0.14.3: seccomp: add syscalls

Add syscalls for Ubuntu 22.04.
2 years ago · 771822da1a
parent fc84ad2e9b
commit 771822da1a
2 changed files with 18 additions and 6 deletions
--- a/src/restrict_process_seccomp.c
+++ b/src/restrict_process_seccomp.c
@ -1,4 +1,4 @@
-/* Copyright (c) 2017-2020, Michael Santos <michael.santos@gmail.com>
+/* Copyright (c) 2017-2022, Michael Santos <michael.santos@gmail.com>
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@ -48,7 +48,7 @@
               offsetof(struct seccomp_data, args[(_arg_nr)])),                \
      BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_arg_val), 0, 1),                   \
      BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW), /* reload syscall number;  \
-                                                       all rules expect it in                                                            \
+                                                       all rules expect it in  \
                                                       accumulator */          \
      BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, nr))

@ -164,6 +164,9 @@ int restrict_process_init(xmppipe_state_t *state) {
 #ifdef __NR_newfstatat
      SC_ALLOW(newfstatat),
 #endif
+#ifdef __NR_getdents64
+      SC_ALLOW(getdents64),
+#endif

 /* uuid */
 #ifdef __NR_gettimeofday
@ -200,13 +203,13 @@ int restrict_process_init(xmppipe_state_t *state) {
 #ifdef __NR_fstat64
      SC_ALLOW(fstat64),
 #endif
-#ifdef __NR_getrandom
-      SC_ALLOW(getrandom),
-#endif

 #ifdef __NR_getppid
      SC_ALLOW(getppid),
 #endif
+#ifdef __NR_getrandom
+      SC_ALLOW(getrandom),
+#endif
 #ifdef __NR_gettid
      SC_ALLOW(gettid),
 #endif
@ -379,10 +382,19 @@ int restrict_process_stdin(xmppipe_state_t *state) {
 #ifdef __NR_fstat64
      SC_ALLOW(fstat64),
 #endif
+#ifdef __NR_newfstatat
+      SC_ALLOW(newfstatat),
+#endif
+#ifdef __NR_getdents64
+      SC_ALLOW(getdents64),
+#endif

 #ifdef __NR_getppid
      SC_ALLOW(getppid),
 #endif
+#ifdef __NR_getrandom
+      SC_ALLOW(getrandom),
+#endif
 #ifdef __NR_gettid
      SC_ALLOW(gettid),
 #endif
--- a/src/xmppipe.h
+++ b/src/xmppipe.h
@ -27,7 +27,7 @@
 #include "strtonum.h"
 #endif

-#define XMPPIPE_VERSION "0.14.2"
+#define XMPPIPE_VERSION "0.14.3"
 #define XMPPIPE_RESOURCE "xmppipe"

 #define XMPPIPE_STREQ(a, b) (strcmp((a), (b)) == 0)