Sandbox: Permit the clone3 system call

Apparently glibc-2.34 uses clone3, when previously it just used
clone.

Closes ticket #40590.
This commit is contained in:
Nick Mathewson 2022-03-27 18:34:25 -04:00
parent 421ce94395
commit de3872656a
2 changed files with 6 additions and 0 deletions

3
changes/clone3-sandbox Normal file
View File

@ -0,0 +1,3 @@
o Minor features (linux seccomp2 sandbox):
- Permit the clone3 syscall, which is apparently used in glibc-2.34 and
later. Closes ticket 40590.

View File

@ -144,6 +144,9 @@ static int filter_nopar_gen[] = {
SCMP_SYS(clock_gettime), SCMP_SYS(clock_gettime),
SCMP_SYS(close), SCMP_SYS(close),
SCMP_SYS(clone), SCMP_SYS(clone),
#ifdef __NR_clone3
SCMP_SYS(clone3),
#endif
SCMP_SYS(epoll_create), SCMP_SYS(epoll_create),
SCMP_SYS(epoll_wait), SCMP_SYS(epoll_wait),
#ifdef __NR_epoll_pwait #ifdef __NR_epoll_pwait