Re: [chrony-dev] [PATCH] sys_linux: allow further syscalls in seccomp fi

Re: [chrony-dev] [PATCH] sys_linux: allow further syscalls in seccomp filter

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ]

To: chrony-dev <chrony-dev@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [chrony-dev] [PATCH] sys_linux: allow further syscalls in seccomp filter
From: Vincent Blut <vincent.debian@xxxxxxx>
Date: Fri, 15 Mar 2019 15:29:10 +0100

On Fri, Mar 15, 2019 at 12:22:15AM +0100, Vincent Blut wrote:

Hey Miroslav,
Here is my work to make chronyd usuable on Debian 9 (current stable)arm64 with the seccomp filter enabled.


Just tested on Debian unstable to check for any missing syscalls.
Seems good so far.

Cheers,
Vincent

From 02f59682ce74547009d981e4595f9a0ea87a962c Mon Sep 17 00:00:00 2001
From: Vincent Blut <vincent.debian@xxxxxxx>
Date: Fri, 15 Mar 2019 00:03:24 +0100
Subject: [PATCH] sys_linux: allow further syscalls in seccomp filter

These are needed on arm64.
---
sys_linux.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/sys_linux.c b/sys_linux.c
index e71dcf8..6ae7c0d 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -499,9 +499,11 @@ SYS_Linux_EnableSystemCallFilter(int level)
    SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt),
    /* Filesystem */
    SCMP_SYS(_llseek), SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown),
-    SCMP_SYS(chown32), SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents),
-    SCMP_SYS(getdents64), SCMP_SYS(lseek), SCMP_SYS(rename), SCMP_SYS(stat),
-    SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink),
+    SCMP_SYS(chown32), SCMP_SYS(faccessat), SCMP_SYS(fchmodat), SCMP_SYS(fchownat),
+    SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents), SCMP_SYS(getdents64),
+    SCMP_SYS(lseek), SCMP_SYS(newfstatat), SCMP_SYS(rename), SCMP_SYS(renameat),
+    SCMP_SYS(stat), SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64),
+    SCMP_SYS(unlink), SCMP_SYS(unlinkat),
    /* Socket */
    SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), SCMP_SYS(getsockopt),
    SCMP_SYS(recv), SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg),
@@ -510,8 +512,8 @@ SYS_Linux_EnableSystemCallFilter(int level)
    SCMP_SYS(socketcall),
    /* General I/O */
    SCMP_SYS(_newselect), SCMP_SYS(close), SCMP_SYS(open), SCMP_SYS(openat), SCMP_SYS(pipe),
-    SCMP_SYS(poll), SCMP_SYS(read), SCMP_SYS(futex), SCMP_SYS(select),
-    SCMP_SYS(set_robust_list), SCMP_SYS(write),
+    SCMP_SYS(pipe2), SCMP_SYS(poll), SCMP_SYS(ppoll), SCMP_SYS(pselect6), SCMP_SYS(read),
+    SCMP_SYS(futex), SCMP_SYS(select), SCMP_SYS(set_robust_list), SCMP_SYS(write),
    /* Miscellaneous */
    SCMP_SYS(getrandom), SCMP_SYS(sysinfo), SCMP_SYS(uname),
  };
--
2.20.1

Attachment: signature.asc
Description: PGP signature

Follow-Ups:
- Re: [chrony-dev] [PATCH] sys_linux: allow further syscalls in seccomp filter
  - From: Miroslav Lichvar

References:
- [chrony-dev] [PATCH] sys_linux: allow further syscalls in seccomp filter
  - From: Vincent Blut

Messages sorted by: [ date | thread ]
Prev by Date: [chrony-dev] [PATCH] sys_linux: allow further syscalls in seccomp filter
Next by Date: [chrony-dev] [GIT] chrony/chrony.git branch master updated. 3.4-16-g2ddd0ae
Previous by thread: [chrony-dev] [PATCH] sys_linux: allow further syscalls in seccomp filter
Next by thread: Re: [chrony-dev] [PATCH] sys_linux: allow further syscalls in seccomp filter

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/