diff options
Diffstat (limited to 'crypto/openssh/sandbox-seccomp-filter.c')
-rw-r--r-- | crypto/openssh/sandbox-seccomp-filter.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/crypto/openssh/sandbox-seccomp-filter.c b/crypto/openssh/sandbox-seccomp-filter.c index c0c17c2..b6f6258 100644 --- a/crypto/openssh/sandbox-seccomp-filter.c +++ b/crypto/openssh/sandbox-seccomp-filter.c @@ -25,6 +25,8 @@ */ /* #define SANDBOX_SECCOMP_FILTER_DEBUG 1 */ +/* XXX it should be possible to do logging via the log socket safely */ + #ifdef SANDBOX_SECCOMP_FILTER_DEBUG /* Use the kernel headers in case of an older toolchain. */ # include <asm/siginfo.h> @@ -89,6 +91,7 @@ static const struct sock_filter preauth_insns[] = { BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)), SC_DENY(open, EACCES), + SC_DENY(stat, EACCES), SC_ALLOW(getpid), SC_ALLOW(gettimeofday), SC_ALLOW(clock_gettime), @@ -115,6 +118,10 @@ static const struct sock_filter preauth_insns[] = { #ifdef __NR_mmap SC_ALLOW(mmap), #endif +#ifdef __dietlibc__ + SC_ALLOW(mremap), + SC_ALLOW(exit), +#endif SC_ALLOW(munmap), SC_ALLOW(exit_group), #ifdef __NR_rt_sigprocmask |