diff options
| author | Gilad Arnold <garnold@google.com> | 2015-08-26 17:20:47 -0700 |
|---|---|---|
| committer | Gilad Arnold <garnold@google.com> | 2015-08-26 18:12:13 -0700 |
| commit | 838d8b3ff0194a05fdac52e2ad66e12d8572aa4e (patch) | |
| tree | 88fc41c50a0832cb0182d9ea61dea508afb550cd | |
| parent | a0f9aa398cbd2dc7e8e9d2fe6310fb422641655d (diff) | |
| download | tlsdate-838d8b3ff0194a05fdac52e2ad66e12d8572aa4e.tar.gz | |
Properly handle legacy/new syscalls.
Some platforms/archs don't support all legacy syscalls (open, fstat)
whereas others might not support new variants (openat, fstatat,
newfstatat). Furthermore, it is hard to tell how a standard API call
maps to an actual syscall (e.g. open() might use __NR_openat).
This ensures that we allow/deny the complete set of calls covering the
same functionality, whichever is present.
This fixes a build error in aosp_arm64 (__NR_open not supported).
Bug: 22373707
Change-Id: I45e86201836b18d5dd1bcd12dd4ffd1ae5071214
| -rw-r--r-- | src/seccomp.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/src/seccomp.c b/src/seccomp.c index 2328fb4..92c6e80 100644 --- a/src/seccomp.c +++ b/src/seccomp.c @@ -88,16 +88,37 @@ enable_setter_seccomp (void) SC_ALLOW (time), #endif +#ifdef __NR_lseek SC_ALLOW (lseek), +#endif +#ifdef __NR_llseek + SC_ALLOW (llseek), +#endif +#ifdef __NR_lseek64 + SC_ALLOW (lseek64), +#endif SC_ALLOW (close), SC_ALLOW (munmap), SC_ALLOW (exit_group), SC_ALLOW (exit), +#ifdef __NR_open SC_DENY (open, EINVAL), +#endif +#ifdef __NR_openat + SC_DENY (openat, EINVAL), +#endif SC_DENY (fcntl, EINVAL), +#ifdef __NR_fstat SC_DENY (fstat, EINVAL), +#endif +#ifdef __NR_fstatat + SC_DENY (fstatat, EINVAL), +#endif +#ifdef __NR_newfstatat + SC_DENY (newfstatat, EINVAL), +#endif #ifdef __NR_mmap SC_DENY (mmap, EINVAL), #endif |