From de3872656a8d3a79ca3d5fc55f1b64c4862b4c8a Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Sun, 27 Mar 2022 18:34:25 -0400 Subject: [PATCH] Sandbox: Permit the clone3 system call Apparently glibc-2.34 uses clone3, when previously it just used clone. Closes ticket #40590. --- changes/clone3-sandbox | 3 +++ src/lib/sandbox/sandbox.c | 3 +++ 2 files changed, 6 insertions(+) create mode 100644 changes/clone3-sandbox diff --git a/changes/clone3-sandbox b/changes/clone3-sandbox new file mode 100644 index 0000000000..dac8fe72da --- /dev/null +++ b/changes/clone3-sandbox @@ -0,0 +1,3 @@ + o Minor features (linux seccomp2 sandbox): + - Permit the clone3 syscall, which is apparently used in glibc-2.34 and + later. Closes ticket 40590. diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c index 8f577b0660..df676fad2f 100644 --- a/src/lib/sandbox/sandbox.c +++ b/src/lib/sandbox/sandbox.c @@ -144,6 +144,9 @@ static int filter_nopar_gen[] = { SCMP_SYS(clock_gettime), SCMP_SYS(close), SCMP_SYS(clone), +#ifdef __NR_clone3 + SCMP_SYS(clone3), +#endif SCMP_SYS(epoll_create), SCMP_SYS(epoll_wait), #ifdef __NR_epoll_pwait