epoll_ctl

2024-11-11 05:33:47 +01:00 · 2013-07-31 00:27:14 +03:00 · 2013-07-31 00:27:14 +03:00 · f0840ed4c9
commit f0840ed4c9
parent 5fc0e13db8
1 changed files with 21 additions and 2 deletions
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@ -33,6 +33,7 @@
 #include <sys/mman.h>
 #include <sys/syscall.h>
 #include <sys/types.h>
+#include <sys/epoll.h>
 #include <bits/signum.h>

 #include <seccomp.h>
@ -52,7 +53,6 @@ static int filter_nopar_gen[] = {
    SCMP_SYS(close),
    SCMP_SYS(clone),
    SCMP_SYS(epoll_create),
-    SCMP_SYS(epoll_ctl),
    SCMP_SYS(epoll_wait),
    SCMP_SYS(fcntl),

@ -326,6 +326,24 @@ sb_fcntl64(scmp_filter_ctx ctx)
 }
 #endif

+static int
+sb_epoll_ctl(scmp_filter_ctx ctx)
+{
+  int rc = 0;
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 1,
+      SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_ADD));
+  if (rc)
+    return rc;
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 1,
+      SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_MOD));
+  if (rc)
+    return rc;
+
+  return 0;
+}
+
 static sandbox_filter_func_t filter_func[] = {
    sb_rt_sigaction,
    sb_execve,
@ -335,7 +353,8 @@ static sandbox_filter_func_t filter_func[] = {
    sb_open,
    sb_openat,
    sb_clock_gettime,
-    sb_fcntl64
+    sb_fcntl64,
+    sb_epoll_ctl
 };

 const char*