Add syscall sandboxing (seccomp-bpf)

author: practicalswift <practicalswift@users.noreply.github.com> 2021-10-01 13:53:59 +0000
committer: practicalswift <practicalswift@users.noreply.github.com> 2021-10-01 13:51:10 +0000
commit: 4747da3a5b639b5a336b737e7e3cbf060cf2efcf (patch)
tree: c375c8eff3a7f4b02f66247b52dfee286e7fcbae /src/checkqueue.h
parent: e69cbac628bfdca4a8e4ead821190eaf5b6b3d07 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/src/checkqueue.h b/src/checkqueue.h
index 4ceeb3600a..7c20e2013c 100644
--- a/src/checkqueue.h
+++ b/src/checkqueue.h
@@ -7,6 +7,7 @@
 
 #include <sync.h>
 #include <tinyformat.h>
+#include <util/syscall_sandbox.h>
 #include <util/threadnames.h>
 
 #include <algorithm>
@@ -151,6 +152,7 @@ public:
         for (int n = 0; n < threads_num; ++n) {
             m_worker_threads.emplace_back([this, n]() {
                 util::ThreadRename(strprintf("scriptch.%i", n));
+                SetSyscallSandboxPolicy(SyscallSandboxPolicy::VALIDATION_SCRIPT_CHECK);
                 Loop(false /* worker thread */);
             });
         }
author	practicalswift <practicalswift@users.noreply.github.com>	2021-10-01 13:53:59 +0000
committer	practicalswift <practicalswift@users.noreply.github.com>	2021-10-01 13:51:10 +0000
commit	4747da3a5b639b5a336b737e7e3cbf060cf2efcf (patch)
tree	c375c8eff3a7f4b02f66247b52dfee286e7fcbae /src/checkqueue.h
parent	e69cbac628bfdca4a8e4ead821190eaf5b6b3d07 (diff)