summaryrefslogtreecommitdiffstats
path: root/crypto/openssh/sandbox-seccomp-filter.c
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/openssh/sandbox-seccomp-filter.c')
-rw-r--r--crypto/openssh/sandbox-seccomp-filter.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/crypto/openssh/sandbox-seccomp-filter.c b/crypto/openssh/sandbox-seccomp-filter.c
index c0c17c2..b6f6258 100644
--- a/crypto/openssh/sandbox-seccomp-filter.c
+++ b/crypto/openssh/sandbox-seccomp-filter.c
@@ -25,6 +25,8 @@
*/
/* #define SANDBOX_SECCOMP_FILTER_DEBUG 1 */
+/* XXX it should be possible to do logging via the log socket safely */
+
#ifdef SANDBOX_SECCOMP_FILTER_DEBUG
/* Use the kernel headers in case of an older toolchain. */
# include <asm/siginfo.h>
@@ -89,6 +91,7 @@ static const struct sock_filter preauth_insns[] = {
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
offsetof(struct seccomp_data, nr)),
SC_DENY(open, EACCES),
+ SC_DENY(stat, EACCES),
SC_ALLOW(getpid),
SC_ALLOW(gettimeofday),
SC_ALLOW(clock_gettime),
@@ -115,6 +118,10 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_mmap
SC_ALLOW(mmap),
#endif
+#ifdef __dietlibc__
+ SC_ALLOW(mremap),
+ SC_ALLOW(exit),
+#endif
SC_ALLOW(munmap),
SC_ALLOW(exit_group),
#ifdef __NR_rt_sigprocmask
OpenPOWER on IntegriCloud