commit b9d81282e0dbfdae795b38c26879716d7860bcf9
Author: Peter Gerber <pgerber(a)tocco.ch>
Date: Sun Jan 5 15:48:54 2020 +0100
Fix sandbox crash during reload of logging configuration
Allow calls to dup() which was introduced in commit a22fbab986.
From a security perspective, I don't think this should impact the
security of the sandbox significantly. As far as I can tell, there
is nothing an adversary can do with a duplicated FD that can't be
done with the original.
---
changes/bug32877 | 4 ++++
src/lib/sandbox/sandbox.c | 1 +
2 files changed, 5 insertions(+)
diff --git a/changes/bug32877 b/changes/bug32877
new file mode 100644
index 000000000..96fe1af70
--- /dev/null
+++ b/changes/bug32877
@@ -0,0 +1,4 @@
+o Minor bugfixes (linux seccomp sandbox):
+ - Fix crash when reloading logging configuration while the
+ experimental sandbox is enabled. Fixes bug 29150; bugfix
+ on 0.4.1.7. Patch by Peter Gerber.
diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c
index faaf463f2..7e6354d88 100644
--- a/src/lib/sandbox/sandbox.c
+++ b/src/lib/sandbox/sandbox.c
@@ -143,6 +143,7 @@ static int filter_nopar_gen[] = {
SCMP_SYS(clock_gettime),
SCMP_SYS(close),
SCMP_SYS(clone),
+ SCMP_SYS(dup),
SCMP_SYS(epoll_create),
SCMP_SYS(epoll_wait),
#ifdef __NR_epoll_pwait