From 682c2252a564be67fd4fa817d535df0ddc1c758a Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Mon, 6 Jan 2014 04:27:58 -0500
Subject: [PATCH] Fix some seccomp2 issues

Fix for #10563. This is a compatibility issue with libseccomp-2.1. I guess you could call it a bugfix on 0.2.5.1?
---
 changes/seccomp2-fixes | 3 +++
 src/common/sandbox.c | 10 ++++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 changes/seccomp2-fixes

diff --git a/changes/seccomp2-fixes b/changes/seccomp2-fixes
new file mode 100644
index 0000000000..600feecd11
--- /dev/null
+++ b/changes/seccomp2-fixes
@@ -0,0 +1,3 @@
+ o Minor bugfixes:
+ - Fix compilation warnings and startup issues when running with
+ libseccomp-2.1.0. Fixes bug 10563.
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 7ef577dbec..0b67b18973 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -250,6 +250,7 @@ static int
 sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 {
 int rc = 0;
+ (void)filter;
 rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ),
@@ -403,6 +404,14 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 if (rc)
 return rc;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3,
+ SCMP_CMP(0, SCMP_CMP_EQ, PF_INET),
+ SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK),
+ SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP));
+ if (rc)
+ return rc;
+
+
 rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3,
 SCMP_CMP(0, SCMP_CMP_EQ, PF_INET),
 SCMP_CMP(1, SCMP_CMP_EQ, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK),
@@ -504,6 +513,7 @@ static int
 sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 {
 int rc = 0;
+ (void) filter;
 rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 1,
 SCMP_CMP(1, SCMP_CMP_EQ, F_GETFL));
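Review bot: The cast that silences the unused parameter is spelled `(void)filter;` in this `sb_mmap2` hunk and `(void) filter;` in the `sb_fcntl64` hunk; one spelling should be used in both, e.g. `(void)filter;`. Both function bodies continue outside their hunks, so whether other filter callbacks need the same line cannot be judged from this diff.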
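Review bot: The new `socket` rule in `sb_socket` widens the sandbox allowlist to IPv4 TCP stream sockets without a comment saying which caller needs it, and the commit message only mentions libseccomp-2.1 compatibility. A line such as `/* Allow nonblocking, close-on-exec IPv4 TCP sockets; see bug 10563. */` above the `seccomp_rule_add` call would make the policy auditable. Argument 1 is matched with `SCMP_CMP_EQ` against the exact value `SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK`, so any other flag combination is still refused, and no `PF_INET6` counterpart appears in this hunk; both are worth stating in that comment if intentional. Since the file also filters `mmap2` and `fcntl64`, it appears to target 32-bit x86, where libseccomp documents `seccomp_rule_add` as best-effort for multiplexed calls such as socket, so the argument constraints may not be enforced as written there. `sb_socket` starts and ends outside the hunk, so rules elsewhere in it may already cover some of this.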