Commit b0fc5016 authored by zsugabubus's avatar zsugabubus Committed by Sebastian Ramacher

Fix seccomp filters in strict mode

parent 82783770
......@@ -163,6 +163,7 @@ seccomp_enable_strict_filter(void)
ALLOW_RULE(getgid);
ALLOW_RULE(getuid);
ALLOW_RULE(getpid);
ALLOW_RULE(gettid);
/* ALLOW_RULE (getpeername); */
ALLOW_RULE(getresgid);
ALLOW_RULE(getresuid);
......@@ -219,6 +220,9 @@ seccomp_enable_strict_filter(void)
ALLOW_RULE(writev);
ALLOW_RULE(wait4); /* trying to open links should not crash the app */
ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), sched_setattr, 0);
ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), sched_getattr, 0);
/* Special requirements for ioctl, allowed on stdout/stderr */
ADD_RULE("allow", SCMP_ACT_ALLOW, ioctl, 1, SCMP_CMP(0, SCMP_CMP_EQ, 1));
ADD_RULE("allow", SCMP_ACT_ALLOW, ioctl, 1, SCMP_CMP(0, SCMP_CMP_EQ, 2));
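Review bot: The two `SCMP_ACT_ERRNO(EPERM)` rules for `sched_setattr` and `sched_getattr` in the second hunk have no comment saying which caller issues these syscalls, or why they are answered with an errno rather than allowed or left to the filter's default action. These appear to be the added lines, judging by the hunk header counts, since the page has lost its +/- markers. The neighbouring `wait4` rule records its reason inline, and a strict-mode allowlist is much easier to audit when every exception does the same. I would put a comment above them such as `/* sched_setattr/sched_getattr: return EPERM instead of the default action; issued by (name the caller) */`, and a short reason next to `ALLOW_RULE(gettid);` in the first hunk as well. `seccomp_enable_strict_filter` starts and ends outside both hunks, so the default action and the `ADD_RULE` definition cannot be checked from here.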
......