbeaae 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -493,7 +493,7 @@ SYS_Linux_EnableSystemCallFilter(int level)
     SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getpid),
     SCMP_SYS(getrlimit), SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn),
     SCMP_SYS(rt_sigprocmask), SCMP_SYS(set_tid_address), SCMP_SYS(sigreturn),
-    SCMP_SYS(wait4),
+    SCMP_SYS(wait4), SCMP_SYS(waitpid),
     /* Memory */
     SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2),
     SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt),
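
Review bot: The commit message consists of the subject line only, so the reason for adding SCMP_SYS(waitpid) after SCMP_SYS(wait4) in the process-management part of the allow list is not recorded with the change. The cover mail has the needed detail (chronyd not stopping properly on an i386 system with the filter enabled, and tracing showing waitpid() missing from the list); please move that into the commit body so the entry is not later dropped as redundant with wait4. Since the failure was seen on i386, it is also worth stating which architectures were tested with the filter enabled, as was presumably done for the other architecture-dependent entries already in this list such as SCMP_SYS(sigreturn) and SCMP_SYS(mmap2).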
-- 
2.20.1
