28 lines
742 B
Diff
28 lines
742 B
Diff
From 62ee6ab013285b8f6dce1f729d97a1c31abf5071 Mon Sep 17 00:00:00 2001
|
|
From: Bryan Steele <brynet@gmail.com>
|
|
Date: Tue, 3 Aug 2021 21:16:44 -0400
|
|
Subject: [PATCH] portable; Non-fatally deny newfstatat/statx(2) syscalls used
|
|
by newer glibc.
|
|
|
|
---
|
|
seccomp-sandbox.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/seccomp-sandbox.c b/seccomp-sandbox.c
|
|
index d65b813..03d70dd 100644
|
|
--- a/seccomp-sandbox.c
|
|
+++ b/seccomp-sandbox.c
|
|
@@ -132,6 +132,12 @@ static const struct sock_filter filt_insns[] = {
|
|
#ifdef __NR_openat
|
|
SC_DENY(__NR_openat, EACCES),
|
|
#endif
|
|
+#ifdef __NR_newfstatat
|
|
+ SC_DENY(__NR_newfstatat, EACCES),
|
|
+#endif
|
|
+#ifdef __NR_statx
|
|
+ SC_DENY(__NR_statx, EACCES),
|
|
+#endif
|
|
|
|
/* Syscalls to permit. */
|
|
#ifdef __NR_brk
|