Fix sandbox use with systemd. bug 16212.

This commit is contained in:
Nick Mathewson 2015-05-28 14:05:46 -04:00
parent 8ca3773f68
commit 97330ced0c
2 changed files with 15 additions and 0 deletions

5
changes/bug16212 Normal file
View File

@ -0,0 +1,5 @@
o Minor bugfixes (sandbox, systemd):
- Allow systemd connections to work with the Linux seccomp2 sandbox
code. Fixes bug 16212; bugfix on 0.2.6.2-alpha.
Patch by Peter Palfrader.

View File

@ -170,6 +170,7 @@ static int filter_nopar_gen[] = {
SCMP_SYS(read), SCMP_SYS(read),
SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigreturn),
SCMP_SYS(sched_getaffinity), SCMP_SYS(sched_getaffinity),
SCMP_SYS(sendmsg),
SCMP_SYS(set_robust_list), SCMP_SYS(set_robust_list),
#ifdef __NR_sigreturn #ifdef __NR_sigreturn
SCMP_SYS(sigreturn), SCMP_SYS(sigreturn),
@ -547,6 +548,15 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX), SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM), SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
SCMP_CMP(2, SCMP_CMP_EQ, 0)); SCMP_CMP(2, SCMP_CMP_EQ, 0));
if (rc)
return rc;
rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
SCMP_CMP(2, SCMP_CMP_EQ, 0));
if (rc)
return rc;
rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK), SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),