commit b9d81282e0dbfdae795b38c26879716d7860bcf9 Author: Peter Gerber pgerber@tocco.ch Date: Sun Jan 5 15:48:54 2020 +0100

Fix sandbox crash during reload of logging configuration

Allow calls to dup() which was introduced in commit a22fbab986.

From a security perspective, I don't think this should impact the security of the sandbox significantly. As far as I can tell, there is nothing an adversary can do with a duplicated FD that can't be done with the original. --- changes/bug32877 | 4 ++++ src/lib/sandbox/sandbox.c | 1 + 2 files changed, 5 insertions(+)

diff --git a/changes/bug32877 b/changes/bug32877 new file mode 100644 index 000000000..96fe1af70 --- /dev/null +++ b/changes/bug32877 @@ -0,0 +1,4 @@ +o Minor bugfixes (linux seccomp sandbox): + - Fix crash when reloading logging configuration while the + experimental sandbox is enabled. Fixes bug 29150; bugfix + on 0.4.1.7. Patch by Peter Gerber. diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c index faaf463f2..7e6354d88 100644 --- a/src/lib/sandbox/sandbox.c +++ b/src/lib/sandbox/sandbox.c @@ -143,6 +143,7 @@ static int filter_nopar_gen[] = { SCMP_SYS(clock_gettime), SCMP_SYS(close), SCMP_SYS(clone), + SCMP_SYS(dup), SCMP_SYS(epoll_create), SCMP_SYS(epoll_wait), #ifdef __NR_epoll_pwait