Merge branch 'maint-0.3.2' into maint-0.3.3

2024-11-10 21:23:58 +01:00 · 2018-08-08 09:26:23 -04:00 · 2018-08-08 09:26:23 -04:00 · 00536254b7
commit 00536254b7
parent 2a6c1585b0 8e68fe7e1c
2 changed files with 6 additions and 1 deletions
--- a/changes/bug25440
+++ b/changes/bug25440
@ -0,0 +1,5 @@
+  o Minor bugfixes (linux seccomp2 sandbox):
+    - Fix a bug in out sandboxing rules for the openat() syscall.
+      Previously, no openat() call would be permitted, which would break
+      filesystem operations on recent glibc versions. Fixes bug 25440;
+      bugfix on 0.2.9.15. Diagnosis and patch from Daniel Pinto.
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@ -450,7 +450,7 @@ allow_file_open(scmp_filter_ctx ctx, int use_openat, const char *file)
 {
  if (use_openat) {
    return seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
-                              SCMP_CMP_STR(0, SCMP_CMP_EQ, AT_FDCWD),
+                              SCMP_CMP(0, SCMP_CMP_EQ, (unsigned int)AT_FDCWD),
                              SCMP_CMP_STR(1, SCMP_CMP_EQ, file));
  } else {
    return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open),