seccomp: allowlist for termux/android 12

Update syscalls in seccomp policy for termux on android 12. With this
change, xmppipe works with the seccomp process restrictions on termux
but will still crash on exit:

* prctl(PR_SET_VMA): prctl(2) is not allowed by the stdin restrictions

* if prctl(2) is allowed, xmppipe aborts with "bad syscall" on exit. The
  system call doesn't show up in strace(1).
master
Michael Santos 2 years ago
parent e1cbff0f14
commit 15859bb11e

@ -135,6 +135,9 @@ int restrict_process_init(xmppipe_state_t *state) {
#ifdef __NR_openat
SC_ALLOW(openat),
#endif
#ifdef __NR_readlinkat
SC_ALLOW(readlinkat),
#endif
#ifdef __NR_close
SC_ALLOW(close),
#endif
@ -188,6 +191,9 @@ int restrict_process_init(xmppipe_state_t *state) {
#ifdef __NR_fstat
SC_ALLOW(fstat),
#endif
#ifdef __NR_fstatfs
SC_ALLOW(fstatfs),
#endif
#ifdef __NR_fstat64
SC_ALLOW(fstat64),
#endif
@ -229,6 +235,9 @@ int restrict_process_init(xmppipe_state_t *state) {
#ifdef __NR_munmap
SC_ALLOW(munmap),
#endif
#ifdef __NR_mremap
SC_ALLOW(mremap),
#endif
#ifdef __NR_mprotect
SC_ALLOW(mprotect),
#endif
@ -242,6 +251,9 @@ int restrict_process_init(xmppipe_state_t *state) {
#ifdef __NR_read
SC_ALLOW(read),
#endif
#ifdef __NR_pread64
SC_ALLOW(pread64),
#endif
#ifdef __NR__newselect
SC_ALLOW(_newselect),
#endif
@ -267,6 +279,9 @@ int restrict_process_init(xmppipe_state_t *state) {
#ifdef __NR_mmap
SC_ALLOW(mmap),
#endif
#ifdef __NR_mremap
SC_ALLOW(mremap),
#endif
#ifdef __NR_mmap2
SC_ALLOW(mmap2),
#endif
@ -352,6 +367,9 @@ int restrict_process_stdin(xmppipe_state_t *state) {
#ifdef __NR_fstat
SC_ALLOW(fstat),
#endif
#ifdef __NR_fstatfs
SC_ALLOW(fstatfs),
#endif
#ifdef __NR_fstat64
SC_ALLOW(fstat64),
#endif
@ -393,6 +411,9 @@ int restrict_process_stdin(xmppipe_state_t *state) {
#ifdef __NR_read
SC_ALLOW(read),
#endif
#ifdef __NR_pread64
SC_ALLOW(pread64),
#endif
#ifdef __NR__newselect
SC_ALLOW(_newselect),
#endif
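Review bot: The new entries (readlinkat, fstatfs, mremap, pread64) are guarded only by `#ifdef __NR_*`, so they widen the allowlist on every Linux build where the syscall number exists, not just on termux, which the commit title names as the target. Nesting them under the Android toolchain macro, e.g. `#if defined(__ANDROID__) && defined(__NR_pread64)`, would leave the policy unchanged on other platforms; this matters most for the fstatfs and pread64 additions to restrict_process_stdin, which appears to be the later, tighter stage. Separately, `SC_ALLOW(mremap)` is added twice under restrict_process_init (the -229 and -267 hunks); if both land in the same filter array, the second is redundant and can be dropped. Both functions start and end outside the visible hunks, so the filter's default action and the array boundaries cannot be confirmed from here.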
