From 5baea851892bcc2734c0e62e96b8d2d6e2626c51 Mon Sep 17 00:00:00 2001
From: Cristian Toader
Date: Tue, 30 Jul 2013 19:37:28 +0300
Subject: [PATCH] removed open flags (postponed), added mmap2 flags
---
 src/common/sandbox.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 8e7796bc5c..b55586b1ca 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -58,7 +58,13 @@ static sandbox_static_cfg_t filter_static[] = {
 {SCMP_SYS(socketcall), PARAM_NUM, 0, 18, 0},
 #endif
 
- {SCMP_SYS(open), PARAM_NUM, 1, O_RDONLY | O_CLOEXEC, 0}
+#ifdef __NR_mmap2
+ {SCMP_SYS(mmap2), PARAM_NUM, 2, PROT_READ, 0},
+ {SCMP_SYS(mmap2), PARAM_NUM, 2, PROT_READ|PROT_WRITE, 0},
+ {SCMP_SYS(mmap2), PARAM_NUM, 3, MAP_PRIVATE|MAP_ANONYMOUS, 0},
+ {SCMP_SYS(mmap2), PARAM_NUM, 3, MAP_PRIVATE, 0},
+#endif
+
 };
 
 /** Variable used for storing all syscall numbers that will be allowed with the
@@ -111,9 +117,6 @@ static int filter_nopar_gen[] = {
 SCMP_SYS(mkdir),
 SCMP_SYS(mlockall),
 SCMP_SYS(mmap),
-#ifdef __NR_mmap2
- SCMP_SYS(mmap2),
-#endif
 SCMP_SYS(mprotect),
 SCMP_SYS(mremap),
 SCMP_SYS(munmap),
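Review bot: The four `mmap2` rows in `filter_static` each constrain a single argument (index 2 for prot, index 3 for flags), so prot and flags are probably not checked together. The code that installs the table is outside this hunk, but if it adds one allow rule per row, libseccomp treats rules for the same syscall as alternatives. Under that reading a call whose flags equal `MAP_PRIVATE` is allowed with any protection bits, `PROT_EXEC` included, and a `PROT_READ` call is allowed with any flags. Enforcing the intended pairs needs both comparisons in one rule (a single `seccomp_rule_add` with two `SCMP_CMP(..., SCMP_CMP_EQ, ...)` arguments); until then, add `/* rows for one syscall are alternatives: prot and flags are not checked together */` above the `#ifdef __NR_mmap2`. The second hunk also keeps `SCMP_SYS(mmap)` in `filter_nopar_gen`, so builds that use plain `mmap` get no argument filtering at all.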