[tor/master] epoll_ctl

commit f0840ed4c9f17f199d73b8b9788b08af0265026d
Author: Cristian Toader <cristian.matei.toader@gmail.com>
Date: Wed Jul 31 00:27:14 2013 +0300
 epoll_ctl
---
 src/common/sandbox.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index acf3038..6de95da 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -33,6 +33,7 @@
 #include <sys/mman.h>
 #include <sys/syscall.h>
 #include <sys/types.h>
+#include <sys/epoll.h>
 #include <bits/signum.h>
 #include <seccomp.h>
@@ -52,7 +53,6 @@ static int filter_nopar_gen[] = {
 SCMP_SYS(close),
 SCMP_SYS(clone),
 SCMP_SYS(epoll_create),
- SCMP_SYS(epoll_ctl),
 SCMP_SYS(epoll_wait),
 SCMP_SYS(fcntl),
@@ -326,6 +326,24 @@ sb_fcntl64(scmp_filter_ctx ctx)
 }
 #endif
+static int
+sb_epoll_ctl(scmp_filter_ctx ctx)
+{
+ int rc = 0;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 1,
+ SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_ADD));
+ if (rc)
+ return rc;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 1,
+ SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_MOD));
+ if (rc)
+ return rc;
+
+ return 0;
+}
+
 static sandbox_filter_func_t filter_func[] = {
 sb_rt_sigaction,
 sb_execve,
@@ -335,7 +353,8 @@ static sandbox_filter_func_t filter_func[] = {
 sb_open,
 sb_openat,
 sb_clock_gettime,
- sb_fcntl64
+ sb_fcntl64,
+ sb_epoll_ctl
 };
 const char*
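Review bot: sb_epoll_ctl() adds allow rules only for EPOLL_CTL_ADD and EPOLL_CTL_MOD, and the same commit removes epoll_ctl from filter_nopar_gen, so an epoll_ctl() call with EPOLL_CTL_DEL no longer matches any allow rule. If the event loop ever removes a descriptor from the epoll set (not visible in this diff, but usual when a connection is closed), that call would fall through to the filter's default action instead of succeeding. Either add a third rule, `rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 1, SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_DEL));` followed by `if (rc) return rc;`, or state in a comment above the function why DEL is deliberately excluded. A short header comment such as `/* Allow epoll_ctl() only when its op argument (index 1) is one of the listed values. */` would also make the intent of the argument filter clear to the next reader.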